Export logs in JSON format

Event log description

Field name

Description

Example value

user

The username.

Admin

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

ip_address

IPv4 address of the event source.

192.168.174.134

node

The unique name of the device that generated the event.

utmcore@ersthetatica

attributes

Event details in JSON format.

{"rule":{"logrotate":12,"attributes":{"timezone":"Asia/Dubai"},"id":"66f9de9f-d698-4bec-b3b0-ba65b46d3608","name":"Example log export ftp"}}

event_type

Event type.

logexport_rule_updated

event_severity

The severity of the event.

info, warning, error, or critical

event_origin

Module where the event occurred.

core

event_component

Component where the event occurred.

console_auth

Web access log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

url_categories

id

ID of the category to which the URL belongs.

39

threat_level

Threat level for the URL category.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Name of the category to which the URL belongs.

Social Networking

bytes_sent

Number of bytes transmitted from the source to the destination.

52

node

The unique name of the device that generated the event.

utmcore@ersthetatica

packets_recv

Number of packets transmitted from the destination to the source.

5

request_method

Method used to access the URL address (POST, GET, etc.).

GET

url

Contains the URL of the requested resource and the protocol used.

http://www.secure.com

packets_sent

Number of packets transmitted from the source to the destination.

2

action

Action taken by the device according to the configured policies.

block

media_type

The type of the content.

application/json

host

Hostname.

www.google.com

session

Session ID.

a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000)

app_protocol

Application layer protocol and its version.

HTTP/1.1

status_code

Status code.

302

bytes_recv

Number of bytes transmitted from the destination to the source.

100

http_referer

Request source URL (HTTP referer).

https://www.google.com/

decrypted

Indicates if the content was decrypted.

true, false

reasons

The reason why the event was created, e.g. the reason for the site block.

{"url_cats":[{"id":39,"name":"Social Networking","threat_level":3}]}

useragent

Browser useragent.

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Source zone name.

Trusted

country

Traffic source country.

AE (a two-letter country code is displayed)

ip

Source IPv4 address.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

The destination country.

AE (a two-letter country code is displayed)

ip

Destination IPv4 address.

192.168.174.134

port

Destination port

Values: 0-65535.

rule

guid

Unique ID of the rule triggered to cause the event.

f93da24d-74f9-4f8c-9e9b-8e6d02346fb4

name

The name of the rule.

Default allow

user

guid

Unique ID of the user.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

Username.

user_name

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group

DNS log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node

The unique name of the device that generated the event.

utmcore@ntoorereaeda

proto

Layer 4 (transport) protocol used.

UDP

data

Indicates the data being transmitted.

{"question":[{"domain":"google.com","type":"A","class":"IN"}],"answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]}

reasons

The reason why the event was created, e.g. the URL category on which the rule was triggered.

{"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]}

url_categories

id

ID of the triggered URL category.

37

threat_level

Threat level of the triggered category.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Name of the triggered category.

Search Engines & Portals

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

104.19.197.151

port

Destination port

Values: 0-65535. Port 53 is normally used for DNS.

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

name

Name of the rule triggered to cause the event.

Rule1

user

guid

Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

The username.

user1

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group

Traffic log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

bytes_sent

Number of bytes transmitted from the source to the destination.

100

node

The unique name of the device that generated the event.

utmcore@ersthetatica

packets_recv

Number of packets transmitted from the destination to the source.

1

proto

Layer 4 (transport) protocol used.

TCP or UDP

packets_sent

Number of packets transmitted from the source to the destination.

1

action

Action taken by the device according to the configured policies.

accept

session

Session ID.

a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000)

bytes_recv

Number of bytes transmitted from the destination to the source.

6

signatures

id

ID of the triggered signature.

999999

threat_level

Threat level of the triggered signature.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Name of the triggered signature.

BlackSun Test

application

id

Application ID.

195

threat_level

Application threat level.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Application name.

Youtube

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

104.19.197.151

port

Destination port

Values: 0-65535.

nat

source

ip

Source address after reassignment (if NAT rules are configured).

192.168.117.85 (if NAT is not configured then "nat":null)

port

Source port after reassignment (if NAT rules are configured).

Values: 0-65535 (if NAT is not configured then "nat":null)

destination

ip

Destination address after reassignment (if NAT rules are configured).

64.233.164.198 (if NAT is not configured then "nat":null)

port

Destination port after reassignment (if NAT rules are configured).

Values: 0-65535 (if NAT is not configured then "nat":null)

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

type

Rule type.

firewall

name

Name of the rule triggered to cause the event.

Allow trusted to untrusted

user

guid

Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

The username.

Admin

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group
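The web access, DNS and traffic layouts above share the same timestamp, session, source/destination, nat and user nesting, so one small reader can serve all three. The following Python is an added example, not UserGate code: it parses constructed sample lines (the object nesting is assumed from the tables and the values are made up), accepts the timestamp with or without fractional seconds, maps threat_level to its label, treats the all-zero session UUID as System, recognises a blocked DNS lookup by the TXT "Blocked" answer that accompanies the sinkhole A record, and handles a null nat object when no NAT rule applied.

```python
import json
from datetime import datetime, timezone

THREAT_LABELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
NIL_UUID = "00000000-0000-0000-0000-000000000000"  # "System" session / Unknown user

# Constructed sample lines laid out as the web access, DNS and traffic tables
# describe (assumed nesting: source/destination/nat/user objects, url_categories
# as a list). The values are made up for this example.
SAMPLE_LINES = [
    '{"timestamp":"2022-05-12T08:11:46.15869Z","node":"utmcore@ersthetatica",'
    '"action":"block","url":"http://www.secure.com",'
    '"session":"00000000-0000-0000-0000-000000000000",'
    '"url_categories":[{"id":99,"name":"Sample high-risk category","threat_level":5}],'
    '"source":{"ip":"10.10.10.10","port":51234},'
    '"destination":{"ip":"192.168.174.134","port":80},'
    '"user":{"guid":"00000000-0000-0000-0000-000000000000","name":""}}',
    '{"timestamp":"2022-05-12T08:11:47Z","node":"utmcore@ntoorereaeda","proto":"UDP",'
    '"data":{"question":[{"domain":"google.com","type":"A","class":"IN"}],'
    '"answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},'
    '{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]},'
    '"source":{"ip":"10.10.10.10","port":40000},'
    '"destination":{"ip":"104.19.197.151","port":53},'
    '"user":{"guid":"a7a3cd49-8232-4f1a-962a-3659af89e96f","name":"user1"}}',
    '{"timestamp":"2022-05-12T08:11:48.5Z","node":"utmcore@ersthetatica","proto":"TCP",'
    '"action":"accept","source":{"ip":"10.10.10.10","port":50001},'
    '"destination":{"ip":"104.19.197.151","port":443},'
    '"nat":{"source":{"ip":"192.168.117.85","port":61000},'
    '"destination":{"ip":"104.19.197.151","port":443}},'
    '"user":{"guid":"a7a3cd49-8232-4f1a-962a-3659af89e96f","name":"Admin"}}',
    '{"timestamp":"2022-05-12T08:11:49Z","node":"utmcore@ersthetatica","proto":"UDP",'
    '"action":"accept","source":{"ip":"10.10.10.10","port":50002},'
    '"destination":{"ip":"10.10.0.1","port":123},"nat":null,'
    '"user":{"guid":"a7a3cd49-8232-4f1a-962a-3659af89e96f","name":"Admin"}}',
]


def parse_timestamp(value):
    """Export timestamps are UTC ('Z'); the fractional part is optional and may be
    shorter than six digits, which strptime's %f accepts."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unexpected timestamp format: %r" % value)


def threat_label(level):
    return THREAT_LABELS.get(level, "unknown")


def endpoints(rec):
    """(pre-NAT, post-NAT) 4-tuples. 'nat' is null when no NAT rule applied, so
    the post-NAT tuple then equals the original one."""
    src, dst = rec["source"], rec["destination"]
    pre = (src["ip"], src["port"], dst["ip"], dst["port"])
    nat = rec.get("nat")
    if not nat:
        return pre, pre
    post = (nat["source"]["ip"], nat["source"]["port"],
            nat["destination"]["ip"], nat["destination"]["port"])
    return pre, post


def sinkholed_answer(rec):
    """A blocked lookup is answered with a TXT 'Blocked' record next to the
    sinkhole A record; return the sinkhole address, or None."""
    data = rec.get("data")
    if not isinstance(data, dict):   # only the DNS log carries a data object
        return None
    answers = data.get("answer", [])
    if not any(a["type"] == "TXT" and a["data"] == "Blocked" for a in answers):
        return None
    return next((a["data"] for a in answers if a["type"] == "A"), None)


def analyze(line):
    rec = json.loads(line)
    ts = parse_timestamp(rec["timestamp"]).isoformat()
    who = rec.get("user", {}).get("name") or "unknown"
    if rec.get("session") == NIL_UUID:
        who = "System"
    alerts = []
    for cat in rec.get("url_categories", []):
        if cat["threat_level"] >= 4:
            alerts.append("%s %s: %s (%s) action=%s" % (
                ts, who, cat["name"], threat_label(cat["threat_level"]), rec.get("action")))
    sink = sinkholed_answer(rec)
    if sink:
        alerts.append("%s %s: DNS for %s sinkholed to %s" % (
            ts, who, rec["data"]["question"][0]["domain"], sink))
    if "nat" in rec:
        pre, post = endpoints(rec)
        if pre != post:
            alerts.append("%s NAT %s -> %s" % (ts, pre, post))
    return alerts


def run():
    return [alert for line in SAMPLE_LINES for alert in analyze(line)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The threshold of 4 and the choice to report only NAT'd flows are illustrative; in a real pipeline the pre-NAT tuple is what you join against endpoint logs and the post-NAT tuple against upstream firewall logs.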

IDPS log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

session

Session ID.

a7a3cd49-8232-4f1a-962a-3659af89e96f (if System: 00000000-0000-0000-0000-000000000000)

packets_sent

Number of packets transmitted from the source to the destination.

1

packets_recv

Number of packets transmitted from the destination to the source.

1

node

The unique name of the device that generated the event.

utmcore@ersthetatica

proto

Layer 4 (transport) protocol used.

TCP or UDP

bytes_sent

Number of bytes transmitted from the source to the destination.

100

bytes_recv

Number of bytes transmitted from the destination to the source.

6

action

Action taken by the device according to the configured policies.

accept

application

id

Application ID.

195

threat_level

Application threat level.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Application name.

Youtube

user

guid

Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

The username.

Admin

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

name

Name of the rule triggered to cause the event.

Allow trusted to untrusted

signatures

id

ID of the triggered signature.

999999

threat_level

Threat level of the triggered signature.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Name of the triggered signature.

BlackSun Test

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

104.19.197.151

port

Destination port

Values: 0-65535.

SCADA log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

pdu_severity

SCADA severity.

1

pdu_func

Function code (instructs the slave what data the master requires from it or what action to perform).

12

pdu_address

Register address on which the operation is performed.

3154

node

The unique name of the device that generated the event.

utmcore@ersthetatica

details

pdu_varname

Variable name (MMS protocol); used mainly for real-time data exchange.

VAR

pdu_device

Address of the device used in the MMS and OPCUA protocols.

DEV

mb_write_quantity

Number of registers to write (Read/Write Multiple Registers command).

998

mb_write_addr

Start register address to write (Read/Write Multiple Registers command).

776

mb_value

Value to write (for Write Single Coil, Write Single Register commands).

322

mb_unit_id

Device address.

186

mb_read_quantity

Number of registers to read (Read/Write Multiple Registers command).

658

mb_read_addr

Start register address to read (Read/Write Multiple Registers command).

122

mb_quantity

Number of values to read.

875

mb_payload

Register values (for Read Coil, Read Holding Registers, Read Input Registers, Read/Write Multiple registers, Write Multiple Coil commands).

75be5ecdc24f9883

mb_or_mask

OR mask value of the Mask Write Register command.

1024

mb_message

Modbus message.

exception

mb_exception_code

Modbus exception code returned by the slave; present for the error_response message type.

255

mb_and_mask

AND mask value of the Mask Write Register command.

121

mb_addr

Register address.

3154

iec104_msgtype

Message type.

request, response, error_response

iec104_ioa

Address of information object, which allows the receiving party to unambiguously identify the type of event.

23

iec104_cot

Reason for transmitting an Application Protocol Data Unit (APDU).

6

iec104_asdu

The ASDU address (COA, or Common Object Address). Refers to the IEC-104 protocol.

123

app_protocol

Application layer protocol

Modbus

action

Action taken by the device according to the configured policies.

pass

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

104.19.197.151

port

Destination port

Values: 0-65535.

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

name

Name of the rule triggered to cause the event.

SCADA Sample Rule
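Modbus records carry the function code, the register address and the raw register payload, which a SCADA analyst normally wants decoded rather than read as numbers. The following Python is an added example, not UserGate code: the function-code and exception-code tables are the public Modbus specification values; the assumption that mb_payload is the hex encoding of big-endian 16-bit registers, the placement of the mb_* fields under details, the mb_message values request and response, and the sample records themselves are constructed for this example.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol Specification).
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostics", 11: "Get Comm Event Counter",
    12: "Get Comm Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Server ID", 22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
EXCEPTION_CODES = {
    1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value",
    4: "Server Device Failure", 5: "Acknowledge", 6: "Server Device Busy",
    8: "Memory Parity Error", 10: "Gateway Path Unavailable",
    11: "Gateway Target Device Failed to Respond",
}

# Constructed sample records (field placement under "details" and the
# request/response mb_message values are assumptions for this example).
SAMPLE_RECORDS = [
    {"timestamp": "2022-05-12T08:11:46.15869Z", "app_protocol": "Modbus", "action": "pass",
     "pdu_func": 3, "pdu_address": 3154,
     "details": {"mb_unit_id": 186, "mb_quantity": 4, "mb_payload": "75be5ecdc24f9883",
                 "mb_message": "response"},
     "source": {"ip": "10.10.10.10", "zone": {"name": "Trusted"}},
     "destination": {"ip": "104.19.197.151", "port": 502, "zone": {"name": "Untrusted"}}},
    {"timestamp": "2022-05-12T08:11:47Z", "app_protocol": "Modbus", "action": "pass",
     "pdu_func": 16, "pdu_address": 776,
     "details": {"mb_unit_id": 186, "mb_quantity": 2, "mb_payload": "00010002",
                 "mb_message": "request"},
     "source": {"ip": "192.168.174.134", "zone": {"name": "Untrusted"}},
     "destination": {"ip": "10.10.10.10", "port": 502, "zone": {"name": "Trusted"}}},
    {"timestamp": "2022-05-12T08:11:48Z", "app_protocol": "Modbus", "action": "pass",
     "pdu_func": 12, "pdu_address": 0,
     "details": {"mb_unit_id": 186, "mb_message": "exception", "mb_exception_code": 1},
     "source": {"ip": "10.10.10.10", "zone": {"name": "Trusted"}},
     "destination": {"ip": "104.19.197.151", "port": 502, "zone": {"name": "Untrusted"}}},
]


def decode_registers(payload_hex):
    """mb_payload read as big-endian 16-bit registers (assumed encoding)."""
    raw = bytes.fromhex(payload_hex)
    if len(raw) % 2:
        raise ValueError("register payload must be whole 16-bit words")
    return list(struct.unpack(">%dH" % (len(raw) // 2), raw))


def mask_write(current, and_mask, or_mask):
    """Value a Mask Write Register (function 22) leaves in the register:
    (current AND and_mask) OR (or_mask AND NOT and_mask)."""
    return (current & and_mask) | (or_mask & ~and_mask & 0xFFFF)


def describe(rec):
    func = rec["pdu_func"]
    d = rec.get("details") or {}
    exc = None
    if d.get("mb_message") == "exception":
        code = d.get("mb_exception_code")
        exc = EXCEPTION_CODES.get(code, "unknown exception code %s" % code)
    return {
        "function": MODBUS_FUNCTIONS.get(func, "unknown function %d" % func),
        "is_write": func in WRITE_FUNCTIONS,
        "unit_id": d.get("mb_unit_id"),
        "address": rec.get("pdu_address"),
        "registers": decode_registers(d["mb_payload"]) if d.get("mb_payload") else [],
        "exception": exc,
    }


def review(rec):
    """Findings worth raising from one record: writes that do not originate in
    the Trusted zone, non-standard function codes, and exception responses."""
    info = describe(rec)
    src_zone = rec["source"]["zone"]["name"]
    findings = []
    if info["is_write"] and src_zone != "Trusted":
        findings.append("%s from %s zone to unit %s addr %s, action=%s" % (
            info["function"], src_zone, info["unit_id"], info["address"], rec.get("action")))
    if info["function"].startswith("unknown"):
        findings.append("non-standard function code %d" % rec["pdu_func"])
    if info["exception"]:
        findings.append("slave returned exception: %s" % info["exception"])
    return findings


def run():
    return [(rec["pdu_func"], review(rec)) for rec in SAMPLE_RECORDS]


if __name__ == "__main__":
    for func, findings in run():
        print(func, describe_name := MODBUS_FUNCTIONS.get(func), findings)
```

A write that the policy passed from an untrusted zone is the case to alert on first; a Mask Write Register is also a write even though its mb_value is absent, which is why the function-code set, not the presence of a value field, decides what counts as a write.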

SSH inspection log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node

The unique name of the device that generated the event.

utmcore@ersthetatica

command

Command sent via SSH.

whoami

app_threat

Application threat level.

Available values: 2 to 10 (the application's configured threat level, 1 to 5, multiplied by 2).

app_protocol

Application layer protocol

SSH or SFTP

app_id

Application ID.

195

action

Action taken by the device according to the configured policies.

block

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

mac

Source MAC address.

FA:16:3E:65:1C:B4

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

104.19.197.151

port

Destination port

Values: 0-65535.

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

name

Name of the rule triggered to cause the event.

SSH Rule Example

user

guid

Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

The username.

Admin

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group

Mail Security Log Description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node

The unique name of the device that generated the event.

utmcore@ersthetatica

from

Sender email.

sender@example.com

to

Recipient email.

receiver@example.com

app_protocol

Application layer network protocol.

SMTP

source

zone

guid

Unique ID of the traffic source zone.

d0038912-0d8a-4583-a525-e63950b1da47

name

Traffic source zone name.

Trusted

country

Source country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic source.

10.10.10.10

port

Source port

Values: 0-65535.

destination

zone

guid

Unique ID of the traffic destination zone.

3c0b1253-f069-4060-903b-5fec4f465db0

name

Traffic destination zone name.

Untrusted

country

Destination country name.

AE (a two-letter country code is displayed)

ip

IPv4 address of the traffic destination.

10.10.10.10

port

Destination port

Values: 0-65535.

rule

guid

Unique ID of the rule triggered to cause the event.

59e38e06-533a-4771-9664-031c3e8b2e1f

name

Name of the rule triggered to cause the event.

Mail security rule

user

guid

Unique ID of the user.

a7a3cd49-8232-4f1a-962a-3659af89e96f

name

The username.

user_name

groups

guid

Unique ID of the group the user is a member of.

919878b2-e882-49ed-3331-8ec72c3c79cb

name

Name of the group the user is a member of.

Default Group

Endpoint Event Log Description

Field name

Description

Example value

user_name

The username.

DESKTOP-0731NFQ\\Username

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

status

The result of executing a WMI or SNMP query.

OK, Error

source_name

Log event source.

Microsoft-Windows-Security-Auditing

endpoint_name

Endpoint device or sensor name.

DESKTOP-0731NFQ

endpoint_id

Endpoint device or sensor ID.

35fb5820-74db-4eac-b05b-d01bc284c4e8

node

The ID of the endpoint device or node on which the sensor is running.

35fb5820-74db-4eac-b05b-d01bc284c4e8

log_level

Event type.

Success audit, Warning, Information, Failure audit, Error (the Windows event level names).

log_file

Windows event log (channel) the event was read from.

Security (security log file), Application (application log file), System (system log file), Windows PowerShell

log_event_type

Log event type.

1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure).

log_event_id

Event ID.

4672

log_event_code

Log event code.

14056

log_category_string

The event's category.

Special Logon

insertion_string

The insertion string is the EventData block of the Windows event data.

Windows DefenderSECURITY_PRODUCT_STATE_ON

error

The WMI or SNMP error that occurred as a result of the query.

0

data

Detailed information about the event.

The startup type of the "Windows Module Installer" service has been changed from "Automatic" to "Manual".

counter_id

The ID of the counter added to the WMI and SNMP sensor.

35fb5820-74db-4eac-b05b-d01bc284c4e8

computer_name

Computer name

DESKTOP-0731NFQ

Endpoint Rule Log Description

Field name

Description

Example value

url_categories

id

ID of the category to which the URL belongs.

39

threat_level

Threat level for the URL category.

Available values:

  • 1: very low

  • 2: low

  • 3: medium

  • 4: high

  • 5: very high

name

Name of the category to which the URL belongs.

Social Networking

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

endpoint_name

Endpoint device name.

DESKTOP-0731NFQ

endpoint_id

The endpoint device ID.

35fb5820-74db-4eac-b05b-d01bc284c4e8

media_type

The type of the content.

application/json

ip_protocol

Number of the network protocol used.

4

host

Hostname.

www.google.com

app_name

Application to which the firewall rule was applied.

C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe

action

Action taken by the device according to the configured policies.

drop, accept, nat

source

ip

Source IPv4 address.

10.10.10.10

port

Source port

Values: 0-65535.

destination

ip

Destination IPv4 address.

104.19.197.151

port

Destination port

Values: 0-65535.

rule

guid

Unique ID of the rule triggered to cause the event.

f93da24d-74f9-4f8c-9e9b-8e6d02346fb4

name

Name of the rule triggered to cause the event.

Default allow

Endpoint Application Log Description

Field name

Description

Example value

user_name

Name of the user whose account is logged in on the endpoint device.

DESKTOP-0731NFQ\\User

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

endpoint_name

Endpoint device or sensor name.

DESKTOP-0731NFQ

endpoint_id

Endpoint device or sensor ID.

35fb5820-74db-4eac-b05b-d01bc284c4e8

process_id

Process ID.

3916

hash

Hash of the application's executable file (the example is 40 hexadecimal digits, the length of a SHA-1 digest).

B4CE5C3495FEA0A4FDBAC8ABDCD199F7E4CA8C1F

app_name

Application that was started/stopped.

C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe

action

Action (application start or stop).

start, stop

version

The application version.

6.2.19041.746

subject

Subject of the certificate that signed the application.

Microsoft Corporation

issuer

The issuer of the application's certificate.

Microsoft Windows Production PCA 2011

cmd_line

Full command line the process was started with.

C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc

session_id

Session ID.

1656038456
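The application log pairs each start event with the image path, file hash, signing subject and issuer, and the command line, which is enough for a first-pass check of a process start. The following Python is an added example, not UserGate code: the issuer allow-list, the user-writable path pattern, the rule that the command line's first token should name the started image, and the sample lines (written with the JSON backslash escaping the table shows) are assumptions made for this example.

```python
import json
import re

# Assumed organisation allow-list; not part of the UserGate schema.
TRUSTED_ISSUERS = {"Microsoft Windows Production PCA 2011"}
# Assumed "user-writable" locations a signed, installed binary should not run from.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Temp)\\", re.IGNORECASE)
SHA1_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample lines in the endpoint application log layout. Raw strings
# keep the JSON escaping (\\ for a path separator, \" for an embedded quote).
SAMPLE_LINES = [
    r'{"user_name":"DESKTOP-0731NFQ\\User","timestamp":"2022-05-12T08:11:46.15869Z",'
    r'"endpoint_name":"DESKTOP-0731NFQ","endpoint_id":"35fb5820-74db-4eac-b05b-d01bc284c4e8",'
    r'"process_id":3916,"hash":"B4CE5C3495FEA0A4FDBAC8ABDCD199F7E4CA8C1F",'
    r'"app_name":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",'
    r'"action":"start","version":"6.2.19041.746","subject":"Microsoft Corporation",'
    r'"issuer":"Microsoft Windows Production PCA 2011",'
    r'"cmd_line":"\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default",'
    r'"session_id":1656038456}',
    r'{"user_name":"DESKTOP-0731NFQ\\User","timestamp":"2022-05-12T08:11:50Z",'
    r'"endpoint_name":"DESKTOP-0731NFQ","endpoint_id":"35fb5820-74db-4eac-b05b-d01bc284c4e8",'
    r'"process_id":4120,"hash":"","app_name":"C:\\Users\\User\\Downloads\\update.exe",'
    r'"action":"start","version":"","subject":"","issuer":"",'
    r'"cmd_line":"C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc",'
    r'"session_id":1656038456}',
    r'{"user_name":"DESKTOP-0731NFQ\\User","timestamp":"2022-05-12T08:11:55Z",'
    r'"endpoint_name":"DESKTOP-0731NFQ","endpoint_id":"35fb5820-74db-4eac-b05b-d01bc284c4e8",'
    r'"process_id":4120,"hash":"","app_name":"C:\\Users\\User\\Downloads\\update.exe",'
    r'"action":"stop","version":"","subject":"","issuer":"","cmd_line":"",'
    r'"session_id":1656038456}',
]


def image_from_cmdline(cmd_line):
    """First token of the command line, honouring a quoted image path."""
    cmd_line = cmd_line.strip()
    if cmd_line.startswith('"'):
        end = cmd_line.find('"', 1)
        return cmd_line[1:end] if end > 0 else cmd_line[1:]
    return cmd_line.split(" ", 1)[0]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_start(rec):
    """Findings for one start event; stop events are not assessed."""
    if rec.get("action") != "start":
        return []
    findings = []
    if not SHA1_HEX.match(rec.get("hash") or ""):
        findings.append("hash missing or not a 40-hex-digit (SHA-1 length) digest")
    if rec.get("issuer") not in TRUSTED_ISSUERS:
        findings.append("certificate issuer not allow-listed: %r" % rec.get("issuer"))
    if USER_WRITABLE.match(rec["app_name"]):
        findings.append("image runs from a user-writable directory")
    image = image_from_cmdline(rec.get("cmd_line", ""))
    if image and basename(image) != basename(rec["app_name"]):
        findings.append("command line names %s, not the started image" % basename(image))
    return findings


def run():
    out = []
    for line in SAMPLE_LINES:
        rec = json.loads(line)
        out.append((rec["process_id"], check_start(rec)))
    return out


if __name__ == "__main__":
    for pid, findings in run():
        print(pid, findings or "ok")
```

The issuer check only says the certificate chain ends at a trusted CA; it does not say the signature was validated at the endpoint, so treat subject and issuer as hints and the hash as the value to match against an allow-list or a threat-intelligence feed.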

Endpoint Hardware Log Description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

endpoint_name

Endpoint device or sensor name.

DESKTOP-0731NFQ

endpoint_id

Endpoint device or sensor ID.

35fb5820-74db-4eac-b05b-d01bc284c4e8

action

Action (connect or remove a device).

add_device, remove_device

device_name

The name of the device that was added or removed.

Generic USB Hub

device_id

Device ID.

USB\\VID_0E0F&PID_0002\\6&201153C1&0&7

service

Name of the Windows driver service that handles the device.

USBHUB3

Windows Active Directory Log Description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node_name

A name that uniquely identifies the UserGate device generating this event.

utmcore@ntoorereaeda

endpoint_id

ID of the endpoint that is the source of the event.

16535060-5a1a-4e92-8331-239406ec34da

endpoint_name

Name of the endpoint device that is the source of the event (UserGate client, WMI sensor, etc.).

dep.local

user_name

The "User" field from the AD log.

user1.dep.local

log_level

The "Keywords" field from the AD log.

Audit Success

log_category_string

Task category of the event in the AD log.

Group Membership

log_file

Windows log file.

Security

source_name

The "Source" field from the AD log.

Microsoft-Windows-Security-Auditing

data

Event description in the AD log.

Group membership information. Subject: \tSecurity ID:\t\tS-1-0-0 \tAccount Name:\t\t- \tAccount Domain:\t\t- \tLogon ID:\t\t0x0 Logon Type:\t\t\t3 New Logon: \tSecurity ID:\t\tS-1-5-21-3795870133-5220325-2125745684-1103 \tAccount Name:\t\tuser1 \tAccount Domain:\t\tDEP \tLogon ID:\t\t0x7A25A21 Event in sequence:\t\t1 of 1 Group Membership:\t\t\t \t\t%{S-1-5-21-3795870133-5220325-2125745684-513} \t\t%{S-1-1-0} \t\t%{S-1-5-32-544} \t\t%{S-1-5-32-555} \t\t%{S-1-5-32-545} \t\t%{S-1-5-32-554} \t\t%{S-1-5-2} \t\t%{S-1-5-11} \t\t%{S-1-5-15} \t\t%{S-1-5-21-3795870133-5220325-2125745684-512} \t\t%{S-1-5-21-3795870133-5220325-2125745684-572} \t\t%{S-1-5-64-10} \t\t%{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

computer_name

Windows node from the AD log where the event took place.

DC1.dep.local

insertion_string

Parameters of the AD log event after message parsing.

['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-513}\ \ \\t\\t%{S-1-1-0}\ \ \\t\\t%{S-1-5-32-544}\ \ \\t\\t%{S-1-5-32-555}\ \ \\t\\t%{S-1-5-32-545}\ \ \\t\\t%{S-1-5-32-554}\ \ \\t\\t%{S-1-5-2}\ \ \\t\\t%{S-1-5-11}\ \ \\t\\t%{S-1-5-15}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-512}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-572}\ \ \\t\\t%{S-1-5-64-10}\ \ \\t\\t%{S-1-16-12288}']

error

Error code from the AD log that occurred while receiving data.

0

status

Error description from the AD log that occurred while receiving data.

counter_id

Counter ID of the WMI sensor.

login_logout

log_event_code

The "Event code" field from the AD log.

4627

log_event_id

The "Event ID" field from the AD log.

4627

log_event_type

Windows event type code, as in the endpoint event log: 1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure).

4

Syslog Description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node

The unique name of the device that generated the event.

utmcore@ntoorereaeda

syslog_facility

Syslog event source type. Example: user-level messages.

For more information about Syslog facility values, see RFC 5424.

1

syslog_severity

Syslog event severity level. Example: warning.

For more information about Syslog severity values, see RFC 5424.

4

computer_name

The name of the device where the event occurred.

node1

app_name

Application triggering the event.

org.gnome.Shell.desktop

process_id

PID of the process triggering the event.

3036

data

The event description.

[3603:3603:1130/125201.838651:ERROR:CONSOLE(6)] "console.assert", source: devtools://devtools/bundled/devtools-frontend/front_end/panels/console/console.js (6)

rule

guid

Unique ID of the rule triggered to cause the event.

16535060-5a1a-4e92-8331-239406ec34da

name

Name of the rule triggered to cause the event.

Example - Allow user-level messages

UserID log description

Field name

Description

Example value

timestamp

Time when the event was received (UTC). Format: yyyy-mm-ddThh:mm:ss.ffffffZ (ISO 8601; the fractional-second part may be shorter than six digits, as in the example).

2022-05-12T08:11:46.15869Z

node

The unique name of the device that generated the event.

utmcore@ntoorereaeda

reasons

The reason why the event was created.

{"user_groups_sids":["S-1-5-21-3795870133-5220325-2125745684-513","S-1-5-21-3795870133-5220325-2125745684-512","S-1-5-21-3795870133-5220325-2125745684-572"],"user_sid":"S-1-5-21-3795870133-5220325-2125745684-1103","login":"user1","domain":"DEV","event_id":4624}

action

Action taken by the device according to the configured policies.

login

src_ip

IPv4 address of the event source.

10.10.0.11

rule

guid

Unique ID of the rule triggered to cause the event.

16535060-5a1a-4e92-8331-239406ec34da

name

Name of the rule triggered to cause the event.

dev.local

user

guid

Unique ID of the user. If the user type is Unknown then the ID: 00000000-0000-0000-0000-000000000000.

745591c3-9d21-092d-8db4-5b9b0000044f

name

The username.

user1

groups

guid

Unique ID of the group the user is a member of.

aa218609-8716-9252-df20-88c43a0d0bf6

name

Name of the group the user is a member of.

CN=Domain Users,CN=Users,DC=dev,DC=local
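Both the Windows Active Directory log (insertion_string of event 4627) and the UserID log (reasons.user_groups_sids) hand over raw SIDs, so the useful detection is the same for both: resolve well-known SIDs and domain RIDs and flag logons that carry a privileged group. The following Python is an added example, not UserGate code: the SID names are Microsoft's documented well-known SIDs and domain RIDs; the assumptions that insertion_string is exported as a JSON array in the 4627 parameter order and that reasons is exported as a JSON object, and the sample lines themselves, are constructed for this example.

```python
import json
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Microsoft well-known SIDs and domain-relative RIDs that appear in the examples above.
WELL_KNOWN = {
    "S-1-0-0": "NULL SID", "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users", "S-1-5-15": "This Organization",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-64-10": "NTLM Authentication", "S-1-16-12288": "High Mandatory Level",
}
PRIVILEGED_WELL_KNOWN = {"S-1-5-32-544"}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners",
               572: "Denied RODC Password Replication Group"}
PRIVILEGED_RIDS = {512, 518, 519, 520}

# Constructed sample lines: a UserID login event and an AD 4627 group-membership
# event (assumed: reasons is a JSON object, insertion_string a JSON array).
SAMPLE_LINES = [
    '{"timestamp":"2022-05-12T08:11:46.15869Z","node":"utmcore@ntoorereaeda","action":"login",'
    '"src_ip":"10.10.0.11","reasons":{"user_groups_sids":['
    '"S-1-5-21-3795870133-5220325-2125745684-513","S-1-5-21-3795870133-5220325-2125745684-512",'
    '"S-1-5-21-3795870133-5220325-2125745684-572"],'
    '"user_sid":"S-1-5-21-3795870133-5220325-2125745684-1103","login":"user1","domain":"DEV",'
    '"event_id":4624}}',
    '{"timestamp":"2022-05-12T08:11:47Z","computer_name":"DC1.dep.local","log_event_id":4627,'
    '"user_name":"user1.dep.local","insertion_string":["S-1-0-0","-","-","0x0",'
    '"S-1-5-21-3795870133-5220325-2125745684-1103","user1","DEP","0x7a25a21","3","1","1",'
    '"%{S-1-5-21-3795870133-5220325-2125745684-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-555} '
    '%{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} '
    '%{S-1-5-21-3795870133-5220325-2125745684-512} %{S-1-5-21-3795870133-5220325-2125745684-572} '
    '%{S-1-5-64-10} %{S-1-16-12288}"]}',
]


def classify_sid(sid):
    """(display name, privileged?) for one SID string."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid], sid in PRIVILEGED_WELL_KNOWN
    m = re.match(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", sid)   # domain SID + RID
    if m:
        rid = int(m.group(1))
        return DOMAIN_RIDS.get(rid, "domain RID %d" % rid), rid in PRIVILEGED_RIDS
    return "unknown", False


def extract_sids(text):
    """All SIDs in free text, e.g. the %{...} placeholders of a 4627 message."""
    return SID_RE.findall(text)


def privileged_groups(sids):
    return [classify_sid(s)[0] for s in sids if classify_sid(s)[1]]


def check_userid(rec):
    reasons = rec.get("reasons")
    if reasons is None:
        return None
    if isinstance(reasons, str):          # tolerate an embedded JSON string
        reasons = json.loads(reasons)
    priv = privileged_groups(reasons.get("user_groups_sids", []))
    if not priv:
        return None
    return "%s\\%s login from %s with privileged groups %s" % (
        reasons.get("domain"), reasons.get("login"), rec.get("src_ip"), ", ".join(priv))


def check_ad_group_membership(rec):
    """Event 4627 parameters: [4] new-logon SID, [5] account, [6] domain,
    [8] logon type, [11] group membership list."""
    ins = rec.get("insertion_string")
    if rec.get("log_event_id") != 4627 or not isinstance(ins, list) or len(ins) < 12:
        return None
    priv = privileged_groups(extract_sids(ins[11]))
    if not priv:
        return None
    return "%s\\%s (%s) logon type %s on %s with privileged groups %s" % (
        ins[6], ins[5], ins[4], ins[8], rec.get("computer_name"), ", ".join(priv))


def run():
    findings = []
    for line in SAMPLE_LINES:
        rec = json.loads(line)
        for check in (check_userid, check_ad_group_membership):
            result = check(rec)
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Resolving by RID rather than by group name matters because the UserID log only carries the SIDs, and the group name in the 4627 message is a placeholder until the SID is looked up; the domain portion of the SID also tells you which domain's Domain Admins the logon belongs to.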