xdm.auth

Cortex Data Model Schema Guide

Product
Cortex XSIAM
Last date published
2024-11-27
Category
XSIAM Data Model Schema

The Auth section is used for both authentication and authorization attempts, such as Kerberos, NTLM, OAuth2, Login, MFA, or SSO. For authentication or authorization events observed over the network or taken from endpoint data, mapping them to the Auth section is preferred.

xdm.auth.service

Description

The authentication service name.

Datatype

String

Dataclass

Scalar

xdm.auth.auth_method

Description

The authentication method.

Datatype

String

Dataclass

Scalar

xdm.auth.privilege_level

Description

The privilege level.

Datatype

XDM_CONST.PRIVILEGE_LEVEL

Dataclass

Scalar

Examples

XDM_CONST.PRIVILEGE_LEVEL_GUEST, XDM_CONST.PRIVILEGE_LEVEL_USER, XDM_CONST.PRIVILEGE_LEVEL_ADMIN, XDM_CONST.PRIVILEGE_LEVEL_SYSTEM

xdm.auth.kerberos_tgt

Kerberos protocol-specific fields (ticket-granting ticket, TGT).

xdm.auth.kerberos_tgt.msg_type

Description

The Kerberos 5 message type (assigned number).

Datatype

XDM_CONST.KERBEROS_MSG_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_MSG_TYPE_AS_REQ, XDM_CONST.KERBEROS_MSG_TYPE_AS_REP, XDM_CONST.KERBEROS_MSG_TYPE_TGS_REQ, XDM_CONST.KERBEROS_MSG_TYPE_TGS_REP, XDM_CONST.KERBEROS_MSG_TYPE_AP_REQ

xdm.auth.kerberos_tgt.spn_type

Description

The type of the requested service principal.

Datatype

XDM_CONST.KERBEROS_PRINCIPAL_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PRINCIPAL_TYPE_UNKNOWN, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_PRINCIPAL, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_INST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_HST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_XHST

xdm.auth.kerberos_tgt.spn_values

Description

The service names being requested.

Datatype

String

Dataclass

Array

xdm.auth.kerberos_tgt.cname_type

Description

The client principal type.

Datatype

XDM_CONST.KERBEROS_PRINCIPAL_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PRINCIPAL_TYPE_UNKNOWN, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_PRINCIPAL, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_INST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_HST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_XHST

xdm.auth.kerberos_tgt.cname_values

Description

The client principal names being requested.

Datatype

String

Dataclass

Array

xdm.auth.kerberos_tgt.kdc_options

Description

The Key Distribution Center (KDC) options.

Datatype

XDM_CONST.KERBEROS_KDC_OPTION

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_KDC_OPTION_RESERVED, XDM_CONST.KERBEROS_KDC_OPTION_FORWARDABLE, XDM_CONST.KERBEROS_KDC_OPTION_FORWARDED, XDM_CONST.KERBEROS_KDC_OPTION_PROXIABLE, XDM_CONST.KERBEROS_KDC_OPTION_PROXY

xdm.auth.kerberos_tgt.ticket_expiration

Description

The time remaining until the ticket expires, in seconds.

Datatype

Number

Dataclass

Scalar

xdm.auth.kerberos_tgt.renew_ticket_expiration

Description

The time remaining until the ticket renewal expires, in seconds.

Datatype

Number

Dataclass

Scalar

xdm.auth.kerberos_tgt.encryption_type

Description

The encryption type.

Datatype

XDM_CONST.KERBEROS_ENCRYPTION_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_CRC, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD4, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD5, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_RAW, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_MD5

xdm.auth.kerberos_tgt.padata_type

Description

The pre-authentication data type.

Datatype

XDM_CONST.KERBEROS_PA_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PA_TYPE_TGS_REQ, XDM_CONST.KERBEROS_PA_TYPE_ENC_TIMESTAMP, XDM_CONST.KERBEROS_PA_TYPE_PW_SALT, XDM_CONST.KERBEROS_PA_TYPE_ENC_UNIX_TIME, XDM_CONST.KERBEROS_PA_TYPE_SANDIA_SECUREID

xdm.auth.kerberos_tgt.padata_prefix

Description

Pre-authentication data that contains a PA-PAC-REQUEST structure.

Datatype

String

Dataclass

Scalar

xdm.auth.kerberos_tgt.ticket_prefix

Description

The prefix of the service principal's ticket.

Datatype

String

Dataclass

Scalar

xdm.auth.kerberos_tgt.error_code

Description

Kerberos error code.

Datatype

XDM_CONST.KERBEROS_ERROR_CODE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NONE, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NAME_EXP, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_EXP, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BAD_PVNO, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_OLD_MAST_KVNO

xdm.auth.kerberos_tgs

Kerberos protocol-specific fields (ticket-granting service, TGS).

xdm.auth.kerberos_tgs.msg_type

Description

The Kerberos 5 message type (assigned number).

Datatype

XDM_CONST.KERBEROS_MSG_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_MSG_TYPE_AS_REQ, XDM_CONST.KERBEROS_MSG_TYPE_AS_REP, XDM_CONST.KERBEROS_MSG_TYPE_TGS_REQ, XDM_CONST.KERBEROS_MSG_TYPE_TGS_REP, XDM_CONST.KERBEROS_MSG_TYPE_AP_REQ

xdm.auth.kerberos_tgs.spn_type

Description

The type of the requested service principal.

Datatype

XDM_CONST.KERBEROS_PRINCIPAL_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PRINCIPAL_TYPE_UNKNOWN, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_PRINCIPAL, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_INST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_HST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_XHST

xdm.auth.kerberos_tgs.spn_values

Description

The service names being requested.

Datatype

String

Dataclass

Array

xdm.auth.kerberos_tgs.cname_type

Description

The client principal type.

Datatype

XDM_CONST.KERBEROS_PRINCIPAL_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PRINCIPAL_TYPE_UNKNOWN, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_PRINCIPAL, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_INST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_HST, XDM_CONST.KERBEROS_PRINCIPAL_TYPE_SRV_XHST

xdm.auth.kerberos_tgs.cname_values

Description

The client principal names being requested.

Datatype

String

Dataclass

Array

xdm.auth.kerberos_tgs.kdc_options

Description

The Key Distribution Center (KDC) options.

Datatype

XDM_CONST.KERBEROS_KDC_OPTION

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_KDC_OPTION_RESERVED, XDM_CONST.KERBEROS_KDC_OPTION_FORWARDABLE, XDM_CONST.KERBEROS_KDC_OPTION_FORWARDED, XDM_CONST.KERBEROS_KDC_OPTION_PROXIABLE, XDM_CONST.KERBEROS_KDC_OPTION_PROXY

xdm.auth.kerberos_tgs.ticket_expiration

Description

The time remaining until the ticket expires, in seconds.

Datatype

Number

Dataclass

Scalar

xdm.auth.kerberos_tgs.renew_ticket_expiration

Description

The time remaining until the ticket renewal expires, in seconds.

Datatype

Number

Dataclass

Scalar

xdm.auth.kerberos_tgs.encryption_type

Description

The encryption type.

Datatype

XDM_CONST.KERBEROS_ENCRYPTION_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_CRC, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD4, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD5, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_RAW, XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_MD5

xdm.auth.kerberos_tgs.padata_type

Description

The pre-authentication data type.

Datatype

XDM_CONST.KERBEROS_PA_TYPE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_PA_TYPE_TGS_REQ, XDM_CONST.KERBEROS_PA_TYPE_ENC_TIMESTAMP, XDM_CONST.KERBEROS_PA_TYPE_PW_SALT, XDM_CONST.KERBEROS_PA_TYPE_ENC_UNIX_TIME, XDM_CONST.KERBEROS_PA_TYPE_SANDIA_SECUREID

xdm.auth.kerberos_tgs.padata_prefix

Description

Pre-authentication data that contains a PA-PAC-REQUEST structure.

Datatype

String

Dataclass

Scalar

xdm.auth.kerberos_tgs.ticket_prefix

Description

The prefix of the service principal's ticket.

Datatype

String

Dataclass

Scalar

xdm.auth.kerberos_tgs.error_code

Description

Kerberos error code.

Datatype

XDM_CONST.KERBEROS_ERROR_CODE

Dataclass

Scalar

Examples

XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NONE, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NAME_EXP, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_SERVICE_EXP, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_BAD_PVNO, XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_C_OLD_MAST_KVNO

xdm.auth.ntlm

NTLM (New Technology LAN Manager) protocol-specific fields.

xdm.auth.ntlm.version

Description

The NTLM protocol version.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.user_name

Description

The user name provided by the client.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.hostname

Description

The host name provided by the client.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.target

Description

The NTLM target provided by the server.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.domain

Description

The domain name provided by the server.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.dns_domain

Description

The DNS domain name provided by the server.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.dns_hostname

Description

The DNS host name provided by the server.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.dns_three

Description

The DNS tree name provided by the server.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.challenge

Description

The NTLM challenge.

Datatype

String

Dataclass

Scalar

xdm.auth.ntlm.ntproof

Description

The proof that the client provided, encoded as Base64.

Datatype

String

Dataclass

Scalar

xdm.auth.is_mfa_needed

Description

Whether multi-factor authentication was needed in this authentication attempt.

Datatype

Boolean

Dataclass

Scalar

xdm.auth.mfa

Details about the multi-factor authentication attempt.

xdm.auth.mfa.method

Description

The method being used by the multi-factor authentication provider.

Datatype

String

Dataclass

Scalar

xdm.auth.mfa.provider

Description

The multi-factor authentication provider.

Datatype

String

Dataclass

Scalar

xdm.auth.mfa.client_details

Description

Additional information about the client, as reported by the multi-factor authentication provider.

Datatype

String

Dataclass

Scalar