How to map authentication story events? - Learn how to map authentication story events to the Cortex XSIAM Cortex Data Model. - Administrator Guide - Cortex XSIAM - Cortex

How to map authentication story events? - Learn how to map authentication story events to the Cortex XSIAM Cortex Data Model. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2026-02-16

Scope Clarification

This Feature focuses on authentication events related to SSO (Single Sign-On) and SaaS (Software-as-a-Service) application authentications. It does not cover internal authentication mechanisms such as Kerberos, NTLM, or traditional domain logon events generated by on-premise infrastructure.

Prerequisite

Familiarize yourself with the Cortex Data model (XDM) schema for field definitions and naming conventions, see Cortex XSIAM Data Model Schema.

When mapping your authentication data, follow these guidelines:

Prioritize conclusive events: Focus on mapping events that clearly represent the final stage or result of an authentication process.
Exclude ambiguous or non-final steps from outcome decisions: Intermediate or informational events should not be treated as indicators of success or failure.
Preserve context across the full authentication flow: Include intermediate events to provide visibility into the process, while making it clear they are not final outcomes.
Normalize raw error and outcome data: You must define explicit mapping logic between the raw event fields that contain outcome or error messages, such as get_reason and debugdata_errorcode, and the target XDM fields. This logic should normalize provider-specific strings or codes into a canonical format to support reliable detection and analytics across diverse sources.

There are mandatory fields that you need map to the Cortex Data Model (XDM) schema to build authentication stories based on the mapped authentication data. For more detailed information on these fields, see XDM fields for mapping authentication events.

The following fields are mandatory to map:

xdm.source.port
xdm.target.ipv4
xdm.target.port
xdm.network.ip_protocol
xdm.source.ipv4
xdm.event.type
xdm.event.tags
xdm.event.operation
xdm.event.original_event_type
xdm.auth.service
xdm.event.outcome
xdm.source.user.upn

Important

To maximize the variety of issues that are retrieved based on the XDM authentication stories, we recommend that the following additional fields are populated: xdm.target.resource_name, xdm.logon.type, xdm.source.user_agent, and xdm.source.host.device_category. Should you decide to change the default XDM mappings, ensure that both the mandatory and recommended fields are populated and do not contain any empty values.