Authentication

The fields and tags in the Authentication data model and event category describe login activities from any data source.

Tags used with the Authentication event category

Object name(s)	Tag name	Required?
Authentication	authentication	YES
Authentication Privileged_Authentication	privileged	YES
Authentication Default_Authentication	default	YES
Authentication	cleartext	NO
Authentication	insecure	NO

Fields for the Authentication event category

Object name(s)	Field name	Data type	Description	Expected values
Authentication	`action`	string	The action performed on the resource.	`success`, `failure`, `unknown`
Authentication	`app`	string	The application involved in the event (such as `ssh`, `splunk`, `win:local`).
Authentication	`dest`	string	The target involved in the authentication. May be aliased from more specific fields, such as `dest_host`, `dest_ip`, or `dest_nt_host`.
Authentication	`src`	string	The source involved in the authentication. In the case of endpoint protection authentication the `src` is the client. May be aliased from more specific fields, such as `src_host`, `src_ip`, or `src_nt_host`. Note: Do not confuse `src` with the event `source` or `sourcetype` fields.
Authentication	`src_user`	string	In privilege escalation events, `src_user` represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
Authentication	`user`	string	The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.

Comments