Authentication Field Mapping
The following shows an example of how authentication events map differently from various cloud providers to CIM data model field names.
See the Authentication data model for full field descriptions.
Login success example
The login success event from Google Cloud Platform (GCP), Microsoft Office 356 (MS o365), and Amazon Web Services (AWS) is a good way to see a common event and how each cloud provider maps to CIM data model field names.
GCP success
A sample GCP successful user login follows:
Click expand or collapse to show or hide the example.
{ "actor":{ "email":"name@gmail.com", /** ----- user_id "profileId":"104465715494659475645" }, "etag":"\"JDMC8884sebSczDxOtZ17CIssbQ/Pau_EbIGF8FWZWC7W8Ti1uoCfjc\"", "events":[ { "name":"login_success", /** ----- action "parameters":[ { "name":"login_type", "value":"google_password" }, { "multiValue":[ "password" /** ----- authentication_method ], "name":"login_challenge_method" }, { "boolValue":false, "name":"is_suspicious" } ], "type":"login" /** ----- signature } ], "id":{ "applicationName":"login", "customerId":"C035c27ok", /** ----- vendor_account "time":"2020-02-24T23:31:48.090Z", "uniqueQualifier":"529462392776" }, "ipAddress":"4.14.104.185", /** ----- src, src_ip "kind":"admin#reports#activity" /** ----- user_agent }
MS o365 success
A sample MS o365 successful user login follows:
Click expand or collapse to show or hide the example.
{ [-] Actor: [ [-] { [-] ID: df22f023-9e0f-4d78-bdd5-d496688af11e /** ----- user_id Type: 0 } { [-] ID: admin@a830edad9050849NDA3079.onmicrosoft.com /** ----- user_id Type: 5 } { [-] ID: 10037FFE8EC1E08E /** ----- user_id Type: 3 } ] ActorContextId: 2ed28a74-1f6f-4829-8530-fe359c77d35c /** ----- vendor_account ActorIpAddress: 4.14.104.185 /** ----- src, src_ip ApplicationId: c44b4083-3bb0-49c1-b47d-974e53cbdf3c AzureActiveDirectoryEventType: 1 ClientIP: 4.14.104.185 CreationTime: 2020-02-27T00:49:21 ExtendedProperties: [ [-] { [-] Name: UserAgent Value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36 /** ----- user_agent } { [-] Name: FlowTokenScenario Value: Login } { [-] Name: UserAuthenticationMethod Value: 1 /** ----- authentication_method } { [-] Name: RequestType Value: Login:login } { [-] Name: ResultStatusDetail Value: Success } ] Id: 6c7bb43a-4fc5-403e-9e20-a1e6d4fdc7b3 InterSystemsId: a2c96557-09ee-4be2-9d8a-a13c7326ff0e IntraSystemId: 4bc7a6ba-fabb-4bcc-9663-2a1be0a11a00 ModifiedProperties: [ [-] ] ObjectId: 797f4846-ba00-4fd7-ba43-dac1f8f63013 Operation: UserLoggedIn /** ----- signature OrganizationId: 2ed28a74-1f6f-4829-8530-fe359c77d35c RecordType: 15 ResultStatus: Succeeded /** ----- action SupportTicketId: Target: [ [-] { [-] ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013 Type: 0 } ] TargetContextId: 2ed28a74-1f6f-4829-8530-fe359c77d35c UserId: admin@a830edad9050849NDA3079.onmicrosoft.com UserKey: 10037FFE8EC1E08E@a830edad9050849NDA3079.onmicrosoft.com UserType: 0 Version: 1 Workload: AzureActiveDirectory }
AWS success
A sample AWS successful user login follows:
Click expand or collapse to show or hide the example.
{ additionalEventData: { LoginTo: https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true MFAUsed: No /** ----- authentication_method MobileVersion: No } awsRegion: us-east-1 eventID: 040eb5f3-1132-4325-b06b-022e580c44fe eventName: ConsoleLogin /** ----- signature eventSource: signin.amazonaws.com eventTime: 2020-02-21T23:06:26Z eventType: AwsConsoleSignIn eventVersion: 1.05 recipientAccountId: 772089552793 requestParameters: null responseElements: { ConsoleLogin: Success /** ----- action } sourceIPAddress: 4.14.104.185 /** ----- src userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 /** ----- user_agent userIdentity: { accountId: 772089552793 /** ----- vendor_account arn: arn:aws:iam::772089552793:user/example_user principalId: AIDA3HRA7T6MUVQJRHPKV type: IAMUser userName: example_user /** ----- user_id, user, src_user } }
Login success field mapping
Using the login success from GCP as a base sample, and comparing it to a similar event from MS o365 and AWS is a good way to see the similarities and differences per common CIM field names.
User id example data | Provider field name | CIM field name |
---|---|---|
GCP
|
actor.email | user_id |
MS o365
|
Id | user_id |
AWS
|
userIdentity.userName |
|
Action example data | Provider field name | CIM field name |
GCP
|
events.name | action |
MS o365
|
ResultStatus | action |
AWS
|
responseElements.ConsoleLogin | action |
Signature example data | Provider field name | CIM field name |
GCP
|
events.type | signature |
MS o365
|
Operation | signature |
AWS
|
eventName | signature |
Authentication method example data | Provider field name | CIM field name |
GCP
|
|
authentication_method |
MS o365
|
UserAuthenticationMethod | authentication_method |
AWS
|
MFAUsed | authentication_method |
Vendor account example data | Provider field name | CIM field name |
GCP
|
id.customerId | vendor_account |
MS o365
|
OrganizationId | vendor_account |
AWS
|
userIdentity.accountId | vendor_account |
Source example data | Provider field name | CIM field name |
GCP
|
ipAddress |
|
MS o365
|
ClientIP |
|
AWS
|
sourceIPAddress | src |
User agent data | Provider field name | CIM field name |
GCP
|
kind | user_agent |
MS o365
|
UserAgent | user_agent |
AWS
|
userAgent | user_agent |
Login failure example
The login failure event from Google Cloud Platform (GCP), Microsoft Office 356 (MS o365), and Amazon Web Services (AWS) is a good way to see a common event and how each cloud provider maps to CIM data model field names.
GCP failure
A sample GCP failed user login follows:
Click expand or collapse to show or hide the example.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "example_user@gmail.com" /** ----- user_id }, "requestMetadata": { "callerIp": "2601:646:8400:b0:a991:7135:7879:6cea" /** ----- src, src_ip }, "serviceName": "login.googleapis.com", /** ----- app, dest "methodName": "google.login.LoginService.loginFailure", /** ----- signature "resourceName": "organizations/809036120291", "metadata": { "activityId": { "timeUsec": "1588189783734201", "uniqQualifier": "1023108278221" }, "event": [ { "eventType": "login", "eventName": "login_failure", "parameter": [ { "name": "login_type", "value": "unknown", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" }, { "name": "login_challenge_method", /** ----- authentication_method "multiStrValue": [ /** ----- reason "password", "password" ], "label": "LABEL_REPEATED", "type": "TYPE_STRING" }, { "name": "dusi", "value": "IMyb8fehs77-gQE", "label": "LABEL_OPTIONAL", "type": "TYPE_STRING" } ] } ], "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto" } }, "insertId": "mh9fqkc4a2", "resource": { "type": "audited_resource", "labels": { "method": "google.login.LoginService.loginFailure", "service": "login.googleapis.com" } }, "timestamp": "2020-04-29T19:49:43.734201Z", "severity": "NOTICE", /** ----- action "logName": "organizations/809036120291/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2020-04-29T20:43:00.836830467Z" }
MS o365 failure
A sample MS o365 failed user login follows:
Click expand or collapse to show or hide the example.
{ [-] Actor: [ [-] { [-] ID: 1d48684f-70ea-41e7-8459-9a7a24a8690a Type: 0 } { [-] ID: jc3@a830edad9050849NDA3079.onmicrosoft.com /** ----- user_id Type: 5 } { [-] ID: 10030000AEF912F2 Type: 3 } ] ActorContextId: 2ed28a74-1f6f-4829-8530-fe359c77d35c ActorIpAddress: 13.67.186.66 ApplicationId: 00000002-0000-0ff1-ce00-000000000000 AzureActiveDirectoryEventType: 1 ClientIP: 13.67.186.66 /** ----- src_ip, src CreationTime: 2020-02-27T07:46:00 ExtendedProperties: [ [-] { [-] Name: UserAgent /** ----- user_agent Value: python-requests/2.12.4 } { [-] Name: RequestType Value: OrgIdWsTrust2:process } { [-] Name: ResultStatusDetail Value: UserError } ] Id: 8498834c-4ca4-4300-9351-099f917bd2e7 InterSystemsId: 3f3bd815-8d38-48c8-aa71-445216d908de IntraSystemId: c3b22bc6-14c4-4b41-9aee-f4fb7f1e1000 LogonError: InvalidUserNameOrPassword /** ----- reason ModifiedProperties: [ [-] ] ObjectId: Unknown Operation: UserLoginFailed /** ----- signature OrganizationId: 2ed28a74-1f6f-4829-8530-fe359c77d35c /** ----- vendor_account RecordType: 15 ResultStatus: Failed /** ----- action SupportTicketId: Target: [ [-] { [-] ID: Unknown Type: 0 } ] TargetContextId: 2ed28a74-1f6f-4829-8530-fe359c77d35c UserId: jc3@a830edad9050849NDA3079.onmicrosoft.com /** ----- user, user_id UserKey: 10030000AEF912F2@a830edad9050849NDA3079.onmicrosoft.com UserType: 0 /** ----- user_type Version: 1 Workload: AzureActiveDirectory /** ----- app }
AWS failure
A sample AWS failed user login follows:
Click expand or collapse to show or hide the example.
{ additionalEventData: { LoginTo: https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true MFAUsed: No /** ----- authentication_method MobileVersion: No } awsRegion: us-east-1 errorMessage: Failed authentication /** ----- reason eventID: 9c6005a8-def1-4075-a1b8-daba01c8150b eventName: ConsoleLogin /** ----- signature eventSource: signin.amazonaws.com /** ----- app, dest eventTime: 2020-02-21T23:06:11Z eventType: AwsConsoleSignIn eventVersion: 1.05 recipientAccountId: 772089552793 requestParameters: null responseElements: { ConsoleLogin: Failure /** ----- action } sourceIPAddress: 4.14.104.185 /** ----- src userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 /** ----- user_agent userIdentity: { accessKeyId: accountId: 772089552793 /** ----- vendor_account principalId: AIDA3HRA7T6MUVQJRHPKV type: IAMUser /** ----- user_type userName: example_user /** ----- user_id } }
Login failure field mapping
Using the login failure from GCP as a base sample, and comparing it to a similar event from MS o365 and AWS is a good way to see the similarities and differences per common CIM field names.
User id example data | Provider field name | CIM field name |
---|---|---|
GCP
|
protoPayload.authenticationInfo.principalEmail | user_id |
MS o365 |
UserId | user_id |
AWS
|
userIdentity.userName | user_id |
User type example data | Provider field name | CIM field name |
MS o365 |
UserType | user_type |
AWS
|
userIdentity.type | user_type |
App example data | Provider field name | CIM field name |
GCP
|
protoPayload.serviceName | app |
MS o365 |
Workload | app |
AWS
|
eventSource | app |
Action example data | Provider field name | CIM field name |
GCP
|
severity | action |
MS o365
|
ResultStatus | action |
AWS
|
responseElements.ConsoleLogin | action |
Signature example data | Provider field name | CIM field name |
GCP
|
protoPayload.methodName | signature |
MS o365
|
Operation | signature |
AWS
|
eventName | signature |
Authentication method example data | Provider field name | CIM field name |
GCP
|
events.parameters.name.login_challenge_method | authentication_method |
AWS
|
additionalEventData.MFAUsed | authentication_method |
Vendor account example data | Provider field name | CIM field name |
MS o365
|
OrganizationId | vendor_account |
AWS
|
userIdentity.accountId | vendor_account |
Source example data | Provider field name | CIM field name |
GCP
|
requestMetadata.callerIp |
|
MS o365
|
ClientIP |
|
AWS
|
sourceIPAddress | src |
Reason example data | Provider field name | CIM field name |
GCP
|
event.parameter.multiStrValue | reason |
MS o365
|
LogonError | reason |
AWS
|
errorMessage | reason |
User agent data | Provider field name | CIM field name |
MS o365
|
UserAgent | user_agent |
AWS
|
userAgent | user_agent |
Privilege escalation example
The privilege escalation event from AWS is a good way to see a common event and how a cloud provider maps to CIM data model field names.
Privilege escalations include scenarios such as when a user, app, or agent logs in with one set of privileges, and then assumes a new set of privileges (such as sudo su -
or short-lived credentials for service accounts).
AWS privilege escalation
A sample AssumeRoleWithSAML follows:
{ "eventVersion": "1.05", "userIdentity": { "type": "SAMLUser", "principalId": "g4RD/xcF3dcnEghdegAhfaPo+ow=:example_user@aws.com", "userName": "example_user@aws.com", /** ----- src_user "identityProvider": "g4RD/xcF3dcnEghdegAhfaPo+ow=" }, "eventTime": "2020-03-02T20:25:30Z", "eventSource": "sts.amazonaws.com", /** ----- app, dest "eventName": "AssumeRoleWithSAML", /** ----- signature "awsRegion": "us-east-1", "sourceIPAddress": "12.26.0.2", "userAgent": "aws-sdk-go/2.0.0-preview.2 (go1.9.6; darwin; amd64)", "requestParameters": { "sAMLAssertionID": "id29525874074479896480891647", "roleSessionName": "example_user@aws.com", "durationSeconds": 43200, "roleArn": "arn:aws:iam::671568874969:role/splunkcloud_account_metadata_read", "principalArn": "arn:aws:iam::671568874969:saml-provider/SplunkcloudOkta" }, "responseElements": { "subjectType": "unspecified", "issuer": "http://www.okta.com/exksfwc0mwQGJQoJ62p6", "credentials": { "accessKeyId": "ASIAZYXE7ZXMXCVFRGMO", "expiration": "Mar 3, 2020 8:25:30 AM", "sessionToken": "FwoGZXIvYXdzEG4aDKrC390jc4wlJW7kpyLnAWpYPA0uT1YdeIogg1iol1J0mdHQkIy1QmETyBa8o8KWXP7ptMeilV1UiPmtPQppTu0iXsMOpUM25WOaPioornDWpHwY3ieOhJl1gVODA9cjlLu3pH8j9q4nFXxelkhieBdguExhUslmDSmGLoI94IPOn27bISDZW8vRJwnj9/7WupIM6g4zOOipstGNbWfgTE4/6fkc4HRxdrfS5c1c7ijFxfSaCoT134vhEA1xxhrKLn896ydbFuiIcxsYggDBe886NHKY+DNq1aYPKEiTrJKfWDLLs97sq0ZTi79fOW7arjtNccyKqyi61/XyBTIrZFsRcfIx6xpsS7cOszFx9wNIBJY8X4BjYCXx7QiCZW3pcKAIYbOcBLavSg==" }, "nameQualifier": "g4RD/xcF3dcnEghdegAhfaPo+ow=", "assumedRoleUser": { "assumedRoleId": "AROAIDCBHGVCTRIEIG2X2:example_user@aws.com", "arn": "arn:aws:sts::671568874969:assumed-role/splunkcloud_account_metadata_read/example_user@aws.com" /** ----- user }, "subject": "example_user@aws.com", "audience": "https://signin.aws.amazon.com/saml" }, "requestID": "7c7ac23a-fc2d-4c76-976e-8e2b40073d7d", "eventID": "84dd288a-bdc0-4708-ad61-cde4f45dcc64", "resources": [ { "ARN": "arn:aws:iam::671568874969:role/splunkcloud_account_metadata_read", "accountId": "671568874969", "type": "AWS::IAM::Role" }, { "ARN": "arn:aws:iam::671568874969:saml-provider/SplunkcloudOkta", "accountId": "671568874969", "type": "AWS::IAM::SAMLProvider" } ], "eventType": "AwsApiCall", "recipientAccountId": "671568874969" }
GCP short-lived credentials
A sample GCP short-lived credentials follows:
{ "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "example_user@gmail.com" /** ----- src_user }, "methodName": "GenerateAccessToken", /** ----- signature "request": { "@type": "type.googleapis.com/google.iam.credentials.v1.GenerateAccessTokenRequest", "name": "projects/-/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com" }, "serviceName": "iamcredentials.googleapis.com" /** ----- app, dest }, "resource": { "labels": { "email_id": "my-service-account@my-project.iam.gserviceaccount.com", /** ----- user "project_id": "my-project", /** ----- vendor_account "unique_id": "123456789012345678901" }, "type": "service_account" } }
Privilege escalation field mapping
Using the privilege escalation from AWS as a base sample is a good way to see the similarities and differences per common CIM field names.
Vendor account example data | Provider field name | CIM field name |
---|---|---|
AWS
|
userIdentity.accountId | vendor_account |
GCP
|
resource.labels.project_id | vendor_account |
Source user example data | Provider field name | CIM field name |
AWS
|
userIdentity.userName | src_user |
GCP
|
protoPayload.authenticationInfo.principalEmail | src_user |
App, dest example data | Provider field name | CIM field name |
AWS
|
eventSource | app, dest |
GCP
|
protoPayload.serviceName | app, dest |
Signature example data | Provider field name | CIM field name |
AWS
|
eventName | signature |
GCP
|
protoPayload.methodName | signature |
User example data | Provider field name | CIM field name |
AWS
|
assumedRoleUser.arn | user |
GCP
|
resource.labels.email_id | user |
Use the CIM to normalize CPU performance metrics | Change Field Mapping |
This documentation applies to the following versions of Splunk® Common Information Model Add-on: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.1, 5.3.2, 6.0.0
Feedback submitted, thanks!