ACES JSON Schema
{
"type": "object",
"properties": {
"@timestamp": {
"description": "Date/time when the event originated.",
"type": "string"
},
"tags": {
"description": "List of keywords used to tag each event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"labels": {
"description": "Custom key/value pairs.",
"type": "object"
},
"message": {
"description": "A human-readable summary of the event.",
"type": "string"
},
"version": {
"description": "Version of ACES.",
"type": "string"
},
"application": {
"type": "object",
"properties": {
"name": {
"description": "The name or description of the application.",
"type": "string"
},
"id": {
"description": "Unique ID of the application.",
"type": "string"
},
"domain": {
"description": "The domain name of the application.",
"type": "string"
},
"path": {
"description": "The URI of the application or API endpoint, which can include parameters.",
"type": "string"
},
"version": {
"description": "The version of the application.",
"type": "string"
},
"scopes": {
"description": "The scopes required by the application.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"appomni": {
"type": "object",
"properties": {
"alert": {
"type": "object",
"properties": {
"channel": {
"description": "The channel of a rule is determined by the stage of the rule lifecycle.",
"type": "string",
"enum": [
"prod",
"beta",
"testing",
"ao_only_prod",
"ao_only_beta",
"ao_only_testing"
]
}
},
"required": [],
"additionalProperties": false
},
"service": {
"type": "object",
"properties": {
"type": {
"description": "The platform shortname of the monitored service.",
"type": "string",
"enum": [
"ao_qa",
"appomni",
"asana",
"auth0",
"bitbucket",
"box",
"confluence",
"crowdstrike",
"custom",
"databricks",
"docusign",
"duo",
"fastly",
"github",
"gsuite",
"hubspot",
"imanage",
"jamf",
"jira",
"jumpcloud",
"lucid",
"miro",
"mongo",
"monday",
"multiple",
"netsuite",
"notion",
"o365",
"okta",
"onelogin",
"ping",
"sapsf",
"sfdc",
"sfmc",
"slack",
"sendgrid",
"smartsheet",
"snow",
"snowflake",
"stripe",
"tableau",
"veevavault",
"webex",
"wiz",
"workday",
"zendesk",
"zoom"
]
},
"id": {
"description": "Unique AppOmni-assigned ID of the connected monitored service.",
"type": "integer"
},
"account_id": {
"description": "Unique platform-assigned ID of the connected monitored service.",
"type": "string"
},
"name": {
"description": "The tenant owner-assigned name of the connected monitored service.",
"type": "string"
},
"slug": {
"description": "The identifier of the monitored service, either the platform shortname for out-of-the-box (OOTB) services or the unique identifier for custom monitored services.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"source": {
"type": "object",
"properties": {
"id": {
"description": "Unique AppOmni-assigned ID of the detection event source.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"event": {
"type": "object",
"properties": {
"id": {
"description": "Unique AppOmni-assigned ID of the event.",
"type": "string"
},
"dataset": {
"description": "The dataset of the event. A dataset is generally a collection of similar events.",
"type": "string",
"enum": [
"onepassword_auditlog",
"ao_auditlogs",
"ao_canary",
"appomni_alert",
"appomni_event",
"appomni_qa",
"arista_auditlog",
"asana_eventlog",
"auth0_auditlog",
"bitbucket_auditlog",
"box_admin_logs",
"confluence_eventlog",
"cradlepoint_activity_log",
"crowdstrike_audit_log",
"crowdstrike_auth_activity",
"crowdstrike_cspm_ioa_event",
"crowdstrike_cspm_search_event",
"crowdstrike_detection_summary",
"crowdstrike_external_api_activity",
"crowdstrike_identity_protection_event",
"crowdstrike_idp_detection_summary",
"crowdstrike_incident_summary",
"crowdstrike_ioc_event",
"crowdstrike_firewall_match",
"crowdstrike_mobile_detection_summary",
"crowdstrike_realtime_response_end",
"crowdstrike_realtime_response_start",
"crowdstrike_recon_summary",
"crowdstrike_user_activity",
"crowdstrike_xdr_detection_summary",
"crowdstrike_unknown",
"custom_eventlog_push",
"custom_rawlog",
"databricks_auditlog",
"datadog_auditlog",
"duo_admin",
"duo_auth",
"docusign_envelope_audit",
"docusign_monitor",
"fastly_auditlog",
"github_audit",
"github_webhook",
"gitlab_audit_events",
"gsuite_admin_log",
"gsuite_alert_center_log",
"gsuite_drive_log",
"gsuite_login_log",
"gsuite_mobile_log",
"gsuite_token_log",
"hubspot_auditlog",
"imanage_auditlog",
"jamf_auditlog",
"jira_eventlog",
"jumpcloud_auditlog",
"juniper_system_log",
"lucid_eventlog",
"miro_auditlog",
"monday_auditlog",
"netsuite_login_log",
"netsuite_perm_change_log",
"netsuite_role_log",
"notion_auditlog",
"o365_audit_azure_active_directory",
"o365_audit_exchange",
"o365_audit_general",
"o365_audit_sharepoint",
"o365_dlp_all",
"mongodb_atlas",
"okta_syslog",
"onelogin_eventlog",
"openblue_auditlog",
"sapsf_sfapi_eventlog",
"sapsf_odata_api_eventlog",
"ping_eventlog",
"sfdc_admin_setup_event_table",
"sfdc_api_anomaly_event_store",
"sfdc_api_event_table",
"sfdc_audit_trail",
"sfdc_batch_event_log",
"sfdc_bulk_api_result_event_store",
"sfdc_content_transfer_event_store",
"sfdc_credential_stuffing_event_store",
"sfdc_data_query",
"sfdc_field_modification_history",
"sfdc_fsecure",
"sfdc_identity_verification_event_store",
"sfdc_idp_event_store",
"sfdc_lightning_uri_event_table",
"sfdc_list_view_event_table",
"sfdc_login_as_event_table",
"sfdc_login_event_table",
"sfdc_logout_event_table",
"sfdc_oauth_connection",
"sfdc_permission_event_store",
"sfdc_report_anomaly_event_store",
"sfdc_report_event_table",
"sfdc_session_hijacking_event_store",
"sfdc_uri_event_table",
"sfmc_audit_event",
"sfmc_security_event",
"slack_auditlog",
"smartsheet_auditlog",
"sendgrid_auditlog",
"snow_export_log",
"snow_mid_command_log",
"snow_sysaudit",
"snow_sysaudit_role",
"snow_sysevent",
"snow_syslog",
"snowflake_login_history",
"snowflake_query_history",
"stripe_eventlog",
"tableau_activitylogs",
"veevavault_login_audit_trail",
"veevavault_system_audit_trail",
"veevavault_document_audit_trail",
"veevavault_object_audit_trail",
"versa_auditlog",
"webex_admin_audit",
"wiz_audit",
"workday_auditlog_user_activity",
"workday_activity_logging",
"zendesk_auditlog",
"zoom_recordings",
"zoom_webhook"
]
},
"sortable_ingest_id": {
"description": "Unique sortable ID of the event assigned when it arrives in AppOmni's data store.",
"type": "string"
},
"sortable_event_id": {
"description": "Unique sortable ID of the event assigned when it's collected.",
"type": "string"
},
"parent_id": {
"description": "Unique ID of the parent event.",
"type": "string"
},
"ingestion_time": {
"description": "Timestamp when the event arrived in AppOmni's data store.",
"type": "string"
},
"collected_time": {
"description": "Timestamp when the event was collected by AppOmni.",
"type": "string"
},
"enrichments": {
"description": "List of 3rd party sources that contributed enrichment information to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [
"id",
"dataset"
],
"additionalProperties": false
},
"organization": {
"type": "object",
"properties": {
"id": {
"description": "ID of the AppOmni Tenant this event originated from.",
"type": "integer"
}
},
"required": [
"id"
],
"additionalProperties": false
}
},
"required": [
"event",
"organization"
],
"additionalProperties": false
},
"authentication": {
"type": "object",
"properties": {
"raw_method": {
"description": "Method of authentication as provided by the monitored service.",
"type": "string"
},
"method": {
"description": "Normalized method of authentication.",
"type": "string",
"enum": [
"access_token",
"backup_code",
"biometric",
"email",
"hardware_authenticator",
"password",
"passwordless",
"phone_call",
"sms",
"sso",
"software_authenticator",
"gesture",
"hardware_token",
"software_token"
]
},
"provider": {
"description": "Authentication provider.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"configuration": {
"type": "object",
"properties": {
"name": {
"description": "The name or description of a configuration.",
"type": "string"
},
"value": {
"description": "The current value or state of a configuration.",
"type": "string"
},
"old_value": {
"description": "The previous value or state of a configuration.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"destination": {
"type": "object",
"properties": {
"address": {
"description": "The raw address of the destination according to the source. This value should be duplicated to `destination.ip` or `destination.domain`, depending on which one applies.",
"type": "string"
},
"ip": {
"description": "IP address of the destination (IPv4 or IPv6).",
"type": "string"
},
"port": {
"description": "Port of the destination.",
"type": "integer"
},
"mac": {
"description": "MAC address of the destination.",
"type": "string"
},
"domain": {
"description": "The domain name of the destination. This value can be a host name or FQDN.",
"type": "string"
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a destination.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"as": {
"type": "object",
"properties": {
"country": {
"description": "ISO 3166 country code.",
"type": "string"
},
"domain": {
"description": "Domain name of the AS.",
"type": "string"
},
"number": {
"description": "Unique number assigned to the autonomous system.",
"type": "integer"
},
"type": {
"description": "AS type.",
"type": "string"
},
"service": {
"description": "Name of the IP privacy service provider.",
"type": "string"
},
"organization": {
"type": "object",
"properties": {
"name": {
"description": "Name of the organization.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"geo": {
"type": "object",
"properties": {
"location": {
"description": "Longitude and latitude.",
"type": "object"
},
"continent_code": {
"description": "Two-letter code representing the continent\u2019s name.",
"type": "string",
"enum": [
"AF",
"AN",
"AS",
"EU",
"NA",
"OC",
"SA"
]
},
"continent_name": {
"description": "Name of the continent.",
"type": "string",
"enum": [
"Africa",
"Antarctica",
"Asia",
"Europe",
"North America",
"Oceania",
"South America"
]
},
"country_name": {
"description": "Name of the country.",
"type": "string"
},
"region_name": {
"description": "Name of the region or state.",
"type": "string"
},
"city_name": {
"description": "Name of the city.",
"type": "string"
},
"country_iso_code": {
"description": "ISO code of the country.",
"type": "string"
},
"postal_code": {
"description": "Postal code or ZIP code associated with the location. This value will vary depending on the country.",
"type": "string"
},
"region_iso_code": {
"description": "ISO code of the region or state.",
"type": "string"
},
"timezone": {
"description": "IANA timezone name of the location.",
"type": "string"
},
"name": {
"description": "Description of the specific location, such as an office name or floor number.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"host": {
"type": "object",
"properties": {
"name": {
"description": "Name of the host. This value can be the hostname, FQDN, or user-defined name.",
"type": "string"
},
"id": {
"description": "Unique ID of the host.",
"type": "string"
},
"hostname": {
"description": "Hostname of the host.",
"type": "string"
},
"mac": {
"description": "MAC address of the host.",
"type": "string"
},
"type": {
"description": "Type of host.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"error": {
"type": "object",
"properties": {
"message": {
"description": "Error message.",
"type": "string"
},
"id": {
"description": "Unique ID of the error.",
"type": "string"
},
"type": {
"description": "The type or class of the error.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"event": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID to describe the event.",
"type": "string"
},
"code": {
"description": "Identification code for this event, if one exists.\nSome event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time.",
"type": "string"
},
"kind": {
"description": "`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event.",
"type": "string",
"enum": [
"alert",
"event",
"synthetic",
"finding"
]
},
"category": {
"description": "Indicates the high-level categorization of an event.",
"type": "array",
"items": {
"type": [
"string"
],
"enum": [
"authentication",
"configuration",
"file",
"malware"
]
}
},
"action": {
"description": "The action captured by the event.",
"type": "string",
"enum": [
"accept_invite",
"accept_message",
"accept_session",
"accept_tos",
"access_app",
"access_webhook",
"add_app",
"add_device",
"add_domain",
"add_key",
"add_label",
"add_mfa",
"add_permission",
"add_policy",
"add_resource",
"add_role",
"add_rule",
"add_team",
"add_user",
"add_workflow",
"alert_api",
"alert_device",
"alert_event",
"alert_mfa",
"alert_policy",
"alert_resource",
"alert_rule",
"alert_user",
"allow_issue",
"approve_access",
"approve_app",
"approve_resource",
"approve_request",
"approve_token",
"approve_user",
"approve_workflow",
"archive_key",
"archive_resource",
"archive_rule",
"archive_user",
"assign_issue",
"authenticate_app",
"authenticate_user",
"await_resource",
"block_session",
"block_user",
"canary",
"cancel_review",
"cancel_sponsorship",
"cancel_workflow",
"change_mfa",
"close_issue",
"close_project",
"close_request",
"close_review",
"complete_task",
"complete_workflow",
"connect_app",
"connect_user",
"copy_key",
"copy_resource",
"create_account",
"create_advisory",
"create_api",
"create_app",
"create_branch",
"create_code",
"create_comment",
"create_csr",
"create_deployment",
"create_event",
"create_exception",
"create_fork",
"create_group",
"create_index",
"create_issue",
"create_key",
"create_label",
"create_metadata",
"create_mfa",
"create_organization",
"create_package",
"create_password",
"create_permission",
"create_policy",
"create_project",
"create_request",
"create_resource",
"create_role",
"create_rule",
"create_setting",
"create_share",
"create_sponsorship",
"create_task",
"create_team",
"create_token",
"create_user",
"create_webhook",
"create_workflow",
"delete_account",
"delete_advisory",
"delete_alert",
"delete_app",
"delete_branch",
"delete_certificate",
"delete_code",
"delete_comment",
"delete_exception",
"delete_group",
"delete_index",
"delete_issue",
"delete_key",
"delete_label",
"delete_metadata",
"delete_organization",
"delete_package",
"delete_permission",
"delete_policy",
"delete_project",
"delete_request",
"delete_resource",
"delete_role",
"delete_rule",
"delete_setting",
"delete_task",
"delete_team",
"delete_token",
"delete_user",
"delete_webhook",
"delete_workflow",
"demote_role",
"deny_access",
"deny_invite",
"deny_request",
"disable_account",
"disable_app",
"disable_device",
"disable_license",
"disable_mfa",
"disable_permission",
"disable_policy",
"disable_resource",
"disable_rule",
"disable_setting",
"disable_user",
"disable_webhook",
"disable_workflow",
"disconnect_app",
"disconnect_user",
"dismiss_advisory",
"download_resource",
"download_token",
"elevate_permission",
"elevate_role",
"enable_account",
"enable_api",
"enable_app",
"enable_device",
"enable_license",
"enable_mfa",
"enable_permission",
"enable_policy",
"enable_resource",
"enable_rule",
"enable_setting",
"enable_user",
"enable_webhook",
"enable_workflow",
"end_resource",
"end_session",
"end_task",
"enroll_certificate",
"enroll_mfa",
"evaluate_policy",
"evaluate_token",
"execute_app",
"execute_command",
"execute_policy",
"execute_request",
"execute_resource",
"execute_rule",
"execute_task",
"execute_workflow",
"expire_exception",
"expire_invite",
"expire_mfa",
"expire_password",
"expire_request",
"expire_session",
"expire_token",
"favorite_resource",
"follow_resource",
"get_token",
"ignore_issue",
"impersonate_user",
"import_account",
"import_group",
"import_resource",
"import_user",
"install_app",
"invite_user",
"issue_certificate",
"lock_account",
"lock_issue",
"lock_resource",
"lock_user",
"login_user",
"logout_user",
"mitigate_advisory",
"move_issue",
"move_resource",
"notify_issue",
"notify_mfa",
"notify_workflow",
"open_issue",
"open_project",
"pin_issue",
"preview_resource",
"print_resource",
"privatize_resource",
"publicize_resource",
"publish_code",
"publish_csr",
"publish_resource",
"push_commit",
"query_api",
"query_resource",
"read_account",
"read_audit",
"read_config",
"read_device",
"read_group",
"read_label",
"read_metadata",
"read_password",
"read_permission",
"read_policy",
"read_resource",
"read_role",
"read_rule",
"read_schema",
"read_setting",
"read_share",
"read_task",
"read_user",
"reject_tos",
"remove_app",
"remove_device",
"remove_domain",
"remove_group",
"remove_label",
"remove_license",
"remove_mfa",
"remove_permission",
"remove_policy",
"remove_resource",
"remove_role",
"remove_rule",
"remove_team",
"remove_user",
"request_access",
"request_advisory",
"request_authorization",
"request_review",
"request_task",
"request_token",
"reset_password",
"restore_resource",
"revoke_access",
"revoke_api",
"revoke_app",
"revoke_certificate",
"revoke_csr",
"revoke_token",
"revoke_user",
"send_healthcheck",
"send_heartbeart",
"share_resource",
"share_screen",
"start_resource",
"start_session",
"start_task",
"submit_review",
"suspend_app",
"synchronize_account",
"synchronize_device",
"synchronize_group",
"synchronize_resource",
"synchronize_task",
"synchronize_user",
"transfer_owner",
"unarchive_resource",
"unassign_issue",
"unblock_user",
"unenroll_mfa",
"unfavorite_resource",
"unfollow_resource",
"uninstall_app",
"unknown",
"unlock_account",
"unpublish_code",
"unlock_issue",
"unlock_resource",
"unlock_token",
"unlock_user",
"unpin_issue",
"unshare_resource",
"unsuspend_app",
"update_access",
"update_account",
"update_advisory",
"update_alert",
"update_api",
"update_app",
"update_authentication",
"update_certificate",
"update_code",
"update_comment",
"update_device",
"update_group",
"update_index",
"update_issue",
"update_key",
"update_label",
"update_metadata",
"update_mailbox",
"update_organization",
"update_package",
"update_password",
"update_permission",
"update_policy",
"update_project",
"update_resource",
"update_request",
"update_review",
"update_role",
"update_rule",
"update_session",
"update_setting",
"update_share",
"update_sponsorship",
"update_status",
"update_task",
"update_team",
"update_token",
"update_user",
"update_webhook",
"update_workflow",
"upgrade_app",
"upload_resource",
"upload_token",
"verify_device",
"verify_group",
"verify_mfa",
"verify_resource",
"verify_user",
"verify_webhook"
]
},
"outcome": {
"description": "The outcome describes whether an event action succeeded or failed.",
"type": "string",
"enum": [
"success",
"failure",
"unknown"
]
},
"type": {
"description": "Indicates the type of event. This is a subcategory of `event.category`.",
"type": "array",
"items": {
"type": [
"string"
],
"enum": [
"access",
"admin",
"change",
"end",
"info",
"start",
"creation",
"deletion"
]
}
},
"module": {
"description": "Module of the event. This is usually a specific product or plugin of the monitored service.",
"type": "string"
},
"dataset": {
"description": "The dataset of the event as presented by the SaaS platform. This is distinct from AppOmni datasets which reside under `appomni.event.dataset`.",
"type": "string"
},
"provider": {
"description": "Source of the event. This may be the API endpoint or operating system that generated the event.",
"type": "string"
},
"severity": {
"description": "The numeric severity of the event according to the source.",
"type": "integer"
},
"original": {
"description": "The raw event in its original form.",
"type": "string"
},
"duration": {
"description": "Duration of the event. If `event.start` and `event.end` are known, this value should be the difference between the end and start time.",
"type": "integer"
},
"sequence": {
"description": "Sequence number of the event. Sequence numbering is used to ensure the order of events is known, regardless of the timestamp.",
"type": "integer"
},
"created": {
"description": "Date/time when the event was reported as created in the monitored service.",
"type": "string"
},
"start": {
"description": "Date/time when the event started or when the activity was first observed.",
"type": "string"
},
"end": {
"description": "Date/time when the event ended or when the activity was last observed.",
"type": "string"
},
"risk_score": {
"description": "Risk score of the event, as provided by the original source.",
"type": "number"
},
"risk_score_norm": {
"description": "Normalized risk score of the event, on a scale of 0 to 100.",
"type": "number"
},
"ingested": {
"description": "Date/time when the event arrived in AppOmni's data store.",
"type": "string"
},
"reference": {
"description": "URL to reference information about this event.",
"type": "string"
},
"url": {
"description": "URL to an external source to continue investigation of this event.",
"type": "string"
},
"reason": {
"description": "Reason this event happened, according to the source.",
"type": "string"
},
"ueba": {
"type": "object",
"properties": {
"anomalous_fields": {
"description": "Details of the anomalous fields of the event.",
"type": "object"
},
"normal_state": {
"description": "Normal state values of the anomalous fields.",
"type": "object"
},
"rare_state": {
"description": "Rare state values of the anomalous fields.",
"type": "object"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"file": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the file. This value should be duplicated to `resource.id`.",
"type": "string"
},
"name": {
"description": "Name of the file. This value should be duplicated to `resource.name`.",
"type": "string"
},
"directory": {
"description": "Directory where the file is located. It should include the drive letter if applicable.",
"type": "string"
},
"path": {
"description": "Full path to the file, including the file name.",
"type": "string"
},
"extension": {
"description": "File extension, excluding the leading dot.",
"type": "string"
},
"size": {
"description": "File size in bytes.",
"type": "integer"
},
"hash": {
"description": "Hash of the file. Value may be the result of any hashing algorithm.",
"type": "string"
},
"created": {
"description": "Date/time the file was created.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"policy": {
"type": "object",
"properties": {
"name": {
"description": "Name of the policy.",
"type": "string"
},
"id": {
"description": "Unique ID of the policy.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of a policy.",
"type": "string"
},
"description": {
"description": "Brief explanation of the purpose of the policy.",
"type": "string"
},
"outcome": {
"description": "Outcome of a policy evaluation on an audited action.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"related": {
"type": "object",
"properties": {
"ip": {
"description": "IP addresses related to an event (IPv4 or IPv6).",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"user": {
"description": "Users related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"hash": {
"description": "Hashes related to an event. Values may be the result of any hashing algorithm.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"host": {
"description": "Hosts related to an event. Values may be the hostname, FQDN, or user-defined name.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"resource": {
"description": "Resources related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"event": {
"description": "Event IDs related to an event, reflecting the AppOmni event ID from `appomni.event.id`.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"identity": {
"description": "Identity IDs related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"services": {
"type": "object",
"properties": {
"id": {
"description": "AppOmni Service IDs related to an event.",
"type": "array",
"items": {
"type": [
"integer"
]
}
},
"name": {
"description": "AppOmni Service Names related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"type": {
"description": "AppOmni Service Types related to an event.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"resource": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the resource.",
"type": "string"
},
"name": {
"description": "Name of the resource.",
"type": "string"
},
"type": {
"description": "Indicates the type of resource. The most descriptive type should be used to define a resource. For example, a file containing a report should have the `resource.type` of `report` rather than `file`.",
"type": "string",
"enum": [
"application",
"code",
"comment",
"credential",
"datastore",
"destination",
"device",
"email",
"file",
"folder",
"group",
"issue",
"list",
"organization",
"page",
"policy",
"project",
"record",
"report",
"repository",
"role",
"rule",
"shortcut",
"space",
"table",
"tag",
"task",
"unknown",
"user"
]
},
"count": {
"description": "Number of items in the resource.",
"type": "integer"
},
"owner": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"parent": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the resource.",
"type": "string"
},
"name": {
"description": "Name of the resource.",
"type": "string"
},
"type": {
"description": "Indicates the type of resource. The most descriptive type should be used to define a resource. For example, a file containing a report should have the `resource.type` of `report` rather than `file`.",
"type": "string",
"enum": [
"application",
"code",
"comment",
"credential",
"datastore",
"destination",
"device",
"email",
"file",
"folder",
"group",
"issue",
"list",
"organization",
"page",
"policy",
"project",
"record",
"report",
"repository",
"role",
"rule",
"shortcut",
"space",
"table",
"tag",
"task",
"unknown",
"user"
]
},
"count": {
"description": "Number of items in the resource.",
"type": "integer"
},
"owner": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"rule": {
"type": "object",
"properties": {
"uuid": {
"description": "Unique UUID of the rule.",
"type": "string"
},
"version": {
"description": "Version of the rule.",
"type": "string"
},
"name": {
"description": "Name of the rule.",
"type": "string"
},
"vendor_id": {
"description": "Unique ID of a vendor rule external to AppOmni.",
"type": "string"
},
"description": {
"description": "Brief explanation of what event(s) occurred and the intent/goal of the threat actor.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of the rule.",
"type": "string"
},
"ruleset": {
"description": "Name of the ruleset to which the rule is assigned.",
"type": "string"
},
"reference": {
"description": "URL to reference information about the rule.",
"type": "string"
},
"author": {
"description": "Name, organization, or author(s) who created the rule.",
"type": "string"
},
"license": {
"description": "Name of the license under which the rule is made available.",
"type": "string"
},
"threat": {
"type": "object",
"properties": {
"framework": {
"description": "Name of the threat framework used to classify the tactic and technique of a threat.",
"type": "string"
},
"tactic": {
"type": "object",
"properties": {
"id": {
"description": "ID of the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"name": {
"description": "Name of the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"reference": {
"description": "URL to reference information about the tactic.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
},
"technique": {
"type": "object",
"properties": {
"id": {
"description": "ID of the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"name": {
"description": "Name of the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"reference": {
"description": "URL to reference information about the technique.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"service": {
"type": "object",
"properties": {
"name": {
"description": "Name of the service as provided by the service provider.",
"type": "string"
},
"id": {
"description": "ID of the service as provided by the service provider.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"session": {
"type": "object",
"properties": {
"kind": {
"description": "Description of the privilege level associated with a session, or how a session was established.",
"type": "string"
},
"id": {
"description": "Unique ID of the session.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"source": {
"type": "object",
"properties": {
"address": {
"description": "The raw address of the source. This value should be duplicated to `source.ip` or `source.domain`, depending on which one applies.",
"type": "string"
},
"ip": {
"description": "IP address of the source (IPv4 or IPv6).",
"type": "string"
},
"port": {
"description": "Port of the source.",
"type": "integer"
},
"mac": {
"description": "MAC address of the source.",
"type": "string"
},
"domain": {
"description": "The domain name of the source. This value can be a host name or FQDN.",
"type": "string"
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a source.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"as": {
"type": "object",
"properties": {
"country": {
"description": "ISO 3166 country code.",
"type": "string"
},
"domain": {
"description": "Domain name of the AS.",
"type": "string"
},
"number": {
"description": "Unique number assigned to the autonomous system.",
"type": "integer"
},
"type": {
"description": "AS type.",
"type": "string"
},
"service": {
"description": "Name of the IP privacy service provider.",
"type": "string"
},
"organization": {
"type": "object",
"properties": {
"name": {
"description": "Name of the organization.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"geo": {
"type": "object",
"properties": {
"location": {
"description": "Longitude and latitude.",
"type": "object"
},
"continent_code": {
"description": "Two-letter code representing the continent\u2019s name.",
"type": "string",
"enum": [
"AF",
"AN",
"AS",
"EU",
"NA",
"OC",
"SA"
]
},
"continent_name": {
"description": "Name of the continent.",
"type": "string",
"enum": [
"Africa",
"Antarctica",
"Asia",
"Europe",
"North America",
"Oceania",
"South America"
]
},
"country_name": {
"description": "Name of the country.",
"type": "string"
},
"region_name": {
"description": "Name of the region or state.",
"type": "string"
},
"city_name": {
"description": "Name of the city.",
"type": "string"
},
"country_iso_code": {
"description": "ISO code of the country.",
"type": "string"
},
"postal_code": {
"description": "Postal code or ZIP code associated with the location. This value will vary depending on the country.",
"type": "string"
},
"region_iso_code": {
"description": "ISO code of the region or state.",
"type": "string"
},
"timezone": {
"description": "IANA timezone name of the location.",
"type": "string"
},
"name": {
"description": "Description of the specific location, such as an office name or floor number.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"host": {
"type": "object",
"properties": {
"name": {
"description": "Name of the host. This value can be the hostname, FQDN, or user-defined name.",
"type": "string"
},
"id": {
"description": "Unique ID of the host.",
"type": "string"
},
"hostname": {
"description": "Hostname of the host.",
"type": "string"
},
"mac": {
"description": "MAC address of the host.",
"type": "string"
},
"type": {
"description": "Type of host.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of the operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"space": {
"type": "object",
"properties": {
"name": {
"description": "Name or title of the space.",
"type": "string"
},
"id": {
"description": "Unique ID of the space.",
"type": "string"
},
"category": {
"description": "Indicates the high-level categorization of the space.",
"type": "string",
"enum": [
"channel",
"meeting",
"workspace"
]
}
},
"required": [],
"additionalProperties": false
},
"user": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"changes": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"effective": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
},
"target": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the user.",
"type": "string"
},
"name": {
"description": "Short name or login name of the user.",
"type": "string"
},
"full_name": {
"description": "Full name of the user.",
"type": "string"
},
"email": {
"description": "Email address of the user.",
"type": "string"
},
"hash": {
"description": "Hash of the user.",
"type": "string"
},
"domain": {
"description": "Domain of the user. This is usually the domain of the user's email address.",
"type": "string"
},
"roles": {
"description": "The roles of the user at the time of the event.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"indicators": {
"description": "Threat indicators identified through enrichment, specific to a user.",
"type": "array",
"items": {
"type": [
"string"
]
}
},
"group": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID for the group on the system.",
"type": "string"
},
"name": {
"description": "Name of the group.",
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"identity": {
"type": "object",
"properties": {
"id": {
"description": "Unique ID of the identity.",
"type": "string"
},
"full_name": {
"description": "Display name of the identity.",
"type": "string"
},
"email": {
"description": "Email address of the identity.",
"type": "string"
},
"elevated": {
"description": "Indicates whether an identity has elevated privileges.",
"type": "boolean"
},
"admin": {
"description": "Indicates whether an identity has administrative privileges.",
"type": "boolean"
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"user_agent": {
"type": "object",
"properties": {
"name": {
"description": "Name of the user agent.",
"type": "string"
},
"original": {
"description": "Original, unparsed user agent string.",
"type": "string"
},
"version": {
"description": "Version of the user agent.",
"type": "string"
},
"os": {
"type": "object",
"properties": {
"name": {
"description": "Name of the operating system, without the version.",
"type": "string"
},
"kernel": {
"description": "Kernel version of the operating system as a raw string.",
"type": "string"
},
"platform": {
"description": "Operating system platform.",
"type": "string"
},
"type": {
"description": "Name of the operating system family.",
"type": "string",
"enum": [
"android",
"chromeos",
"ios",
"linux",
"macos",
"unix",
"windows"
]
}
},
"required": [],
"additionalProperties": false
}
},
"required": [],
"additionalProperties": false
},
"ao_qa": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"ao": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"asana": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"auth0": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"bitbucket": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"box": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"confluence": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"crowdstrike": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"custom": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"databricks": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"docusign": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"duo": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"fastly": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"github": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"gsuite": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"hubspot": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"imanage": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jamf": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jira": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"jumpcloud": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"lucid": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"miro": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"mongo": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"monday": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"multiple": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"netsuite": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"notion": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"o365": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"okta": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"onelogin": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"ping": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sapsf": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sfdc": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sfmc": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"slack": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"sendgrid": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"smartsheet": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"snow": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"snowflake": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"stripe": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"tableau": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"veevavault": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"webex": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"wiz": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"workday": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"zendesk": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
},
"zoom": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": true
}
},
"required": [
"@timestamp",
"version",
"appomni"
],
"additionalProperties": false,
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "ACES.json",
"title": "AppOmni Common Event Schema",
"description": "TBD"
}