AppOmni
Top Level Fieldset: True
Contains fields related to the service, organization, and collection of an event.
AppOmni Fields
appomni.alert.channel
Required Field: False
Type: STRING
Example: prod
Detection Supported Field: False
The channel of a rule is determined by the stage of the rule lifecycle.
Allowed Values
Name | Description |
---|---|
prod | Reflects a rule that has been made generally available to AppOmni customers. |
beta | Reflects a rule that is in beta. |
testing | Reflects a rule that is in development. |
ao_only_prod | Rule for internal AppOmni usage that is in production. |
ao_only_beta | Rule for internal AppOmni usage that is in beta. |
ao_only_testing | Rule for internal AppOmni usage that is in testing. |
appomni.event.collected_time
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:33:55.589Z
Detection Supported Field: False
Timestamp when the event was collected by AppOmni.
appomni.event.dataset
Required Field: True
Type: STRING
Example: appomni_qa
Detection Supported Field: True
The dataset of the event. A dataset is generally a collection of similar events.
Allowed Values
Name | Description |
---|---|
onepassword_auditlog | OnePassword Audit Events |
ao_auditlogs | AppOmni Audit Events |
ao_canary | AppOmni Canary Events |
appomni_alert | AppOmni Alerts |
appomni_event | AppOmni Events |
appomni_qa | AppOmni QA Events |
arista_auditlog | Arista Audit Events |
asana_eventlog | Asana Audit Events |
auth0_auditlog | Auth0 Audit Events |
bitbucket_auditlog | Bitbucket Audit Events |
box_admin_logs | Box Audit Events |
confluence_eventlog | Confluence Audit Events |
cradlepoint_activity_log | Cradlepoint Activity Logs |
crowdstrike_audit_log | CrowdStrike Audit Events |
crowdstrike_auth_activity | CrowdStrike Authentication Audit Events |
crowdstrike_cspm_ioa_event | CrowdStrike Falcon Horizon CSPM Assessment Events |
crowdstrike_cspm_search_event | CrowdStrike Falcon Horizon CSPM Audit Events |
crowdstrike_detection_summary | CrowdStrike Detection Events |
crowdstrike_external_api_activity | CrowdStrike Third-Party App Audit Events |
crowdstrike_identity_protection_event | CrowdStrike Identity Protection Events |
crowdstrike_idp_detection_summary | CrowdStrike Identity Detection Events |
crowdstrike_incident_summary | CrowdStrike Incident Events |
crowdstrike_ioc_event | CrowdStrike Custom IOC Audit Events |
crowdstrike_firewall_match | CrowdStrike Firewall Audit Events |
crowdstrike_mobile_detection_summary | CrowdStrike Mobile Detection Events |
crowdstrike_realtime_response_end | CrowdStrike Real Time Response End Audit Events |
crowdstrike_realtime_response_start | CrowdStrike Real Time Response Start Audit Events |
crowdstrike_recon_summary | CrowdStrike Intelligence Monitoring Events |
crowdstrike_user_activity | CrowdStrike User Activity Audit Events |
crowdstrike_xdr_detection_summary | CrowdStrike XDR Detection Events |
crowdstrike_unknown | CrowdStrike Unidentified Event Types |
custom_eventlog_push | Custom App Events |
custom_rawlog | Custom Raw Events |
databricks_auditlog | Databricks Audit Events |
datadog_auditlog | Datadog Audit Events |
duo_admin | Duo Administrative Activity |
duo_auth | Duo Authentication Activity |
docusign_envelope_audit | DocuSign Audit Events |
docusign_monitor | DocuSign Monitor Alerts |
fastly_auditlog | Fastly Audit Events |
github_audit | GitHub Audit Events |
github_webhook | GitHub Webhook Events |
gitlab_audit_events | GitLab Audit Events |
gsuite_admin_log | Google Workspace Admin Events |
gsuite_alert_center_log | Google Workspace Alert Center Alerts |
gsuite_drive_log | Google Workspace Drive Events |
gsuite_login_log | Google Workspace Login Events |
gsuite_mobile_log | Google Workspace Mobile Events |
gsuite_token_log | Google Workspace Token Events |
hubspot_auditlog | HubSpot Audit Events |
imanage_auditlog | iManage Audit Events |
jamf_auditlog | Jamf Audit Events |
jira_eventlog | Jira Events |
jumpcloud_auditlog | JumpCloud Audit Events |
juniper_system_log | Juniper System Log Messages |
lucid_eventlog | Lucidchart Events |
miro_auditlog | Miro Events |
monday_auditlog | Monday Audit Events |
netsuite_login_log | NetSuite Login Events |
netsuite_perm_change_log | NetSuite Permission Change Events |
netsuite_role_log | NetSuite Role Events |
notion_auditlog | Notion Audit Events |
o365_audit_azure_active_directory | Microsoft 365 Azure Active Directory Audit Events |
o365_audit_exchange | Microsoft 365 Exchange Audit Events |
o365_audit_general | Microsoft 365 General Audit Events |
o365_audit_sharepoint | Microsoft 365 SharePoint Audit Events |
o365_dlp_all | Microsoft 365 DLP Events |
mongodb_atlas | MongoDB Atlas Events |
okta_syslog | Okta System Events |
onelogin_eventlog | OneLogin Events |
openblue_auditlog | OpenBlue Audit Events |
sapsf_sfapi_eventlog | SAP SuccessFactors API Events |
sapsf_odata_api_eventlog | SAP SuccessFactors OData Events |
ping_eventlog | Ping Identity |
sfdc_admin_setup_event_table | Salesforce Admin Setup Events |
sfdc_api_anomaly_event_store | Salesforce API Usage Anomalies Events |
sfdc_api_event_table | Salesforce Read-Only API Events |
sfdc_audit_trail | Salesforce Audit Events |
sfdc_batch_event_log | Salesforce Batch Events |
sfdc_bulk_api_result_event_store | Salesforce Bulk API Events |
sfdc_content_transfer_event_store | Salesforce Content Transfer Events |
sfdc_credential_stuffing_event_store | Salesforce Credential Stuffing Login Events |
sfdc_data_query | Salesforce Data Query Events |
sfdc_field_modification_history | Salesforce Field History Events |
sfdc_fsecure | Salesforce F-Secure Events |
sfdc_identity_verification_event_store | Salesforce User Identity Verification Events |
sfdc_idp_event_store | Salesforce Identity Provider Events |
sfdc_lightning_uri_event_table | Salesforce Lightning Experience User CRUD Events |
sfdc_list_view_event_table | Salesforce List View Events |
sfdc_login_as_event_table | Salesforce Admin Login As User Events |
sfdc_login_event_table | Salesforce User Login Events |
sfdc_logout_event_table | Salesforce User Logout Events |
sfdc_oauth_connection | Salesforce OAuth Connection Events |
sfdc_permission_event_store | Salesforce Permission Events |
sfdc_report_anomaly_event_store | Salesforce Report Anomaly Events |
sfdc_report_event_table | Salesforce Report Events |
sfdc_session_hijacking_event_store | Salesforce Session Hijacking Events |
sfdc_uri_event_table | Salesforce User Record CRUD Events |
sfmc_audit_event | Salesforce Marketing Cloud Audit Events |
sfmc_security_event | Salesforce Marketing Cloud Security Events |
slack_auditlog | Slack Audit Events |
smartsheet_auditlog | Smartsheet Audit Events |
sendgrid_auditlog | SendGrid Events |
snow_export_log | ServiceNow Export Events |
snow_mid_command_log | ServiceNow MID Server Command Events |
snow_sysaudit | ServiceNow System Audit Events |
snow_sysaudit_role | ServiceNow System Role Events |
snow_sysevent | ServiceNow System Events |
snow_syslog | ServiceNow Syslog Events |
snowflake_login_history | Snowflake Login Events |
snowflake_query_history | Snowflake Query History Events |
stripe_eventlog | Stripe Events |
tableau_activitylogs | Tableau Activity Events |
veevavault_login_audit_trail | VeevaVault Login Events |
veevavault_system_audit_trail | VeevaVault System Events |
veevavault_document_audit_trail | VeevaVault Document Events |
veevavault_object_audit_trail | VeevaVault Object Record Events |
versa_auditlog | Versa Audit Events |
webex_admin_audit | WebEx Admin Audit Events |
wiz_audit | Wiz Audit Events |
workday_auditlog_user_activity | Workday User Activity Events |
workday_activity_logging | Workday Activity Logging Events |
zendesk_auditlog | Zendesk Audit Events |
zoom_recordings | Zoom Recording Events |
zoom_webhook | Zoom Webhook Events |
appomni.event.enrichments
Required Field: False
Type: ARRAY
Example: ['ipinfo']
Detection Supported Field: True
List of third-party sources that contributed enrichment information to an event.
appomni.event.id
Required Field: True
Type: UUID
Example: 312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d
Detection Supported Field: False
Unique AppOmni-assigned ID of the event.
appomni.event.ingestion_time
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:34:18.429Z
Detection Supported Field: False
Timestamp when the event arrived in AppOmni's data store.
appomni.event.parent_id
Required Field: False
Type: UUID
Example: 733e5b47-d79b-40c1-bc8c-b19c22137785
Detection Supported Field: False
Unique ID of the parent event.
appomni.event.sortable_event_id
Required Field: False
Type: ULID
Example: 01GJ3CQYGGJ4GJP2WWBPRH07H8
Detection Supported Field: False
Unique sortable ID of the event assigned when it's collected.
appomni.event.sortable_ingest_id
Required Field: False
Type: ULID
Example: 01GJ3CQYGGJ4GJP2WWBPRH07H8
Detection Supported Field: False
Unique sortable ID of the event assigned when it arrives in AppOmni's data store.
appomni.organization.id
Required Field: True
Type: INTEGER
Example: 1
Detection Supported Field: False
ID of the AppOmni Tenant this event originated from.
appomni.service.account_id
Required Field: False
Type: STRING
Example: wehg385
Detection Supported Field: False
Unique platform-assigned ID of the connected monitored service.
appomni.service.id
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: False
Unique AppOmni-assigned ID of the connected monitored service.
appomni.service.name
Required Field: False
Type: STRING
Example: AppOmni QA
Detection Supported Field: False
The tenant owner-assigned name of the connected monitored service.
appomni.service.slug
Required Field: False
Type: STRING
Example: tenant__uniq_svc_name
Detection Supported Field: False
The identifier of the monitored service, either the platform shortname for out-of-the-box (OOTB) services or the unique identifier for custom monitored services.
appomni.service.type
Required Field: False
Type: STRING
Example: ao_qa
Detection Supported Field: False
The platform shortname of the monitored service.
Allowed Values
Name | Description |
---|---|
ao_qa | AppOmni QA |
appomni | AppOmni |
asana | Asana |
auth0 | Auth0 |
bitbucket | Bitbucket |
box | Box |
confluence | Confluence |
crowdstrike | CrowdStrike |
custom | Custom |
databricks | Databricks |
docusign | DocuSign |
duo | Duo |
fastly | Fastly |
github | GitHub |
gsuite | Google Workspace |
hubspot | HubSpot |
imanage | iManage |
jamf | Jamf |
jira | Jira |
jumpcloud | JumpCloud |
lucid | Lucidchart |
miro | Miro |
mongo | MongoDB |
monday | Monday |
multiple | Multiple (only used in Alerting) |
netsuite | NetSuite |
notion | Notion |
o365 | Microsoft 365 |
okta | Okta |
onelogin | OneLogin |
ping | Ping Identity |
sapsf | SAP SuccessFactors |
sfdc | Salesforce |
sfmc | Salesforce Marketing Cloud |
slack | Slack |
sendgrid | SendGrid |
smartsheet | Smartsheet |
snow | ServiceNow |
snowflake | Snowflake |
stripe | Stripe |
tableau | Tableau |
veevavault | VeevaVault |
webex | WebEx |
wiz | Wiz |
workday | Workday |
zendesk | Zendesk |
zoom | Zoom |
appomni.source.id
Required Field: False
Type: STRING
Example: 123e4567-e89b-12d3-a456-426614174000
Detection Supported Field: False
Unique AppOmni-assigned ID of the detection event source.
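The field reference above gives, for each appomni.* field, its type, whether it is required, whether a detection rule may reference it, and (for three fields) the set of allowed values. The following validator is an added example, not AppOmni's own code, and shows how a detection engineer can check an incoming event against that specification before trusting it in a rule. It assumes events arrive as flat dictionaries keyed by the dotted field names the reference uses (e.g. "appomni.event.id"); the channel set is copied in full, while the dataset and service-type sets are deliberately short subsets of the tables above. The UUID and ULID formats are checked with the standard 8-4-4-4-12 hex layout and 26-character Crockford base32 pattern respectively, and DATETIME values are parsed as ISO 8601 with a trailing Z, as in the reference's examples.

```python
"""Validate an event's appomni.* fieldset against the field reference above.
Added example, not AppOmni's own code. Assumes events are flat dicts keyed by the
dotted field names the reference uses, e.g. "appomni.event.id"."""
import re
from datetime import datetime

# name -> (type, required, detection-supported), copied from the reference.
FIELDS = {
    "appomni.alert.channel":            ("STRING",   False, False),
    "appomni.event.collected_time":     ("DATETIME", False, False),
    "appomni.event.dataset":            ("STRING",   True,  True),
    "appomni.event.enrichments":        ("ARRAY",    False, True),
    "appomni.event.id":                 ("UUID",     True,  False),
    "appomni.event.ingestion_time":     ("DATETIME", False, False),
    "appomni.event.parent_id":          ("UUID",     False, False),
    "appomni.event.sortable_event_id":  ("ULID",     False, False),
    "appomni.event.sortable_ingest_id": ("ULID",     False, False),
    "appomni.organization.id":          ("INTEGER",  True,  False),
    "appomni.service.account_id":       ("STRING",   False, False),
    "appomni.service.id":               ("INTEGER",  False, False),
    "appomni.service.name":             ("STRING",   False, False),
    "appomni.service.slug":             ("STRING",   False, False),
    "appomni.service.type":             ("STRING",   False, False),
    "appomni.source.id":                ("STRING",   False, False),
}

# Allowed values: channel set is complete; dataset and service-type sets are subsets (kept short).
ALLOWED = {
    "appomni.alert.channel": {"prod", "beta", "testing",
                              "ao_only_prod", "ao_only_beta", "ao_only_testing"},
    "appomni.event.dataset": {"appomni_qa", "appomni_alert", "okta_syslog", "github_audit",
                              "o365_audit_exchange", "sfdc_login_event_table", "slack_auditlog"},
    "appomni.service.type": {"ao_qa", "appomni", "okta", "github", "o365", "sfdc", "slack", "multiple"},
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# ULID: 26 Crockford base32 chars (no I, L, O, U); first char <= 7 so the value fits 128 bits.
ULID_RE = re.compile(r"^[0-7][0-9A-HJKMNP-TV-Z]{25}$")


def parse_datetime(value):
    """Parse the reference's DATETIME form (ISO 8601, trailing Z); None when invalid."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


CHECKS = {
    "STRING": lambda v: isinstance(v, str),
    # bool is a subclass of int in Python, so reject it explicitly
    "INTEGER": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "ARRAY": lambda v: isinstance(v, list) and all(isinstance(x, str) for x in v),
    "UUID": lambda v: isinstance(v, str) and UUID_RE.match(v) is not None,
    "ULID": lambda v: isinstance(v, str) and ULID_RE.match(v) is not None,
    "DATETIME": lambda v: parse_datetime(v) is not None,
}


def validate(event):
    """Return a list of problems; empty when the appomni.* fieldset is well-formed."""
    problems = []
    for name, (ftype, required, _) in FIELDS.items():
        if name not in event:
            if required:
                problems.append(f"{name}: required field missing")
            continue
        value = event[name]
        if not CHECKS[ftype](value):
            problems.append(f"{name}: expected {ftype}, got {value!r}")
        elif name in ALLOWED and value not in ALLOWED[name]:
            problems.append(f"{name}: {value!r} not in allowed values")
    for key in event:  # catch misspelled or undocumented appomni.* keys
        if key.startswith("appomni.") and key not in FIELDS:
            problems.append(f"{key}: not a documented appomni.* field")
    return problems


def detection_fields(event):
    """Keep only fields a detection rule may reference (Detection Supported Field: True)."""
    return {n: event[n] for n, (_, _, det) in FIELDS.items() if det and n in event}


# Constructed sample events; the valid one reuses the example values from the reference.
VALID_EVENT = {
    "appomni.alert.channel": "prod",
    "appomni.event.collected_time": "2022-11-17T06:33:55.589Z",
    "appomni.event.dataset": "appomni_qa",
    "appomni.event.enrichments": ["ipinfo"],
    "appomni.event.id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d",
    "appomni.event.sortable_event_id": "01GJ3CQYGGJ4GJP2WWBPRH07H8",
    "appomni.organization.id": 1,
    "appomni.service.type": "ao_qa",
}
BAD_EVENT = {
    "appomni.event.dataset": "not_a_dataset",
    "appomni.event.enrichments": "ipinfo",                             # string, not ARRAY
    "appomni.event.id": "312b0a2d-a7a3-4529-bd61-bf3c2e2ba11d",
    "appomni.event.sortable_event_id": "01GJ3CQYGGJ4GJP2WWBPRH07HI",  # 'I' is not Crockford base32
    "appomni.organization.id": "1",                                    # string, not INTEGER
}
```

Calling `validate(VALID_EVENT)` returns an empty list, while `validate(BAD_EVENT)` reports the unknown dataset, the non-array enrichments value, the malformed ULID and the string-typed organization ID. `detection_fields` is the filter to apply before handing an event to rule logic, since only appomni.event.dataset and appomni.event.enrichments are marked as detection-supported in this fieldset; to use the full allowed-value tables, extend the ALLOWED sets from the lists above.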