Authentication
Top Level Fieldset: True
This field set contains information about authentication related to an event.
Authentication Fields
authentication.method
Required Field: False
Type: STRING
Example: password
Detection Supported Field: True
Normalized method of authentication.
Allowed Values
Name | Description |
---|---|
access_token | Token-based authentication. Examples: OAuth, JWT |
backup_code | Backup code. |
biometric | Biometric verification. Examples: fingerprint, facial ID |
email | Email verification code or link. |
hardware_authenticator | Hardware authenticator. Examples: YubiKey, hard token |
password | Password. |
passwordless | Passwordless authentication. Example: WebAuthn |
phone_call | Verification code sent via phone call. |
sms | Verification code sent via SMS. |
sso | Single Sign-On (SSO) via a federated identity or external IdP. Examples: SAML, OpenID Connect, WS-Federation |
software_authenticator | Software-based authenticator that generates a time-based code or a push notification. Examples: Okta Verify, Duo Push |
gesture | Gesture, such as tracing a pre-defined pattern on a touchscreen-enabled device. |
hardware_token | Hardware token, which is typically a dedicated authentication device. |
software_token | Software token, which is typically a credential file stored on a device. |
authentication.provider
Required Field: False
Type: STRING
Example: Okta
Detection Supported Field: True
Authentication provider.
authentication.raw_method
Required Field: False
Type: STRING
Example: Sha1HashedPassword
Detection Supported Field: True
Method of authentication as provided by the monitored service.