Event
Top Level Fieldset: True
The event fields are used for context information about the log itself. A log is defined as an event containing details of something that happened.
Event Fields
event.action
Required Field: False
Type: STRING
Example: login_user
Detection Supported Field: True
The action captured by the event.
Allowed Values
Name | Description |
---|---|
accept_invite | Accept an invitation |
accept_message | Accept a message |
accept_session | Accept a session |
accept_tos | Accept Terms of Service |
access_app | Access an application |
access_webhook | Access a webhook |
add_app | Add an application |
add_device | Add a device |
add_domain | Add a domain |
add_key | Add an encryption or x509 private key, or similar (Not used to refer to API keys) |
add_label | Add a label or tag |
add_mfa | Add a new MFA factor for a user such as a phone number, authenticator app, or hardware token |
add_permission | Add a permission |
add_policy | Add a policy |
add_resource | Add a resource |
add_role | Add a role |
add_rule | Add a rule |
add_team | Add a team |
add_user | Add a user |
add_workflow | Add a workflow |
alert_api | Notable API event |
alert_device | Notable device event |
alert_event | Notable event |
alert_mfa | User bypasses, attempts to bypass, or circumvents MFA in some way |
alert_policy | Notable policy event |
alert_resource | Notable resource event |
alert_rule | Notable rule event |
alert_user | Notable user event |
allow_issue | Allow an issue |
approve_access | Approve access to a service or resource |
approve_app | Approve an application |
approve_resource | Approve a resource |
approve_request | Approve a request |
approve_token | Approve a token or API key |
approve_user | Approve a user |
approve_workflow | Approve a workflow |
archive_key | Archive an encryption or x509 private key, or similar (Not used to refer to API keys) |
archive_resource | Archive a resource |
archive_rule | Archive a rule |
archive_user | Archive a user |
assign_issue | Assign an issue |
authenticate_app | Application authentication |
authenticate_user | User authentication |
await_resource | Await resource |
block_session | Block a session |
block_user | Block a user |
canary | Canary event |
cancel_review | Cancel a review |
cancel_sponsorship | Cancel a sponsorship |
cancel_workflow | Cancel a workflow |
change_mfa | Change an MFA factor (Use add_mfa and remove_mfa if separate events are available) |
close_issue | Close an issue |
close_project | Close a project |
close_request | Close or cancel a request |
close_review | Close a review |
complete_task | Complete a task |
complete_workflow | Complete a workflow |
connect_app | Connect an application |
connect_user | Connect a user (Used when a user joins a space.) |
copy_key | Copy an encryption or x509 private key, or similar (Not used to refer to API keys) |
copy_resource | Copy a resource |
create_account | Create an account (Used to refer to a business unit account; for a user account, use create_user) |
create_advisory | Create a security advisory |
create_api | Create or register an API |
create_app | Create or register an application |
create_branch | Create a Git branch |
create_code | Create code, commits, or releases |
create_comment | Create a comment |
create_csr | Create a Certificate Signing Request |
create_deployment | Create a deployment |
create_event | Create an event |
create_exception | Create an exception |
create_fork | Create a fork |
create_group | Create a group |
create_index | Create a table index |
create_issue | Create an issue |
create_key | Create an encryption or x509 private key, or similar (Not used to refer to API keys) |
create_label | Create a label or tag |
create_metadata | Create metadata |
create_mfa | Create an MFA token or code |
create_organization | Create an organization |
create_package | Create a package |
create_password | Create a password or PIN |
create_permission | Create a permission |
create_policy | Create a policy |
create_project | Create a project |
create_request | Create a request |
create_resource | Create a resource |
create_role | Create a role |
create_rule | Create a rule |
create_setting | Create a setting |
create_share | Create a shared resource such as a drive or folder |
create_sponsorship | Create a sponsorship |
create_task | Create a task |
create_team | Create a team |
create_token | Create a token or API key |
create_user | Create a user |
create_webhook | Create a webhook |
create_workflow | Create a workflow |
delete_account | Delete an account (Used to refer to a business unit account; for a user account, use delete_user) |
delete_advisory | Delete a security advisory |
delete_alert | Delete an alert |
delete_app | Delete an application |
delete_branch | Delete a Git branch |
delete_certificate | Delete a certificate |
delete_code | Delete code, commits, or releases |
delete_comment | Delete a comment |
delete_exception | Delete an exception |
delete_group | Delete a group |
delete_index | Delete a table index |
delete_issue | Delete an issue |
delete_key | Delete an encryption or x509 private key, or similar (Not used to refer to API keys) |
delete_label | Delete a label or tag |
delete_metadata | Delete metadata |
delete_organization | Delete an organization |
delete_package | Delete a package |
delete_permission | Delete a permission |
delete_policy | Delete a policy |
delete_project | Delete a project |
delete_request | Delete a request |
delete_resource | Delete a resource |
delete_role | Delete a role |
delete_rule | Delete a rule |
delete_setting | Delete a setting |
delete_task | Delete a task |
delete_team | Delete a team |
delete_token | Delete a token or API key |
delete_user | Delete a user |
delete_webhook | Delete a webhook |
delete_workflow | Delete a workflow |
demote_role | Demote the role of a user or group |
deny_access | Deny access to a service or resource |
deny_invite | Deny or reject an invitation |
deny_request | Deny or reject a request |
disable_account | Disable an account (Used to refer to a business unit account; for a user account, use disable_user) |
disable_app | Disable or deactivate an application |
disable_device | Disable or deactivate a device |
disable_license | Disable or deactivate a license |
disable_mfa | Disable or un-enforce MFA for an entire org |
disable_permission | Disable or un-enforce a permission |
disable_policy | Disable or un-enforce a policy |
disable_resource | Disable a resource |
disable_rule | Disable a rule |
disable_setting | Disable a setting |
disable_user | Disable or deactivate a user |
disable_webhook | Disable or deactivate a webhook |
disable_workflow | Disable a workflow |
disconnect_app | Disconnect an application |
disconnect_user | Disconnect a user (Used when a user leaves a space.) |
dismiss_advisory | Dismiss a security advisory |
download_resource | Download a resource |
download_token | Download or export a token or API key |
elevate_permission | Elevate the permission of a user or group |
elevate_role | Elevate the role of a user or group |
enable_account | Enable an account (Used to refer to a business unit account; for a user account, use enable_user) |
enable_api | Enable an API |
enable_app | Enable or activate an application |
enable_device | Enable or activate a device |
enable_license | Enable or activate a license |
enable_mfa | Enable or enforce MFA for an entire org |
enable_permission | Enable or enforce a permission |
enable_policy | Enable or enforce a policy |
enable_resource | Enable a resource |
enable_rule | Enable a rule |
enable_setting | Enable a setting |
enable_user | Enable or activate a user |
enable_webhook | Enable or activate a webhook |
enable_workflow | Enable a workflow |
end_resource | End, stop or terminate a resource |
end_session | End a session |
end_task | End a task |
enroll_certificate | Enroll or add a certificate |
enroll_mfa | Turn on MFA for a user |
evaluate_policy | Evaluate a policy |
evaluate_token | Evaluate a token or API key |
execute_app | Execute or launch an application |
execute_command | Execute a command |
execute_policy | Execute a policy |
execute_request | Execute a request |
execute_resource | Execute a resource |
execute_rule | Execute a rule |
execute_task | Execute a task (Use start_task and end_task if separate events are available) |
execute_workflow | Execute a workflow |
expire_exception | Expire an exception |
expire_invite | Force an invitation to expire |
expire_mfa | Expire an MFA request |
expire_password | Force a password to expire |
expire_request | Force a request to expire |
expire_session | Force a session to expire |
expire_token | Force a token to expire |
favorite_resource | Favorite or star a resource |
follow_resource | Follow or subscribe to a resource |
get_token | Get a token or API key |
ignore_issue | Ignore an issue |
impersonate_user | Impersonate a user |
import_account | Import an account (Used to refer to a business unit account; for a user account, use import_user) |
import_group | Import a group |
import_resource | Import a resource |
import_user | Import a user |
install_app | Install an application |
invite_user | Invite a user |
issue_certificate | Issue a certificate |
lock_account | Lock an account (Used to refer to a business unit account; for a user account, use lock_user) |
lock_issue | Lock an issue |
lock_resource | Lock a resource |
lock_user | Lock a user |
login_user | User login |
logout_user | User logout |
mitigate_advisory | Mitigate a security advisory |
move_issue | Move an issue |
move_resource | Move a resource |
notify_issue | An issue notification is sent |
notify_mfa | An MFA factor is sent to the user via SMS, email, phone call, etc. (This event action should be used only when a separate event exists that captures the success/failure of the second factor) |
notify_workflow | A workflow notification is sent |
open_issue | Open an issue |
open_project | Open a project |
pin_issue | Pin an issue |
preview_resource | Preview a resource (If no distinction is made between "preview" and "view", use read_resource) |
print_resource | Print resource to a printer |
privatize_resource | Make a resource private |
publicize_resource | Make a resource public |
publish_code | Publish code, commits, or releases |
publish_csr | Publish a Certificate Signing Request |
publish_resource | Publish a resource (Use privatize_resource or publicize_resource if private/public status is known) |
push_commit | Push a code commit to version control |
query_api | Query an API |
query_resource | Query a resource |
read_account | Read an account (Used to refer to a business unit account; for a user account, use read_user) |
read_audit | Read an audit log or file |
read_config | Read a configuration file |
read_device | Read a device |
read_group | Read a group |
read_label | Read a label or tag |
read_metadata | Read resource metadata |
read_password | Read or show a password |
read_permission | Read a permission |
read_policy | Read a policy |
read_resource | Read or open a resource |
read_role | Read a role |
read_rule | Read a rule |
read_schema | Read a schema |
read_setting | Read a setting |
read_share | Read a shared resource such as a drive or folder |
read_task | Read a task |
read_user | Read a user |
reject_tos | Reject Terms of Service |
remove_app | Remove an application |
remove_device | Remove a device |
remove_domain | Remove a domain |
remove_group | Remove a group or multiple users |
remove_label | Remove a label or tag |
remove_license | Remove a license |
remove_mfa | Remove, reset, or suspend MFA factor(s) for a user |
remove_permission | Remove a permission |
remove_policy | Remove a policy |
remove_resource | Remove a resource |
remove_role | Remove a role |
remove_rule | Remove a rule |
remove_team | Remove a team |
remove_user | Remove a user from a group or resource |
request_access | Request access to a service or resource |
request_advisory | Request a security advisory |
request_authorization | Request authorization |
request_review | Request a review |
request_task | Request to execute a task |
request_token | Request a token or API key |
reset_password | Reset a password (Refers to a user requesting a password reset; use update_password if the password is updated) |
restore_resource | Restore or recover a resource |
revoke_access | Revoke access to a service or resource |
revoke_api | Revoke an API |
revoke_app | Revoke an application |
revoke_certificate | Revoke a certificate |
revoke_csr | Revoke a Certificate Signing Request |
revoke_token | Revoke a token or API key |
revoke_user | Revoke a user |
send_healthcheck | Send a healthcheck |
send_heartbeart | Send a heartbeat event |
share_resource | Share a resource |
share_screen | Share or cast screen |
start_resource | Start or launch a resource |
start_session | Start a session |
start_task | Start a task |
submit_review | Submit a review |
suspend_app | Suspend an application |
synchronize_account | Synchronize an account (Used to refer to a business unit account; for a user account, use synchronize_user) |
synchronize_device | Synchronize a device |
synchronize_group | Synchronize a group |
synchronize_resource | Synchronize a resource |
synchronize_task | Synchronize a task |
synchronize_user | Synchronize a user |
transfer_owner | Transfer ownership |
unarchive_resource | Unarchive a resource |
unassign_issue | Unassign an issue |
unblock_user | Unblock a user |
unenroll_mfa | Turn off MFA for a user |
unfavorite_resource | Unfavorite or unstar a resource |
unfollow_resource | Unfollow or unsubscribe to a resource |
uninstall_app | Uninstall an application |
unknown | Event action is unknown |
unlock_account | Unlock an account (Used to refer to a business unit account; for a user account, use unlock_user) |
unpublish_code | Unpublish code, commits, or releases |
unlock_issue | Unlock an issue |
unlock_resource | Unlock a resource |
unlock_token | Unlock or enable a token or API key |
unlock_user | Unlock a user |
unpin_issue | Unpin an issue |
unshare_resource | Unshare a resource |
unsuspend_app | Unsuspend an application |
update_access | Update access to a service or resource |
update_account | Update an account (Used to refer to a business unit account; for a user account, use update_user) |
update_advisory | Update a security advisory |
update_alert | Update an alert |
update_api | Update an API |
update_app | Update an application |
update_authentication | Update authentication method or setting |
update_certificate | Update a certificate |
update_code | Update code, commits, or releases |
update_comment | Update a comment |
update_device | Update a device |
update_group | Update a group |
update_index | Update a table index |
update_issue | Update an issue |
update_key | Update an encryption or x509 private key, or similar (Not used to refer to API keys) |
update_label | Update a label or tag |
update_metadata | Update metadata |
update_mailbox | Update a mailbox |
update_organization | Update an organization-wide setting or value |
update_package | Update a package |
update_password | Update a password or PIN |
update_permission | Update a permission |
update_policy | Update a policy |
update_project | Update a project |
update_resource | Update a resource |
update_request | Update a request |
update_review | Update a review |
update_role | Update a role |
update_rule | Update a rule |
update_session | Update a session |
update_setting | Update a setting |
update_share | Update a shared resource such as a drive or folder |
update_sponsorship | Update a sponsorship |
update_status | Update a status |
update_task | Update a task |
update_team | Update a team |
update_token | Update a token or API key |
update_user | Update user information (Use update_password if the event refers to a password) |
update_webhook | Update a webhook |
update_workflow | Update a workflow |
upgrade_app | Upgrade an application |
upload_resource | Upload a resource |
upload_token | Upload a token or API key |
verify_device | Verify or authorize a device |
verify_group | Verify or authorize a group |
verify_mfa | Enter or acknowledge an MFA factor (event.outcome should be utilized to indicate success or failure) |
verify_resource | Verify a resource |
verify_user | Verify or authorize a user |
verify_webhook | Verify or authorize a webhook |
event.category
Required Field: False
Type: ARRAY
Example: ['authentication']
Detection Supported Field: True
Indicates the high-level categorization of an event.
Allowed Values
Name | Description |
---|---|
authentication | Represents an event related to an identity verification process, such as a user providing a password to log in. |
configuration | Represents an event related to the creation, modification, or deletion of an application or system setting. |
file | Represents an event related to a CRUD operation on a file. |
malware | Represents an event related to a detection of malware. |
event.code
Required Field: False
Type: STRING
Example: 8080
Detection Supported Field: True
Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time.
event.created
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event was reported as created in the monitored service.
event.dataset
Required Field: False
Type: STRING
Example: appomni_qa
Detection Supported Field: True
The dataset of the event as presented by the SaaS platform. This is distinct from AppOmni datasets, which reside under appomni.event.dataset.
event.duration
Required Field: False
Type: INTEGER
Example: 60
Detection Supported Field: True
Duration of the event. If event.start and event.end are known, this value should be the difference between the end and start time.
event.end
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event ended or when the activity was last observed.
event.id
Required Field: False
Type: STRING
Example: f837df
Detection Supported Field: True
Unique ID to describe the event.
event.ingested
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event arrived in AppOmni's data store.
event.kind
Required Field: False
Type: STRING
Example: event
Detection Supported Field: False
event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event.
Allowed Values
Name | Description |
---|---|
alert | Represents a notification about one or more related events; typically indicative of suspected malicious activity and generated via a detection rule. |
event | Represents any observable occurrence in a system. |
synthetic | Represents an AppOmni generated observation made during the analysis of a system. |
finding | Represents an AppOmni discovered policy/posture issue or insight. |
event.module
Required Field: False
Type: STRING
Example: core
Detection Supported Field: True
Module of the event. This is usually a specific product or plugin of the monitored service.
event.original
Required Field: False
Type: STRING
Example: {"some_key": "some value"}
Detection Supported Field: False
The raw event in its original form.
event.outcome
Required Field: False
Type: STRING
Example: success
Detection Supported Field: True
The outcome describes whether an event action succeeded or failed.
Allowed Values
Name | Description |
---|---|
success | Indicates the result of the event succeeded. |
failure | Indicates the result of the event failed. |
unknown | Indicates the result of the event is unknown. |
event.provider
Required Field: False
Type: STRING
Example: AppOmni Core
Detection Supported Field: True
Source of the event. This may be the API endpoint or operating system that generated the event.
event.reason
Required Field: False
Type: STRING
Example: Incorrect password
Detection Supported Field: True
Reason this event happened, according to the source.
event.reference
Required Field: False
Type: STRING
Example: https://example.com/event/user_logged_in
Detection Supported Field: False
URL to reference information about this event.
event.risk_score
Required Field: False
Type: FLOAT
Example: 85.63
Detection Supported Field: True
Risk score of the event, as provided by the original source.
event.risk_score_norm
Required Field: False
Type: FLOAT
Example: 85.63
Detection Supported Field: True
Normalized risk score of the event, on a scale of 0 to 100.
event.sequence
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: True
Sequence number of the event. Sequence numbering is used to ensure the order of events is known, regardless of the timestamp.
event.severity
Required Field: False
Type: INTEGER
Example: 1
Detection Supported Field: True
The numeric severity of the event according to the source.
event.start
Required Field: False
Type: DATETIME
Example: 2022-11-17T06:30:10.442Z
Detection Supported Field: False
Date/time when the event started or when the activity was first observed.
event.type
Required Field: False
Type: ARRAY
Example: ['access']
Detection Supported Field: True
Indicates the type of event. This is a subcategory of event.category.
Allowed Values
Name | Description |
---|---|
access | Represents that a resource or item was accessed. |
admin | Represents an admin operation. |
change | Represents that a resource or item was changed. |
end | Represents that an event has ended. |
info | Represents that an event is informational. |
start | Represents that an event has started. |
creation | Represents that a resource or item was created. |
deletion | Represents that a resource or item was deleted. |
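The following is an added example, not AppOmni code, showing how a detection pipeline could check incoming records against the rules stated on this page: the allowed-value tables for event.category, event.kind, event.outcome and event.type, the event.duration rule (end minus start when both are known), the verify_mfa note that event.outcome must indicate success or failure, and the 0 to 100 scale of event.risk_score_norm. It assumes duration is expressed in seconds (the page gives only the type INTEGER and the example 60), that timestamps use the RFC 3339 form shown in the examples, and that the vendor's own risk-score maximum is known to the caller. The sample events are constructed.

```python
from datetime import datetime

# Allowed values copied from the tables on this page
CATEGORY_VALUES = {"authentication", "configuration", "file", "malware"}
KIND_VALUES = {"alert", "event", "synthetic", "finding"}
OUTCOME_VALUES = {"success", "failure", "unknown"}
TYPE_VALUES = {"access", "admin", "change", "end", "info", "start", "creation", "deletion"}


def parse_timestamp(value):
    """Parse the RFC 3339 form used in the page's examples (trailing 'Z' for UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_risk_score(score, source_max):
    """event.risk_score_norm: rescale a source score onto 0..100.

    source_max is the top of the vendor's own scale; the schema does not define it,
    so it is an assumption supplied by the caller.
    """
    if source_max <= 0:
        raise ValueError("source_max must be positive")
    return max(0.0, min(100.0, round(score / source_max * 100, 2)))


def validate_event(ev):
    """Return a list of rule violations for one event dict; empty means it conforms.

    Keys are the event.* field names without the 'event.' prefix.
    """
    problems = []

    # event.kind and event.outcome are single STRING fields with an allowed list
    if "kind" in ev and ev["kind"] not in KIND_VALUES:
        problems.append(f"event.kind {ev['kind']!r} not in allowed values")
    if "outcome" in ev and ev["outcome"] not in OUTCOME_VALUES:
        problems.append(f"event.outcome {ev['outcome']!r} not in allowed values")

    # event.category and event.type are ARRAY fields; every element must be allowed
    for field, allowed in (("category", CATEGORY_VALUES), ("type", TYPE_VALUES)):
        values = ev.get(field, [])
        if not isinstance(values, list):
            problems.append(f"event.{field} must be an array")
            continue
        for v in values:
            if v not in allowed:
                problems.append(f"event.{field} {v!r} not in allowed values")

    # event.duration should equal end - start when both are known (assumed unit: seconds)
    if "start" in ev and "end" in ev:
        delta = parse_timestamp(ev["end"]) - parse_timestamp(ev["start"])
        expected = int(delta.total_seconds())
        if expected < 0:
            problems.append("event.end precedes event.start")
        elif ev.get("duration") is not None and ev["duration"] != expected:
            problems.append(f"event.duration {ev['duration']} != end - start ({expected})")

    # verify_mfa must carry a definite outcome, per the event.action table
    if ev.get("action") == "verify_mfa" and ev.get("outcome") not in ("success", "failure"):
        problems.append("verify_mfa requires event.outcome of success or failure")

    # event.risk_score_norm is defined on a 0..100 scale
    norm = ev.get("risk_score_norm")
    if norm is not None and not 0 <= norm <= 100:
        problems.append(f"event.risk_score_norm {norm} outside 0..100")

    return problems


# Constructed sample events (not real AppOmni records)
GOOD_EVENT = {
    "action": "login_user",
    "category": ["authentication"],
    "kind": "event",
    "outcome": "success",
    "type": ["start"],
    "start": "2022-11-17T06:30:10.442Z",
    "end": "2022-11-17T06:31:10.442Z",
    "duration": 60,
    "risk_score_norm": 85.63,
}

BAD_EVENT = {
    "action": "verify_mfa",
    "category": ["auth"],               # not an allowed category
    "kind": "event",
    "outcome": "unknown",               # verify_mfa needs success or failure
    "type": ["login"],                  # not an allowed type
    "start": "2022-11-17T06:31:10.442Z",
    "end": "2022-11-17T06:30:10.442Z",  # ends before it starts
    "duration": 5,
    "risk_score_norm": 120,             # outside the normalized scale
}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, validate_event(ev) or "conforms")
```

Rejecting or quarantining records that fail these checks before they reach detection rules keeps a rule such as `event.action == "verify_mfa" and event.outcome == "failure"` from silently missing events whose outcome was left as unknown or whose category was spelled with a vendor-specific alias.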
event.url
Required Field: False
Type: STRING
Example: https://example.com/alert/1234
Detection Supported Field: False
URL to an external source to continue investigation of this event.