3002 - Authentication

OCSF Reference

CIM Data Models: Authentication

OCSF Version: 1.0.0

| CIM Field | Mapping |
| --- | --- |
| app | metadata.product.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| authentication_method | coalesce(auth_protocol, auth_protocol_id) |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_nt_domain | dst_endpoint.domain |
| duration | duration / 1000 |
| reason | status_detail |
| response_time | duration / 1000 |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_nt_domain | src_endpoint.domain |
| user | user.name |
| user_id | user.uid |
| user_type | case('user.type_id'==0, "unknown", 'user.type_id'==1, "regular", 'user.type_id'==2, "admin", 'user.type_id'==3, "system", true(), "other") |

OCSF Version: 1.1.0

| CIM Field | Mapping |
| --- | --- |
| app | metadata.product.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| authentication_method | coalesce(auth_protocol, auth_protocol_id) |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_nt_domain | dst_endpoint.domain |
| duration | duration / 1000 |
| reason | status_detail |
| response_time | duration / 1000 |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_nt_domain | src_endpoint.domain |
| user | user.name |
| user_id | user.uid |
| user_type | case('user.type_id'==0, "unknown", 'user.type_id'==1, "regular", 'user.type_id'==2, "admin", 'user.type_id'==3, "system", true(), "other") |

OCSF Version: 1.2.0

| CIM Field | Mapping |
| --- | --- |
| app | metadata.product.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| authentication_method | coalesce(auth_protocol, auth_protocol_id) |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_nt_domain | dst_endpoint.domain |
| duration | duration / 1000 |
| reason | status_detail |
| response_time | duration / 1000 |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_nt_domain | src_endpoint.domain |
| user | user.name |
| user_id | user.uid |
| user_type | case('user.type_id'==0, "unknown", 'user.type_id'==1, "regular", 'user.type_id'==2, "admin", 'user.type_id'==3, "system", true(), "other") |

OCSF Version: 1.0.0*

| CIM Field | Mapping |
| --- | --- |
| app | metadata.product.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| authentication_method | coalesce(auth_protocol, auth_protocol_id) |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_nt_domain | dst_endpoint.domain |
| duration | duration / 1000 |
| reason | status_detail |
| response_time | duration / 1000 |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_nt_domain | src_endpoint.domain |
| user | user.name |
| user_id | user.uid |
| user_type | case('user.type_id'==0, "unknown", 'user.type_id'==1, "regular", 'user.type_id'==2, "admin", 'user.type_id'==3, "system", true(), "other") |