3003 - Authorization
OCSF Reference
CIM Data Models: Authentication
OCSF Version: 1.0.0
| CIM Field | Mapping |
| --- | --- |
| user | user.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
OCSF Version: 1.1.0
| CIM Field | Mapping |
| --- | --- |
| user | user.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
OCSF Version: 1.2.0
| CIM Field | Mapping |
| --- | --- |
| user | user.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
OCSF Version: 1.0.0*
| CIM Field | Mapping |
| --- | --- |
| user | user.name |
| action | case(status_id==1, "success", status_id==2, "failure", status_id==0, "unknown", true(), "other") |
| signature | type_name |
| signature_id | type_uid |
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |