6003 - API Activity¶

CIM Data Models: All_Changes

OCSF Version: 1.0.0¶

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "read", activity_id==3, "updated", activity_id==4, "deleted", activity_id==99, "other", 1==1, "other")`
change_type	`api`
command	`actor.process.cmd_line`
dest	`coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name')`
dvc	`metadata.log_provider`
object	`resources{}.name`
object_id	`resources{}.uid`
object_category	`resources{}.type`
result	`coalesce('status_detail', 'status', 'status_id')`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
status	`case(status_id==1, "success", status_id==2, "failure", status_id==99, "other", 1==1, "unknown")`
user	`actor.user.uid`
user_agent	`http_request.user_agent`
user_name	`actor.user.uid`
user_type	`coalesce('actor.user.type',case('actor.user.type_id'==1,"User",'actor.user.type_id'==2,"Admin",'actor.user.type_id'==3,"System",'actor.user.type_id'==99,"Other", 1==1, "Unknown"))`
vendor_account	`cloud.account.uid`
vendor_product	`metadata.product.name`
vendor_region	`cloud.account.region`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "read", activity_id==3, "updated", activity_id==4, "deleted", activity_id==99, "other", 1==1, "other")`
change_type	`api`
command	`actor.process.cmd_line`
dest	`coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name')`
dvc	`metadata.log_provider`
object	`resources{}.name`
object_id	`resources{}.uid`
object_category	`resources{}.type`
result	`coalesce('status_detail', 'status', 'status_id')`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
status	`case(status_id==1, "success", status_id==2, "failure", status_id==99, "other", 1==1, "unknown")`
user	`actor.user.uid`
user_agent	`http_request.user_agent`
user_name	`actor.user.uid`
user_type	`coalesce('actor.user.type',case('actor.user.type_id'==1,"User",'actor.user.type_id'==2,"Admin",'actor.user.type_id'==3,"System",'actor.user.type_id'==99,"Other", 1==1, "Unknown"))`
vendor_account	`cloud.account.uid`
vendor_product	`metadata.product.name`
vendor_region	`cloud.account.region`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "read", activity_id==3, "updated", activity_id==4, "deleted", activity_id==99, "other", 1==1, "other")`
change_type	`api`
command	`actor.process.cmd_line`
dest	`coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name')`
dvc	`metadata.log_provider`
object	`resources{}.name`
object_id	`resources{}.uid`
object_category	`resources{}.type`
result	`coalesce('status_detail', 'status', 'status_id')`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
status	`case(status_id==1, "success", status_id==2, "failure", status_id==99, "other", 1==1, "unknown")`
user	`actor.user.uid`
user_agent	`http_request.user_agent`
user_name	`actor.user.uid`
user_type	`coalesce('actor.user.type',case('actor.user.type_id'==1,"User",'actor.user.type_id'==2,"Admin",'actor.user.type_id'==3,"System",'actor.user.type_id'==99,"Other", 1==1, "Unknown"))`
vendor_account	`cloud.account.uid`
vendor_product	`metadata.product.name`
vendor_region	`cloud.account.region`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "read", activity_id==3, "updated", activity_id==4, "deleted", activity_id==99, "other", 1==1, "other")`
change_type	`api`
command	`actor.process.cmd_line`
dest	`coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name')`
dvc	`metadata.log_provider`
object	`resources{}.name`
object_id	`resources{}.uid`
object_category	`resources{}.type`
result	`coalesce('status_detail', 'status', 'status_id')`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
status	`case(status_id==1, "success", status_id==2, "failure", status_id==99, "other", 1==1, "unknown")`
user	`actor.user.uid`
user_agent	`http_request.user_agent`
user_name	`actor.user.uid`
user_type	`coalesce('actor.user.type',case('actor.user.type_id'==1,"User",'actor.user.type_id'==2,"Admin",'actor.user.type_id'==3,"System",'actor.user.type_id'==99,"Other", 1==1, "Unknown"))`
vendor_account	`cloud.account.uid`
vendor_product	`metadata.product.name`
vendor_region	`cloud.account.region`