Rules (XIF)
[MODEL: dataset = "keeper_security_raw"]
alter
xdm.event.type = audit_event_type,
xdm.event.id = to_string(id),
xdm.source.ipv4 = if(ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", ip_address, null),
xdm.source.ipv6 = if(ip_address ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", ip_address, null),
xdm.source.user.username = username,
xdm.source.user.ou = to_string(node_id),
xdm.intermediate.user.username = from_username,
xdm.target.user.username = if(lowercase(audit_event_type) in ("delete_pending_user", "auto_invite_user", "delete_user", "send_invitation"), email, coalesce(to_username, recipient)),
xdm.target.user.upn = email,
xdm.observer.type = arrayindex(regextract(keeper_version, "([^\d]+)\s\d"), 0),
xdm.observer.version = arrayindex(regextract(keeper_version, "\s([\d\.]+)"), 0),
xdm.target.file.file_type = file_format,
xdm.target.file.directory = folder_uid,
xdm.target.file.filename = attachment_id,
xdm.source.host.device_model = device_name,
xdm.target.resource.id = coalesce(record_uid, node, role_id, team_uid, shared_folder_uid, plan, secret_uid, gateway_uid),
xdm.target.resource.value = value,
xdm.target.resource.type = enforcement,
xdm.target.resource.name = coalesce(email_domain, report_name, name),
xdm.event.outcome = if(lowercase(result_code) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(result_code) contains "succ", XDM_CONST.OUTCOME_SUCCESS, null),
xdm.event.outcome_reason = result_code,
xdm.network.application_protocol = protocol;
Schema
keeper_security_raw
| Field |
Type |
Array? |
attachment_id |
string |
— |
audit_event_type |
string |
— |
device_name |
string |
— |
email |
string |
— |
email_domain |
string |
— |
enforcement |
string |
— |
file_format |
string |
— |
folder_uid |
string |
— |
from_username |
string |
— |
gateway_uid |
string |
— |
id |
int |
— |
ip_address |
string |
— |
keeper_version |
string |
— |
name |
string |
— |
node |
string |
— |
node_id |
int |
— |
plan |
string |
— |
protocol |
string |
— |
recipient |
string |
— |
record_uid |
string |
— |
report_name |
string |
— |
result_code |
string |
— |
role_id |
string |
— |
secret_uid |
string |
— |
shared_folder_uid |
string |
— |
team_uid |
string |
— |
to_username |
string |
— |
username |
string |
— |
value |
string |
— |
Raw JSON
{
"keeper_security_raw": {
"audit_event_type": {
"type": "string",
"is_array": false
},
"id": {
"type": "int",
"is_array": false
},
"ip_address": {
"type": "string",
"is_array": false
},
"username": {
"type": "string",
"is_array": false
},
"node_id": {
"type": "int",
"is_array": false
},
"from_username": {
"type": "string",
"is_array": false
},
"email": {
"type": "string",
"is_array": false
},
"to_username": {
"type": "string",
"is_array": false
},
"recipient": {
"type": "string",
"is_array": false
},
"keeper_version": {
"type": "string",
"is_array": false
},
"file_format": {
"type": "string",
"is_array": false
},
"folder_uid": {
"type": "string",
"is_array": false
},
"attachment_id": {
"type": "string",
"is_array": false
},
"device_name": {
"type": "string",
"is_array": false
},
"record_uid": {
"type": "string",
"is_array": false
},
"node": {
"type": "string",
"is_array": false
},
"role_id": {
"type": "string",
"is_array": false
},
"team_uid": {
"type": "string",
"is_array": false
},
"shared_folder_uid": {
"type": "string",
"is_array": false
},
"plan": {
"type": "string",
"is_array": false
},
"gateway_uid": {
"type": "string",
"is_array": false
},
"value": {
"type": "string",
"is_array": false
},
"enforcement": {
"type": "string",
"is_array": false
},
"email_domain": {
"type": "string",
"is_array": false
},
"secret_uid": {
"type": "string",
"is_array": false
},
"report_name": {
"type": "string",
"is_array": false
},
"name": {
"type": "string",
"is_array": false
},
"result_code": {
"type": "string",
"is_array": false
},
"protocol": {
"type": "string",
"is_array": false
}
}
}