SafeNetTrustedAccess Modeling Rule

Modeling Rule

Thales SafeNet Trusted Access

Details

IDsafenet_trusted_access_modeling_rule
From Version6.8.0
To Version6.9.9
Tagssafenet

Rules (XIF)

[MODEL: dataset="safenet_trusted_access_raw", model="Audit"]
filter json_extract_scalar(details, "$.type") in ("AUDIT")
| alter
    XDM.Audit.original_event_id = id,
    XDM.Audit.event_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", timeStamp),
    XDM.Audit.TriggeredBy.ipv4 = json_extract_scalar(context, "$.originatingAddress"),
    XDM.Audit.TriggeredBy.identity.name = json_extract_scalar(context, "$.principalId"),
    XDM.Audit.original_event_type = json_extract_scalar(details, "$.type"),
    XDM.Audit.original_event_description = json_extract_scalar(details, "$.description"),
    XDM.Audit.operation_type = json_extract_scalar(details, "$.operationType"),
    XDM.Audit.audited_resource.type = json_extract_scalar(details, "$.operationObjectType"),
    XDM.Audit.audited_resource.name = json_extract_scalar(details, "$.operationObjectName");


[MODEL: dataset="safenet_trusted_access_raw", model="Auth"]
filter json_extract_scalar(details, "$.type") in ("AUTHENTICATION", "ACCESS_REQUEST")
| alter
    XDM.Auth.original_event_id = id,
    XDM.Auth.event_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", timeStamp),
    XDM.Auth.session_context_id = json_extract_scalar(context, "$.sessionId"),
    XDM.Auth.application_protocol = coalesce(json_extract_scalar(context, "$.applicationType"), json_extract_scalar(details, "$.credentialType")),
    XDM.Auth.Client.application.name = json_extract_scalar(context, "$.applicationName"),
    XDM.Auth.original_event_type = json_extract_scalar(details, "$.type"),
    XDM.Auth.outcome = coalesce(json_extract_scalar(details, "$.state"), json_extract_scalar(details, "$.resultText")),
    XDM.Auth.reason = json_extract_scalar(details, "$.reason"),
    XDM.Auth.original_event_sub_type = json_extract_scalar(details, "$.actionText"),
    XDM.Auth.Observer.unique_identifier = json_extract_scalar(details, "$.agentId"),
    XDM.Auth.original_event_description = json_extract_scalar(details, "$.message"),
    XDM.Auth.Client.user.username = json_extract_scalar(details, "$.usedName");

Schema

safenet_trusted_access_raw

Field Type Array?
context string
details string
id string
timeStamp string
Raw JSON
{
  "safenet_trusted_access_raw": {
    "id": {
      "type": "string",
      "is_array": false
    },
    "timeStamp": {
      "type": "string",
      "is_array": false
    },
    "context": {
      "type": "string",
      "is_array": false
    },
    "details": {
      "type": "string",
      "is_array": false
    }
  }
}