Salesforce Modeling Rule

Modeling Rule

Salesforce

Details

IDSalesforce_ModelingRule
From Version8.14.0
Tagssalesforce

Rules (XIF)

[RULE: salesforce_saas_audit_common_fields]
alter
    xdm.event.type = "saas audit",
    xdm.event.original_event_type = api_object_type,
    xdm.target.resource.type = api_object_type,
    xdm.source.cloud.project_id = salesforce_domain,
    xdm.source.user.identifier = UserId,
    xdm.observer.type = "SalesForce",
    xdm.observer.sub_type = "Real Time Event Monitoring",
    xdm.source.user.user_type = XDM_CONST.USER_TYPE_REGULAR,
    xdm.source.user.scope = XDM_CONST.SCOPE_TYPE_SAAS;

[RULE: salesforce_authentication_common_fields]
alter
    xdm.event.type = "authentication",
    xdm.event.tags = arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION),
    xdm.event.original_event_type = coalesce(LoginSubtype, api_object_type),
    xdm.source.port = to_integer(0),
    xdm.target.port = to_integer(0),
    xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
    xdm.auth.service = "SP",
    xdm.source.cloud.project_id = salesforce_domain,
    xdm.source.user.identifier = UserId,
    xdm.source.user.scope = XDM_CONST.SCOPE_TYPE_SAAS;

[MODEL: dataset="salesforce_realtime_raw"]
filter api_object_type ~= "ApiEvent|APIEvent" // ApiEvent
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))
| alter //XDM mapping
    xdm.event.id = EventIdentifier,
    xdm.logon.logon_guid = LoginKey,
    xdm.session_context_id = LoginKey,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_READ,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username, 1),
    xdm.source.user.identity_type = if(
        ConnectedAppId != null, XDM_CONST.IDENTITY_TYPE_APPLICATION,
        XDM_CONST.IDENTITY_TYPE_USER
    ),
    xdm.auth.privilege_level = if(ConnectedAppId != null, XDM_CONST.PRIVILEGE_LEVEL_USER),
    xdm.intermediate.identity.username = if(
        Application = "N/A", null,
        Application != "N/A" and Application != null, Application,
        ConnectedAppId != null, ConnectedAppId
        ),
    xdm.intermediate.identity.identifier = ConnectedAppId,
    xdm.intermediate.identity.identity_type = if(ConnectedAppId != null, XDM_CONST.IDENTITY_TYPE_APPLICATION),
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = Query,
    xdm.target.resource.name = Query,
    xdm.source.user_agent = UserAgent,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.cloud.service = if(Client = "Unknown", null, Client),
    xdm.source.host.os = if(Platform = "Unknown", null, Platform),
    xdm.network.rule = PolicyId,
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// BulkApiResultEvent
//////////////////////////////

filter api_object_type ~= "BulkApi"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username, 1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = Query,
    xdm.target.resource.name = Query,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_READ,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// FileEvent
//////////////////////////////

filter api_object_type ~= "FileEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("*Error*", "*Block*"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.operation_sub_type = coalesce(FileAction, PolicyOutcome),
    xdm.target.resource.id = FileName,
    xdm.target.resource.name = FileName,
    xdm.event.operation = if(
        FileAction IN("*API_DOWNLOAD*", "*PREVIEW*", "*UI_DOWNLOAD*"), XDM_CONST.OPERATION_TYPE_READ, XDM_CONST.OPERATION_TYPE_CREATE),
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.target.file.filename = FileName,
    xdm.target.file.size = to_number(ContentSize),
    xdm.target.file.file_type = FileType,
    xdm.target.file.extension = arrayindex(regextract(FileName, "\.(\w+)$"),0),
    xdm.network.session_id = SessionKey;

//////////////////////////////
// LightningUriEventStream
//////////////////////////////

filter api_object_type ~= "LightningUriEventStream"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username, 1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = PageUrl,
    xdm.target.resource.name = PageUrl,
    xdm.alert.source_url = PageUrl,
    xdm.event.operation =if(
        Operation = "Read", XDM_CONST.OPERATION_TYPE_READ,
        Operation = "Create", XDM_CONST.OPERATION_TYPE_CREATE,
        Operation = "Update", XDM_CONST.OPERATION_TYPE_UPDATE,
        Operation = "Delete", XDM_CONST.OPERATION_TYPE_DELETE,
        "OTHER"),
    xdm.event.operation_sub_type = Operation,
    xdm.source.user_agent = UserAgent,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.target.application.name = AppName,
    xdm.source.host.device_id = DeviceId,
    xdm.source.host.device_model = DeviceModel,
    xdm.network.session_id = coalesce(SessionKey, DeviceSessionId),
    xdm.event.duration = to_number(Duration),
    xdm.event.outcome_reason = EffectivePageTimeDeviationReason,
    xdm.source.host.os = OsName;

//////////////////////////////
// ReportEventStream
//////////////////////////////

filter api_object_type ~= "ReportEventStream"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = ReportId,
    xdm.target.resource.name = Name,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_READ,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.target.file.file_type = ExportFileFormat,
    xdm.event.operation_sub_type = Operation,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// ListViewEventStream
//////////////////////////////

filter api_object_type ~= "ListViewEventStream"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("*Error*", "*Block*", "*Failed*", "TwoFADenied", "TwoFAReportedDenied"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = PolicyOutcome,
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.target.resource.id = ListViewId,
    xdm.target.resource.name = Name,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_READ,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// UriEventStream
//////////////////////////////

filter api_object_type ~= "UriEventStream"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        OperationStatus CONTAINS "Failure", XDM_CONST.OUTCOME_FAILED,
        OperationStatus CONTAINS "Initiated",XDM_CONST.OUTCOME_PARTIAL,
        OperationStatus CONTAINS "Success",XDM_CONST.OUTCOME_SUCCESS,
        XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.outcome_reason = Message,
    xdm.target.resource.id = RecordId,
    xdm.target.resource.name = QueriedEntities,
    xdm.event.operation = if(
        Operation = "Read", XDM_CONST.OPERATION_TYPE_READ,
        Operation = "Create", XDM_CONST.OPERATION_TYPE_CREATE,
        Operation = "Update", XDM_CONST.OPERATION_TYPE_UPDATE,
        Operation = "Delete", XDM_CONST.OPERATION_TYPE_DELETE,
        "OTHER"),
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// PermissionSetEvent
//////////////////////////////

filter api_object_type ~= "PermissionSetEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("*Error*", "*Block*", "*Failed*", "*Denied*", "*EndSession*"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_SUCCESS),
    xdm.target.resource.id = to_string(PermissionList),
    xdm.target.resource.name = to_string(PermissionList),
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_UPDATE,
    xdm.event.operation_sub_type = Operation,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey,
    xdm.target.resource.parent_id = to_string(ParentIdList);

//////////////////////////////
// IdentityVerificationEvent
//////////////////////////////

filter api_object_type ~= "IdentityVerificationEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        Status IN("*Denied*", "Failed*"), XDM_CONST.OUTCOME_FAILED,
        Status IN("*Initiated*", "*InProgress*"), XDM_CONST.OUTCOME_PARTIAL,
        Status CONTAINS "Succeeded", XDM_CONST.OUTCOME_SUCCESS,
        XDM_CONST.OUTCOME_UNKNOWN
        ),
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = Username,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTHENTICATION,
    xdm.event.operation_sub_type = Activity,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.location.city = City,
    xdm.source.location.country = Country,
    xdm.source.location.latitude = to_float(Latitude),
    xdm.source.location.longitude = to_float(Longitude),
    xdm.network.session_id = SessionKey;

//////////////////////////////
// IdentityProviderEventStore
//////////////////////////////

filter api_object_type ~= "IdentityProviderEventStore"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_IdentityUsed = if(IdentityUsed != null, split(IdentityUsed, "@"))

| alter //XDM mapping
    xdm.event.id = EventIdentifier,
    xdm.session_context_id = AuthSessionId,
    xdm.source.user.upn = IdentityUsed,
    xdm.source.user.full_domain_name = arrayindex(get_IdentityUsed, 1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        ErrorCode = "Success", XDM_CONST.OUTCOME_SUCCESS,
        ErrorCode IN("*Denied", "*Block*", "*Unapproved*", "*Expired*", "*Error*", "*Invalid*", "*NoAccess*", "*NoCustomAttrValue*", "*NoCustomField*", "*NoSpokeId*", "*UnableToResolve*"),XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_UNKNOWN
    ),
    xdm.event.outcome_reason = ErrorCode,
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = UserId,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTHENTICATION,
    xdm.source.ipv4 = "",
    xdm.source.ipv6 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.event.operation_sub_type = InitiatedBy,
    xdm.target.application.bundle_id = AppId,
    xdm.target.url = SamlEntityUrl;

//////////////////////////////
// CredentialStuffingEvent
//////////////////////////////

filter api_object_type ~= "CredentialStuffingEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = Username,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN,
    xdm.source.user_agent = UserAgent,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.target.url = LoginUrl,
    xdm.network.rule = PolicyId,
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.network.session_id = SessionKey,
    xdm.event.description = Summary;

//////////////////////////////
// ApiAnomalyEvent
//////////////////////////////

filter api_object_type ~= "ApiAnomalyEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("Error", "ExemptNoAction", "MeteringBlock"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.outcome_reason = PolicyOutcome,
    xdm.target.resource.id = Uri,
    xdm.target.resource.name = Uri,
    xdm.event.operation = "OTHER",
    xdm.event.operation_sub_type = Operation,
    xdm.source.user_agent = UserAgent,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.session_id = SessionKey,
    xdm.event.description = Summary;

//////////////////////////////
// ReportAnomalyEvent
//////////////////////////////

filter api_object_type ~= "ReportAnomalyEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("Error", "ExemptNoAction", "MeteringBlock"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.outcome_reason = PolicyOutcome,
    xdm.target.resource.id = Report,
    xdm.target.resource.name = Report,
    xdm.event.operation = "OTHER",
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.event.description = Summary;

//////////////////////////////
// SessionHijackingEvent
//////////////////////////////

filter api_object_type ~= "SessionHijackingEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.source.host.os = CurrentPlatform,
    xdm.source.host.os_family = if(
        CurrentPlatform ~= "Windows", XDM_CONST.OS_FAMILY_WINDOWS,
        CurrentPlatform ~= "Mac\s*OS" , XDM_CONST.OS_FAMILY_MACOS,
        CurrentPlatform ~= "Android", XDM_CONST.OS_FAMILY_ANDROID,
        CurrentPlatform IN("*iPhone*", "*iPad*", "*iOS*"), XDM_CONST.OS_FAMILY_IOS,
        PreviousPlatform ~= "Linux", XDM_CONST.OS_FAMILY_LINUX),
    xdm.source.user_agent = CurrentUserAgent,
    xdm.intermediate.host.os = PreviousPlatform,
    xdm.intermediate.host.os_family = if(
        PreviousPlatform ~= "Windows", XDM_CONST.OS_FAMILY_WINDOWS,
        PreviousPlatform ~= "Mac\s*OS" , XDM_CONST.OS_FAMILY_MACOS,
        PreviousPlatform ~= "Android", XDM_CONST.OS_FAMILY_ANDROID,
        PreviousPlatform IN("*iPhone*", "*iPad*", "*iOS*"), XDM_CONST.OS_FAMILY_IOS,
        PreviousPlatform ~= "Linux", XDM_CONST.OS_FAMILY_LINUX),
    xdm.intermediate.user_agent = PreviousUserAgent,
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("Error", "ExemptNoAction", "MeteringBlock"), XDM_CONST.OUTCOME_FAILED,
        XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = PolicyOutcome,
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = Username,
    xdm.event.operation = "OTHER",
    xdm.source.ipv4 = if(is_ipv4(CurrentIp), CurrentIp, ""),
    xdm.source.ipv6 = if(is_ipv6(CurrentIp), CurrentIp, ""),
    xdm.intermediate.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.intermediate.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.intermediate.user.scope = XDM_CONST.SCOPE_TYPE_SAAS,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey,
    xdm.event.description = Summary;

//////////////////////////////
// MobileEmailEvent
//////////////////////////////

filter api_object_type ~= "MobileEmailEvent"
| call salesforce_saas_audit_common_fields
| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = EmailAddress,
    xdm.target.resource.name = EmailAddress,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUDIT,
    xdm.source.ipv4 = "",
    xdm.source.ipv6 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.bundle_id = AppPackageIdentifier,
    xdm.source.application.version = AppVersion,
    xdm.source.host.device_id = DeviceIdentifier,
    xdm.source.host.device_model = DeviceModel,
    xdm.email.recipients = if(
        EmailAddress != null and EmailAddress ~= "\,", split(EmailAddress, ","),
        EmailAddress != null, arraycreate(EmailAddress)),
    xdm.event.description = EventDescription,
    xdm.source.host.os = OsName;

//////////////////////////////
// MobileEnforcedPolicyEvent
//////////////////////////////

filter api_object_type ~= "MobileEnforcedPolicyEvent"
| call salesforce_saas_audit_common_fields
| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = DeviceIdentifier,
    xdm.target.resource.name = DeviceIdentifier,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUDIT,
    xdm.observer.action = EnforcedAction,
    xdm.event.log_level = if(
        EnforcedAction ~= "Warn", XDM_CONST.LOG_LEVEL_WARNING,
        EnforcedAction ~= "Critical Error", XDM_CONST.LOG_LEVEL_CRITICAL,
        EnforcedAction ~= "Error", XDM_CONST.LOG_LEVEL_ERROR),
    xdm.source.ipv4 = "",
    xdm.source.ipv6 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.bundle_id = AppPackageIdentifier,
    xdm.source.application.version = AppVersion,
    xdm.source.host.device_id = DeviceIdentifier,
    xdm.source.host.device_model = DeviceModel,
    xdm.event.description = EventDescription,
    xdm.source.host.os = OsName;

//////////////////////////////
// MobileTelephonyEvent
//////////////////////////////

filter api_object_type ~= "MobileTelephonyEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = DeviceIdentifier,
    xdm.target.resource.name = DeviceIdentifier,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUDIT,
    xdm.event.operation_sub_type = Operation,
    xdm.source.ipv4 = "",
    xdm.source.ipv6 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.bundle_id = AppPackageIdentifier,
    xdm.source.application.version = AppVersion,
    xdm.source.host.device_id = DeviceIdentifier,
    xdm.source.host.device_model = DeviceModel,
    xdm.event.description = EventDescription,
    xdm.source.host.os = OsName;

//////////////////////////////
// MobileScreenshotEvent
//////////////////////////////

filter api_object_type ~= "MobileScreenshotEvent"
| call salesforce_saas_audit_common_fields
| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = DeviceIdentifier,
    xdm.target.resource.name = DeviceIdentifier,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUDIT,
    xdm.source.ipv4 = "",
    xdm.source.ipv6 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.bundle_id = AppPackageIdentifier,
    xdm.source.application.version = AppVersion,
    xdm.source.host.device_id = DeviceIdentifier,
    xdm.source.host.device_model = DeviceModel,
    xdm.event.description = EventDescription,
    xdm.source.host.os = OsName,
    xdm.target.resource.value = ScreenDescription;

//////////////////////////////
// LogoutEventStream
//////////////////////////////

filter api_object_type ~= "LogoutEventStream"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = Username,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUDIT,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// GuestUserAnomalyEvent
//////////////////////////////

filter api_object_type ~= "GuestUserAnomalyEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("*Error*", "*Block*", "*NoAction*"), XDM_CONST.OUTCOME_FAILED,
        PolicyOutcome = "Notified", XDM_CONST.OUTCOME_SUCCESS,
        XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.event.outcome_reason = Summary,
    xdm.event.description = Summary,
    xdm.target.resource.id = SoqlCommands,
    xdm.target.resource.name = SoqlCommands,
    xdm.event.operation = "OTHER",
    xdm.source.user_agent = UserAgent,
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// LoginAnomalyEvent
//////////////////////////////

filter api_object_type ~= "LoginAnomalyEvent"
| call salesforce_saas_audit_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,
    xdm.event.outcome = if(
        PolicyOutcome IN("*Error*", "*Block*", "*NoAction*"), XDM_CONST.OUTCOME_FAILED,
        PolicyOutcome = "Notified", XDM_CONST.OUTCOME_SUCCESS,
        XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.operation_sub_type = PolicyOutcome,
    xdm.event.outcome_reason = Summary,
    xdm.event.description = Summary,
    xdm.target.resource.id = UserId,
    xdm.target.resource.name = Username,
    xdm.event.operation = "OTHER",
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp, ""),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp, ""),
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.network.rule = PolicyId,
    xdm.network.session_id = SessionKey;

//////////////////////////////
// LoginEvent
//////////////////////////////

filter api_object_type ~= "LoginEvent"
| call salesforce_authentication_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.username = arrayindex(get_Username, 0),
    xdm.source.user.full_domain_name = arrayindex(get_Username,1),
    xdm.source.host.os = Platform,
    xdm.source.host.os_family = if(
        Platform ~= "Windows", XDM_CONST.OS_FAMILY_WINDOWS,
        Platform ~= "Mac\s*OS" , XDM_CONST.OS_FAMILY_MACOS,
        Platform ~= "Android", XDM_CONST.OS_FAMILY_ANDROID,
        Platform IN("*iPhone*", "*iPad*", "*iOS*"), XDM_CONST.OS_FAMILY_IOS,
        Platform ~= "Linux", XDM_CONST.OS_FAMILY_LINUX),
    xdm.source.host.device_category = if(
        Platform ~= "Unknown", null,
        Platform IN("*Windows*", "*Mac*"), "Computer",
        Platform IN("*Android*", "*iOS*"), "Mobile",
        Platform ~= "iPad", "Tablet",
        "Computer"),
    xdm.event.outcome = if(
        Status = "Success", XDM_CONST.OUTCOME_SUCCESS,
        XDM_CONST.OUTCOME_FAILED),
    xdm.event.outcome_reason = if(
        Status IN("*Failed: Computer activation required*", "*Failed: API security token required*", "*Failed: Mobile License Required*"), "auth_login_restrictions",
        Status CONTAINS "Invalid Password", "bad_credentials",
        Status CONTAINS "Failed: Token request is already being processed", "failed_login",
        Status CONTAINS "Password Lockout", "account_locked",
        Status IN("*User is Inactive*", "*User Is Frozen*"), "account_expired_or_disabled",
        "OTHER"),
    xdm.source.user_agent = concat(Platform," ",Browser),
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN,
    xdm.source.ipv4 = if(
        is_ipv4(ForwardedForIp), ForwardedForIp,
        is_ipv4(SourceIp), SourceIp),
    xdm.source.ipv6 = if(
        is_ipv6(ForwardedForIp), ForwardedForIp,
        is_ipv6(SourceIp), SourceIp),
    xdm.intermediate.ipv4 = if(ForwardedForIp != null AND is_ipv4(SourceIp), SourceIp),
    xdm.intermediate.ipv6 = if(ForwardedForIp != null AND is_ipv6(SourceIp), SourceIp),
    xdm.target.ipv4 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.name = Browser,
    xdm.source.application.version = arrayindex(regextract(Browser, "\d+"),0),
    xdm.network.http.browser = Browser,
    xdm.source.location.city = City,
    xdm.source.location.country = Country,
    xdm.source.location.latitude = to_float(LoginLatitude),
    xdm.source.location.longitude = to_float(LoginLongitude),
    xdm.source.location.region = Subdivision,
    xdm.target.url = LoginUrl,
    xdm.target.resource.id = LoginUrl,
    xdm.target.resource.name = if(LoginUrl != null, "Salesforce"),
    xdm.network.session_id = SessionKey,
    xdm.event.description = LoginType,
    xdm.logon.type = if(
        LoginType IN("Application", "ChatterCommunityPortalUnPwd","AppExchange","ChatterCommunityThirdPartySso", "EmployeeLoginToCommunity", "HelpAndTraining", "IeOfflineClient", "LightningLogin", "PasswordlessLogin", "Portal", "PortalThirdPartySso", "PrmPortalThirdPartySso", "PrmPortal", "saml", "SamlChatterNetworks", "SamlCspPortal", "SamlPrmPortal", "SamlSite", "Saml2", "SelfService"),XDM_CONST.LOGON_TYPE_INTERACTIVE,
        LoginType IN("NetworksPortalApiOnly", "Oauth*", "OtherApi","Partner", "Remote Access*"), XDM_CONST.LOGON_TYPE_SERVICE),
    xdm.event.operation_sub_type = if(
        LoginType IN("ChatterCommunityPortalUnPwd" ,"EmployeeLoginToCommunity", "HelpAndTraining", "IeOfflineClient", "Portal", "PrmPortal", "SelfService"), "password",
        LoginType IN("AppExchange", "LightningLogin"), "application",
        LoginType IN("ChatterCommunityThirdPartySso", "PortalThirdPartySso", "PrmPortalThirdPartySso", "saml","SamlChatterNetworks", "SamlCspPortal", "SamlPrmPortal", "SamlSite","Saml2"), "Generic SSO"),
    xdm.source.user.user_type = if(
        LoginType CONTAINS "Remote Access", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,
        XDM_CONST.USER_TYPE_REGULAR),
    xdm.auth.privilege_level = if(
        UserType ~= "Guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST,
        UserType ~= "SelfService", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM,
        XDM_CONST.PRIVILEGE_LEVEL_USER
    );

//////////////////////////////
// LoginAsEvent
//////////////////////////////

filter api_object_type ~= "LoginAsEvent"
| call salesforce_authentication_common_fields
// Extract Username parts for identity normalization
| alter
    get_Username = if(Username != null, split(Username, "@"))

| alter //XDM mapping
    xdm.event.id = coalesce(EventIdentifier, EventUuid),
    xdm.session_context_id = LoginKey,
    xdm.logon.logon_guid = LoginKey,
    xdm.source.user.upn = Username,
    xdm.source.user.username = arrayindex(get_Username, 0),
    xdm.source.user.full_domain_name = arrayindex(get_Username, 1),
    xdm.auth.privilege_level = if(
        UserType ~= "Guest", XDM_CONST.PRIVILEGE_LEVEL_GUEST,
        UserType ~= "SelfService", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM,
        XDM_CONST.PRIVILEGE_LEVEL_USER),
    xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS,
    xdm.target.user.upn = DelegatedUsername,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN,
    xdm.event.outcome_reason = "OTHER",
    xdm.source.user_agent = concat(Platform," ",Browser),
    xdm.source.ipv4 = if(is_ipv4(SourceIp), SourceIp),
    xdm.source.ipv6 = if(is_ipv6(SourceIp), SourceIp),
    xdm.target.ipv4 = "",
    xdm.source.user.identity_type = XDM_CONST.IDENTITY_TYPE_USER,
    xdm.source.application.name = Browser,
    xdm.source.application.version = arrayindex(regextract(Browser, "\d+"),0),
    xdm.source.host.os = Platform,
    xdm.source.host.os_family = if(
        Platform ~= "Windows", XDM_CONST.OS_FAMILY_WINDOWS,
        Platform ~= "Mac\s*OS" , XDM_CONST.OS_FAMILY_MACOS,
        Platform ~= "Android", XDM_CONST.OS_FAMILY_ANDROID,
        Platform IN("*iPhone*", "*iPad*", "*iOS*"), XDM_CONST.OS_FAMILY_IOS,
        Platform ~= "Linux", XDM_CONST.OS_FAMILY_LINUX),
    xdm.source.host.device_category = if(
        Platform ~= "Unknown", null,
        Platform IN("*Windows*", "*Mac*"), "Computer",
        Platform IN("*Android*", "*iOS*"), "Mobile",
        Platform ~= "iPad", "Tablet",
        "Computer"),
    xdm.network.session_id = SessionKey,
    xdm.target.url = TargetUrl,
    xdm.target.resource.id = TargetUrl,
    xdm.target.resource.name = if(TargetUrl != null, "Salesforce"),
    xdm.event.description = LoginType,
    xdm.logon.type = if(
        LoginType IN("Application", "ChatterCommunityPortalUnPwd","AppExchange","ChatterCommunityThirdPartySso", "EmployeeLoginToCommunity", "HelpAndTraining", "IeOfflineClient", "LightningLogin", "PasswordlessLogin", "Portal", "PortalThirdPartySso", "PrmPortalThirdPartySso", "PrmPortal", "saml", "SamlChatterNetworks", "SamlCspPortal", "SamlPrmPortal", "SamlSite", "Saml2", "SelfService"),XDM_CONST.LOGON_TYPE_INTERACTIVE,
        LoginType IN("NetworksPortalApiOnly", "Oauth*", "OtherApi","Partner", "Remote Access*"), XDM_CONST.LOGON_TYPE_SERVICE),
    xdm.event.operation_sub_type = if(
        LoginType IN("ChatterCommunityPortalUnPwd" ,"EmployeeLoginToCommunity", "HelpAndTraining", "IeOfflineClient", "Portal", "PrmPortal", "SelfService"), "password",
        LoginType IN("AppExchange", "LightningLogin"), "application",
        LoginType IN("ChatterCommunityThirdPartySso", "PortalThirdPartySso", "PrmPortalThirdPartySso", "saml","SamlChatterNetworks", "SamlCspPortal", "SamlPrmPortal", "SamlSite","Saml2"), "Generic SSO"),
    xdm.source.user.user_type = if(
        LoginType CONTAINS "Remote Access", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,
        XDM_CONST.USER_TYPE_REGULAR);

Schema

salesforce_realtime_raw

Field Type Array?
Activity string
AppId string
AppName string
AppPackageIdentifier string
AppVersion string
Application string
AuthSessionId string
Browser string
City string
Client string
ConnectedAppId string
ContentSize int
Country string
CurrentIp string
CurrentPlatform string
CurrentUserAgent string
DelegatedUsername string
DeviceId string
DeviceIdentifier string
DeviceModel string
DeviceSessionId string
Duration float
EffectivePageTimeDeviationReason string
EmailAddress string
EnforcedAction string
ErrorCode string
EventDate datetime
EventDescription string
EventIdentifier string
EventUuid string
ExportFileFormat string
FileAction string
FileName string
FileType string
ForwardedForIp string
IdentityUsed string
InitiatedBy string
Latitude float
ListViewId string
LoginKey string
LoginLatitude string
LoginLongitude string
LoginSubtype string
LoginType string
LoginUrl string
Longitude float
Message string
Name string
Operation string
OperationStatus string
OsName string
PageUrl string
ParentIdList string
PermissionList string
Platform string
PolicyId string
PolicyOutcome string
PreviousPlatform string
PreviousUserAgent string
QueriedEntities string
Query string
RecordId string
Report string
ReportId string
SamlEntityUrl string
ScreenDescription string
SessionKey string
SoqlCommands string
SourceIp string
Status string
Subdivision string
Summary string
TargetUrl string
Uri string
UserAgent string
UserId string
UserType string
Username string
api_object_type string
salesforce_domain string
Raw JSON
{

    "salesforce_realtime_raw": {
        "api_object_type": {
            "type": "string",
            "is_array": false
        },
        "salesforce_domain": {
            "type": "string",
            "is_array": false
        },
        "UserId": {
            "type": "string",
            "is_array": false
        },
        "Username": {
            "type": "string",
            "is_array": false
        },
        "EventIdentifier": {
            "type": "string",
            "is_array": false
        },
        "LoginKey": {
            "type": "string",
            "is_array": false
        },
        "ConnectedAppId": {
            "type": "string",
            "is_array": false
        },
        "Application": {
            "type": "string",
            "is_array": false
        },
        "Query": {
            "type": "string",
            "is_array": false
        },
        "UserAgent": {
            "type": "string",
            "is_array": false
        },
        "SourceIp": {
            "type": "string",
            "is_array": false
        },
        "Client": {
            "type": "string",
            "is_array": false
        },
        "Platform": {
            "type": "string",
            "is_array": false
        },
        "PolicyId": {
            "type": "string",
            "is_array": false
        },
        "PolicyOutcome": {
            "type": "string",
            "is_array": false
        },
        "SessionKey": {
            "type": "string",
            "is_array": false
        },
        "EventUuid": {
            "type": "string",
            "is_array": false
        },
        "UserType": {
            "type": "string",
            "is_array": false
        },
        "DelegatedUsername": {
            "type": "string",
            "is_array": false
        },
        "Browser": {
            "type": "string",
            "is_array": false
        },
        "TargetUrl": {
            "type": "string",
            "is_array": false
        },
        "FileAction": {
            "type": "string",
            "is_array": false
        },
        "FileName": {
            "type": "string",
            "is_array": false
        },
        "ContentSize": {
            "type": "int",
            "is_array": false
        },
        "FileType": {
            "type": "string",
            "is_array": false
        },
        "PageUrl": {
            "type": "string",
            "is_array": false
        },
        "Operation": {
            "type": "string",
            "is_array": false
        },
        "AppName": {
            "type": "string",
            "is_array": false
        },
        "DeviceId": {
            "type": "string",
            "is_array": false
        },
        "DeviceModel": {
            "type": "string",
            "is_array": false
        },
        "DeviceSessionId": {
            "type": "string",
            "is_array": false
        },
        "Duration": {
            "type": "float",
            "is_array": false
        },
        "EffectivePageTimeDeviationReason": {
            "type": "string",
            "is_array": false
        },
        "OsName": {
            "type": "string",
            "is_array": false
        },
        "ReportId": {
            "type": "string",
            "is_array": false
        },
        "Name": {
            "type": "string",
            "is_array": false
        },
        "ExportFileFormat": {
            "type": "string",
            "is_array": false
        },
        "Status": {
            "type": "string",
            "is_array": false
        },
        "ListViewId": {
            "type": "string",
            "is_array": false
        },
        "OperationStatus": {
            "type": "string",
            "is_array": false
        },
        "Message": {
            "type": "string",
            "is_array": false
        },
        "RecordId": {
            "type": "string",
            "is_array": false
        },
        "QueriedEntities": {
            "type": "string",
            "is_array": false
        },
        "PermissionList": {
            "type": "string",
            "is_array": false
        },
        "ParentIdList": {
            "type": "string",
            "is_array": false
        },
        "Activity": {
            "type": "string",
            "is_array": false
        },
        "City": {
            "type": "string",
            "is_array": false
        },
        "Country": {
            "type": "string",
            "is_array": false
        },
        "Latitude": {
            "type": "float",
            "is_array": false
        },
        "Longitude": {
            "type": "float",
            "is_array": false
        },
        "IdentityUsed": {
            "type": "string",
            "is_array": false
        },
        "AuthSessionId": {
            "type": "string",
            "is_array": false
        },
        "ErrorCode": {
            "type": "string",
            "is_array": false
        },
        "InitiatedBy": {
            "type": "string",
            "is_array": false
        },
        "AppId": {
            "type": "string",
            "is_array": false
        },
        "SamlEntityUrl": {
            "type": "string",
            "is_array": false
        },
        "LoginUrl": {
            "type": "string",
            "is_array": false
        },
        "Summary": {
            "type": "string",
            "is_array": false
        },
        "Uri": {
            "type": "string",
            "is_array": false
        },
        "Report": {
            "type": "string",
            "is_array": false
        },
        "EmailAddress": {
            "type": "string",
            "is_array": false
        },
        "AppPackageIdentifier": {
            "type": "string",
            "is_array": false
        },
        "AppVersion": {
            "type": "string",
            "is_array": false
        },
        "DeviceIdentifier": {
            "type": "string",
            "is_array": false
        },
        "EventDescription": {
            "type": "string",
            "is_array": false
        },
        "EnforcedAction": {
            "type": "string",
            "is_array": false
        },
        "ScreenDescription": {
            "type": "string",
            "is_array": false
        },
        "SoqlCommands": {
            "type": "string",
            "is_array": false
        },
        "ForwardedForIp": {
            "type": "string",
            "is_array": false
        },
        "LoginLatitude": {
            "type": "string",
            "is_array": false
        },
        "LoginLongitude": {
            "type": "string",
            "is_array": false
        },
        "EventDate": {
            "type": "datetime",
            "is_array": false
        },
        "PreviousPlatform":{
            "type": "string",
            "is_array": false
        },
        "CurrentPlatform":{
            "type": "string",
            "is_array": false
        },
        "PreviousUserAgent":{
            "type": "string",
            "is_array": false
        },
        "CurrentUserAgent":{
            "type": "string",
            "is_array": false
        },
        "CurrentIp":{
            "type": "string",
            "is_array": false
        },
        "Subdivision":{
            "type": "string",
            "is_array": false
        },
        "LoginType":{
            "type": "string",
            "is_array": false
        },
        "LoginSubtype": {
            "type": "string",
            "is_array": false
        }
    }
}