Rules (XIF)
//Rule for mapping event type "Authentication" of Silverfort Admin Console
[RULE: silverfort_admin_console_authentication_fields]
alter
src_user = arrayindex(regextract(suser,"(\S+)\@"),0), //suser comes sometimes as UPN
coordinates = if(cs11 != "n/a", split(cs11, ",")), //The coordinates comes as <latitude>,<longitude>
outcome_reason = arrayindex(regextract(cs2, "\((.+)\)"), 0), //The format of 'cs2' is 'Denied (Bad Password)', we're extracting the outcome reason.
risks = if(cs7 != "n/a", replace(cs7, "_", " ")) //Comes with underscore instead of space delimiter
| alter
latitude = if(cs11 != "n/a", to_float(arrayindex(coordinates, 0))),
longitude = if(cs11 != "n/a", to_float(arrayindex(coordinates, 1)))
//Mapping to XDM fields
| alter
xdm.source.user.username = coalesce(src_user,suser),
xdm.source.user.upn = if(src_user != null, suser, concat(suser, "@", sntdom)), //In some cases suser comes as UPN, and in others as username, the UPN can then be derived as suser@sntdom.
xdm.source.user.domain = sntdom,
xdm.source.host.hostname = if(shost = "n/a", null, shost),
xdm.source.ipv4 = if(is_ipv4(src) = TRUE, src),
xdm.source.ipv6 = if(is_ipv6(src) = TRUE, src),
xdm.target.host.hostname = if(is_ipv4(dhost) = FALSE AND is_ipv6(dhost) = FALSE, dhost), //dhost sometimes represents IP address and sometimes hostname.
xdm.target.resource.name = if(destinationServiceName != "", destinationServiceName, dhost),
xdm.target.ipv4 = if(is_ipv4(dhost) = TRUE, dhost),
xdm.target.ipv6 = if(is_ipv6(dhost) = TRUE, dhost),
xdm.target.domain = if(dntdom != "", dntdom),
xdm.event.description = if(msg != "", msg),
xdm.alert.severity = cs1,
xdm.event.outcome = if(cs2 contains "Allowed", XDM_CONST.OUTCOME_SUCCESS, cs2 contains "Denied", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_UNKNOWN),
xdm.observer.action = if(cs3 != "n/a",cs3),
xdm.alert.risks = split(risks ,","),
xdm.network.rule = if(cs8 != "n/a", replace(cs8, "_", " ")),
xdm.auth.auth_method = app,
xdm.source.location.country = if(cs9 != "n/a", cs9),
xdm.source.location.city = if(cs10 != "n/a", cs10),
xdm.source.location.latitude = latitude,
xdm.source.location.longitude = longitude,
xdm.event.type = "authentication",
xdm.event.original_event_type = cefdeviceeventclassid,
xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN, //MFA is a different cefdeviceeventclassid "MFA", we currently don't support this event class.
xdm.event.tags = arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION);
//For authentication story - should be only for SSO events.
[RULE: silverfort_admin_console_authentication_story_fields]
alter
xdm.source.port = to_integer(0),
xdm.source.user.user_type = if(suser ~= "\$$" OR suser ~= "^(http|host|cifs|krbtgt|mssql|nfs)\/" OR suser ~= "\/",XDM_CONST.USER_TYPE_MACHINE_ACCOUNT, XDM_CONST.USER_TYPE_REGULAR),
xdm.target.port = to_integer(0),
xdm.logon.type = XDM_CONST.LOGON_TYPE_INTERACTIVE,
xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
xdm.auth.service = "IDP",
xdm.event.outcome_reason = if(
outcome_reason IN("*Bad password*", "*Bad username*", "*Bad credentials*", "*Expired password*"), "bad_credentials",
outcome_reason IN("*Account disabled, expired or locked out*", "*Account disabled*"), "account_expired_or_disabled",
outcome_reason IN("*Locked account*"), "account_locked",
outcome_reason IN("*Expired ticket*", "*The client trust failed or is not implemented*", "*The ticket and authenticator do not match*", "*Bad server*", "*cannot accommodate requested option*", "*Clock skew is too great*", "*TGT has been revoked*", "*KDC has no support for PADATA type*", "*Requested start time is later than end time*"), "failed_login",
outcome_reason IN("*Outside authorized hours*", "*Unauthorized workstation*", "Denied (Conditional access applied*", "*Changing password is required*"), "auth_policy_access_violation",
"NOT_SPECIFIED");
[MODEL: dataset = silverfort_admin_console_raw]
filter cefdeviceeventclassid = "Authentication" AND app ~= "SSO|SAML|OIDC"
| call silverfort_admin_console_authentication_fields
| call silverfort_admin_console_authentication_story_fields;
filter cefdeviceeventclassid = "Authentication" AND app NOT IN("*SSO*","*SAML*", "*OIDC*")
| call silverfort_admin_console_authentication_fields
| alter
xdm.event.outcome_reason = if(cs5 != "n/a", cs5, outcome_reason);
Schema
silverfort_admin_console_raw
| Field |
Type |
Array? |
app |
string |
— |
cefdeviceeventclassid |
string |
— |
cefseverity |
string |
— |
cs1 |
string |
— |
cs10 |
string |
— |
cs11 |
string |
— |
cs2 |
string |
— |
cs3 |
string |
— |
cs5 |
string |
— |
cs7 |
string |
— |
cs8 |
string |
— |
cs9 |
string |
— |
destinationservicename |
string |
— |
dhost |
string |
— |
dntdom |
string |
— |
msg |
string |
— |
rt |
datetime |
— |
shost |
string |
— |
sntdom |
string |
— |
src |
string |
— |
suser |
string |
— |
Raw JSON
{
"silverfort_admin_console_raw": {
"rt": {
"type": "datetime",
"is_array": false
},
"cefdeviceeventclassid": {
"type": "string",
"is_array": false
},
"cefseverity": {
"type": "string",
"is_array": false
},
"msg": {
"type": "string",
"is_array": false
},
"app": {
"type": "string",
"is_array": false
},
"suser": {
"type": "string",
"is_array": false
},
"sntdom": {
"type": "string",
"is_array": false
},
"shost": {
"type": "string",
"is_array": false
},
"src": {
"type": "string",
"is_array": false
},
"cs1": {
"type": "string",
"is_array": false
},
"cs2": {
"type": "string",
"is_array": false
},
"cs3": {
"type": "string",
"is_array": false
},
"cs5": {
"type": "string",
"is_array": false
},
"cs7": {
"type": "string",
"is_array": false
},
"cs8": {
"type": "string",
"is_array": false
},
"cs9": {
"type": "string",
"is_array": false
},
"cs10": {
"type": "string",
"is_array": false
},
"cs11": {
"type": "string",
"is_array": false
},
"destinationservicename": {
"type": "string",
"is_array": false
},
"dhost": {
"type": "string",
"is_array": false
},
"dntdom": {
"type": "string",
"is_array": false
}
}
}