{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "type" : "object",
  "properties" : {
    "timestamp" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The timestamp when the event originally occurred"
    },
    "source_asset" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Name of the source asset, if available"
    },
    "destination_asset" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Name of the destination asset, if available"
    },
    "source_asset_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The asset this authentication attempt came from, as either a hostname or an IP address",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      }, {
        "format" : "hostname"
      } ]
    },
    "destination_asset_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The asset this authentication attempt was made to, as either a hostname or an IP address",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      }, {
        "format" : "hostname"
      } ]
    },
    "source_local_account" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Source local account name, if available"
    },
    "source_user" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Source username, if available"
    },
    "source_account" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Source account name"
    },
    "source_domain" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "Source user domain name, if available"
    },
    "source_account_sid" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Source account security ID (SID). Always null"
    },
    "destination_local_account" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Destination local account name, if available"
    },
    "destination_user" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Destination username, if available"
    },
    "destination_account" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Destination account name, if available"
    },
    "destination_domain" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "Destination user domain name, if available"
    },
    "destination_account_sid" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The security ID (SID) of the destination_user.\n(not destination_account; the user's SID is applied to all of its accounts)"
    },
    "logon_type" : {
      "type" : "string",
      "enum" : [ "INTERACTIVE", "NETWORK", "UNLOCK", "REMOTE", "CACHED", "BATCH", "SERVICE" ],
      "x-isAttributed" : false,
      "description" : "Type of logon attempt"
    },
    "result" : {
      "type" : "string",
      "enum" : [ "SUCCESS", "FAILED_BAD_LOGIN", "FAILED_BAD_PASSWORD", "FAILED_ACCOUNT_LOCKED", "FAILED_ACCOUNT_DISABLED", "FAILED_OTHER" ],
      "x-isAttributed" : false,
      "description" : "Result of the authentication attempt"
    },
    "new_authentication" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Indicates if this is the first known time the account has authenticated to this asset",
      "pattern" : "true|false"
    },
    "new_source_authentication" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Indicates whether this is the first known time the source asset has authenticated to the destination asset",
      "pattern" : "true|false"
    },
    "new_source_for_account" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Indicates if this is the first time the user has authenticated from the source asset",
      "pattern" : "true|false"
    },
    "windows_event_code" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Event code, if this was generated by a Windows log",
      "pattern" : "\\d+"
    },
    "service" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Service being accessed"
    },
    "r7_hostid" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The host id of the system on which the event happened. Only included for data sourced from endpoint agents"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON string produced by applying one or more user-defined custom parsers to the original data"
    },
    "r7_context" : {
      "type" : "object",
      "properties" : {
        "source_user" : {
          "type" : "object",
          "properties" : {
            "domain" : {
              "type" : "string",
              "x-isAttributed" : false,
              "format" : "hostname",
              "description" : "The domain of the user"
            },
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "user"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "destination_user" : {
          "type" : "object",
          "properties" : {
            "domain" : {
              "type" : "string",
              "x-isAttributed" : false,
              "format" : "hostname",
              "description" : "The domain of the user"
            },
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "user"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "source_account" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "enum" : [ "account", "asset:account" ]
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "destination_account" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "enum" : [ "account", "asset:account" ]
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "source_local_account" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "enum" : [ "account", "asset:account" ]
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "destination_local_account" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "enum" : [ "account", "asset:account" ]
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "source_asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "destination_asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        }
      },
      "x-isAttributed" : true,
      "description" : "R7_context includes attributed information related to the entry, with references to Rapid7-specific RRNs"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    }
  },
  "required" : [ "timestamp", "destination_asset_address" ],
  "description" : "Authentication to a system. This includes Active Directory authentications and\n(if an endpoint monitor is set up) endpoint logons, but not ingress authentications"
}