Authentication
Description
The Authentication section is designed for monitoring authorization and authentication events on hosts, in applications, and during remote connections.
Displayed Data
- Number of authentication attempts
- Top users by authentication attempts
- Top hosts/sources of authentication; sources with authentication attempts from multiple users
- Statistics on authentication events with details by users
- Statistics on authentication events with details by sources
List of Dashboards
- Authentication: Overview
- Authentication: User Profile
- Authentication: Source Profile
Data Model
The section uses the following fields from data sources. Alias used: sm_cs_auth_indexes.
Categorization Fields
Field Name | Value |
---|---|
event.kind | event |
event.category | authentication |
event.type | start, end, info |
event.outcome | success, failure, unknown |
event.action | From the original event. |
General Purpose Fields
User (user)
Field Name | Value |
---|---|
user.name | Username or ID. |
user.effective.name | Username or ID for events with privilege escalation. |
user.effective.id | User ID for events with privilege escalation on *nix systems. |
Source (source)
The source of the authentication request.
Field Name | Value |
---|---|
source.address | Source address of the authentication request (name or IP address). |
source.ip | IP address of the source of the authentication request. |
source.domain | Name (hostname or FQDN) of the source of the authentication request. |
Destination (destination)
The target against which authentication is performed (matches the source for local authentication).
Field Name | Value |
---|---|
destination.address | Destination address of the authentication (name or IP address). |
destination.ip | IP address of the authentication destination. |
destination.domain | Name (hostname or FQDN) of the authentication destination. |
Reference Tables
The section uses the following reference tables.
Name | Fields | Description |
---|---|---|
sm_cs_auth_default_users_lookup | user.name, is_default | Reference table for default usernames. |
sm_cs_auth_privileged_users_lookup | user.name, is_privileged | Reference table for privileged usernames. |
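The following added example (not the product's own code) shows how the fields and reference tables above combine into a source profile and the "sources with authentication attempts from multiple users" view. The sample events, the lookup contents, the exact-match lookup behaviour and the `min_users` threshold are constructed assumptions.

```python
from collections import defaultdict

def ev(outcome, user, src, category="authentication"):
    """Build one constructed event using the field names from the data model."""
    return {"event.kind": "event", "event.category": category, "event.type": "start",
            "event.outcome": outcome, "user.name": user, "source.ip": src}

# Constructed sample events (documentation-range and private addresses).
EVENTS = [
    ev("failure", "root", "203.0.113.7"),
    ev("failure", "admin", "203.0.113.7"),
    ev("failure", "guest", "203.0.113.7"),
    ev("failure", "alice", "203.0.113.7"),
    ev("success", "alice", "10.0.0.5"),
    ev("failure", "alice", "10.0.0.5"),
    ev("success", "bob", "203.0.113.7", category="process"),  # not authentication
]

# Constructed stand-ins for the two reference tables (user.name -> flag is true).
DEFAULT_USERS = {"admin", "guest"}   # sm_cs_auth_default_users_lookup, is_default
PRIVILEGED_USERS = {"root"}          # sm_cs_auth_privileged_users_lookup, is_privileged

def is_auth_event(event):
    """Apply the categorization fields: event.kind=event, event.category=authentication."""
    return (event.get("event.kind") == "event"
            and event.get("event.category") == "authentication")

def source_profile(events):
    """Per-source statistics: outcome counts, distinct users, flagged usernames."""
    stats = defaultdict(lambda: {"success": 0, "failure": 0, "unknown": 0,
                                 "users": set(), "default": set(), "privileged": set()})
    for event in filter(is_auth_event, events):
        src = event.get("source.ip") or event.get("source.address") or "unknown"
        outcome = event.get("event.outcome")
        if outcome not in ("success", "failure"):
            outcome = "unknown"          # missing or unexpected values count as unknown
        user = event.get("user.name", "")
        entry = stats[src]
        entry[outcome] += 1
        entry["users"].add(user)
        if user in DEFAULT_USERS:
            entry["default"].add(user)
        if user in PRIVILEGED_USERS:
            entry["privileged"].add(user)
    return stats

def multi_user_sources(events, min_users=3):
    """Sources whose attempts span at least min_users distinct usernames."""
    profile = source_profile(events)
    return sorted(src for src, entry in profile.items() if len(entry["users"]) >= min_users)
```

A single source that tries many usernames, especially default or privileged ones with a high failure count, is the pattern this view is meant to surface for review.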