@@ -29,6 +29,7 @@ grouped in the following categories:
2929* <<exported-fields-coredns>>
3030* <<exported-fields-crowdstrike>>
3131* <<exported-fields-cyberark>>
32+ * <<exported-fields-cyberarkpas>>
3233* <<exported-fields-cylance>>
3334* <<exported-fields-docker-processor>>
3435* <<exported-fields-ecs>>
@@ -34178,6 +34179,268 @@ type: keyword
3417834179
3417934180--
3418034181
34182+ [[exported-fields-cyberarkpas]]
34183+ == CyberArk PAS fields
34184+
34185+ cyberarkpas fields.
34186+
34187+
34188+
34189+
34190+ [float]
34191+ === audit
34192+
34193+ Cyberark Privileged Access Security Audit fields.
34194+
34195+
34196+
34197+ *`cyberarkpas.audit.action`*::
34198+ +
34199+ --
34200+ A description of the audit record.
34201+
34202+ type: keyword
34203+
34204+ --
34205+
34206+ *`cyberarkpas.audit.ca_properties`*::
34207+ +
34208+ --
34209+ Account metadata.
34210+
34211+ type: flattened
34212+
34213+ --
34214+
34215+ *`cyberarkpas.audit.category`*::
34216+ +
34217+ --
34218+ The category name (for category-related operations).
34219+
34220+ type: keyword
34221+
34222+ --
34223+
34224+ *`cyberarkpas.audit.desc`*::
34225+ +
34226+ --
34227+ A static value that displays a description of the audit codes.
34228+
34229+ type: keyword
34230+
34231+ --
34232+
34233+ *`cyberarkpas.audit.extra_details`*::
34234+ +
34235+ --
34236+ Specific extra details of the audit records.
34237+
34238+ type: flattened
34239+
34240+ --
34241+
34242+ *`cyberarkpas.audit.file`*::
34243+ +
34244+ --
34245+ The name of the target file.
34246+
34247+ type: keyword
34248+
34249+ --
34250+
34251+ *`cyberarkpas.audit.gateway_station`*::
34252+ +
34253+ --
34254+ The IP of the web application machine (PVWA).
34255+
34256+ type: ip
34257+
34258+ --
34259+
34260+ *`cyberarkpas.audit.hostname`*::
34261+ +
34262+ --
34263+ The hostname, in upper case.
34264+
34265+ type: keyword
34266+
34267+ example: MY-COMPUTER
34268+
34269+ --
34270+
34271+ *`cyberarkpas.audit.iso_timestamp`*::
34272+ +
34273+ --
34274+ The timestamp, in ISO Timestamp format (RFC 3339).
34275+
34276+ type: date
34277+
34278+ example: 2013-06-25 10:47:19+00:00
34279+
34280+ --
34281+
34282+ *`cyberarkpas.audit.issuer`*::
34283+ +
34284+ --
34285+ The Vault user who wrote the audit. This is usually the user who performed the operation.
34286+
34287+ type: keyword
34288+
34289+ --
34290+
34291+ *`cyberarkpas.audit.location`*::
34292+ +
34293+ --
34294+ The target Location (for Location operations).
34295+
34296+ type: keyword
34297+
34298+ Field is not indexed.
34299+
34300+ --
34301+
34302+ *`cyberarkpas.audit.message`*::
34303+ +
34304+ --
34305+ A description of the audit records (same information as in the Desc field).
34306+
34307+ type: keyword
34308+
34309+ --
34310+
34311+ *`cyberarkpas.audit.message_id`*::
34312+ +
34313+ --
34314+ The code ID of the audit records.
34315+
34316+ type: keyword
34317+
34318+ --
34319+
34320+ *`cyberarkpas.audit.product`*::
34321+ +
34322+ --
34323+ A static value that represents the product.
34324+
34325+ type: keyword
34326+
34327+ --
34328+
34329+ *`cyberarkpas.audit.pvwa_details`*::
34330+ +
34331+ --
34332+ Specific details of the PVWA audit records.
34333+
34334+ type: flattened
34335+
34336+ --
34337+
34338+ *`cyberarkpas.audit.raw`*::
34339+ +
34340+ --
34341+ Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
34342+
34343+
34344+ type: keyword
34345+
34346+ Field is not indexed.
34347+
34348+ --
34349+
34350+ *`cyberarkpas.audit.reason`*::
34351+ +
34352+ --
34353+ The reason entered by the user.
34354+
34355+ type: text
34356+
34357+ --
34358+
34359+ *`cyberarkpas.audit.rfc5424`*::
34360+ +
34361+ --
34362+ Whether the syslog format complies with RFC5424.
34363+
34364+ type: boolean
34365+
34366+ example: True
34367+
34368+ --
34369+
34370+ *`cyberarkpas.audit.safe`*::
34371+ +
34372+ --
34373+ The name of the target Safe.
34374+
34375+ type: keyword
34376+
34377+ --
34378+
34379+ *`cyberarkpas.audit.severity`*::
34380+ +
34381+ --
34382+ The severity of the audit records.
34383+
34384+ type: keyword
34385+
34386+ --
34387+
34388+ *`cyberarkpas.audit.source_user`*::
34389+ +
34390+ --
34391+ The name of the Vault user who performed the operation.
34392+
34393+ type: keyword
34394+
34395+ --
34396+
34397+ *`cyberarkpas.audit.station`*::
34398+ +
34399+ --
34400+ The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
34401+
34402+ type: ip
34403+
34404+ --
34405+
34406+ *`cyberarkpas.audit.target_user`*::
34407+ +
34408+ --
34409+ The name of the Vault user on which the operation was performed.
34410+
34411+ type: keyword
34412+
34413+ --
34414+
34415+ *`cyberarkpas.audit.timestamp`*::
34416+ +
34417+ --
34418+ The timestamp, in MMM DD HH:MM:SS format.
34419+
34420+ type: keyword
34421+
34422+ example: Jun 25 10:47:19
34423+
34424+ --
34425+
34426+ *`cyberarkpas.audit.vendor`*::
34427+ +
34428+ --
34429+ A static value that represents the vendor.
34430+
34431+ type: keyword
34432+
34433+ --
34434+
34435+ *`cyberarkpas.audit.version`*::
34436+ +
34437+ --
34438+ A static value that represents the version of the Vault.
34439+
34440+ type: keyword
34441+
34442+ --
34443+
3418134444[[exported-fields-cylance]]
3418234445== CylanceProtect fields
3418334446