Authentication

Description

Offers fields related to authentication events.
This preset is a story that contains fields originating from third-party authentication vendors such as Okta and PingOne (depending on the vendor(s) you have deployed), as well as Windows event logs collected by the Cortex XDR agent, and/or other sources such as the WEC Collector.

Preset Fields

The authentication_story preset has the following fields:

| Field Name | Datatype | Description |
|---|---|---|
| action_country | string | None Available |
| action_local_ip | string | Source IP address |
| action_local_port | integer | Source port |
| action_remote_ip | string | Destination IP address |
| action_remote_port | integer | Destination port |
| action_user_agent | string | None Available |
| auth_client | string | None Available |
| auth_client_type | string | None Available |
| auth_correlation_id | string | None Available |
| auth_domain | string | None Available |
| auth_identity | string | None Available |
| auth_outcome | string | None Available |
| auth_outcome_reason | string | None Available |
| auth_service | string | None Available |
| auth_target | string | None Available |
| krb_error_code | integer | None Available |
| krb_is_machine_account | boolean | None Available |
| krb_logon_guid | string | None Available |
| krb_req_kdc_options | integer | None Available |
| krb_req_msg_type | integer | None Available |
| krb_rsp_msg_type | integer | None Available |
| krb_rsp_ticket_enc_type | integer | None Available |
| krb_rsp_ticket_prefix | string | None Available |
| krb_spn_type | integer | None Available |
| krb_user_type | integer | None Available |
| sso_display_message | string | None Available |
| sso_severity | string | None Available |
