Stay organized with collections Save and categorize content based on your preferences.

User Context logs

NXLog field UDM field
GivenName entity.entity.user.first_name
Surname entity.entity.user.last_name
SamAccountName entity.entity.user.userid
SID.Value entity.entity.user.windows_sid
ObjectClass If the value is "user",
entity.metadata.entity_type is set to USER
ObjectGuid entity.entity.user.product_object_id
AccountExpirationDate Stored as an entity.entity.user.attribute.label.key/value pair.
badPwdCount Stored as an entity.entity.user.attribute.label.key/value pair.
CanonicalName entity.enitity.administrative_domain
City entity.entity.user.personal_address.city
Company entity.entity.user.company_name
Country entity.entity.user.personal_address.country_or_region
Department entity.entity.user.department
Description entity.metadata.description
DisplayName entity.entity.user.user_display_name
EmailAddress entity.entity.user.email_addresses
EmployeeID entity.entity.user.employee_id
HomeDirectory entity.entity.file.full_path
HomePage entity.entity.url
HomePhone entity.entity.user.phone_numbers
LastBadPasswordAttempt Stored as an entity.entity.user.attribute.label.key/value pair.
lastLogoff Stored as an entity.entity.user.attribute.label.key/value pair.
lastLogon Stored as an entity.entity.user.attribute.label.key/value pair.
LastLogonDate Stored as an entity.entity.user.attribute.label.key/value pair.
Manager Values for GUID, SAMAccountname, SID all mapped to different UDM fields:
- SID is stored in manager.windows_sid
- Distinguished name (i.e. value in first CN) is stored in manager.user_display_name
- GUID,SamAccountName is stored in manager.userid
MemberOf The following fields in the first occurrence of CN are set:
entity.relations.entity.group.group_display_name
entity.relations.entity_type set to GROUP
entity.relations.relationship set t0 MEMBER
entity.relations.direction set to UNIDIRECTIONAL
MobilePhone entity.entity.user.phone_numbers
Office entity.entity.user.office_address.name
PasswordExpired Stored as an entity.entity.user.attribute.label.key/value pair.
PasswordLastSet Stored as an entity.entity.user.attribute.label.key/value pair.
PasswordNeverExpires Stored as an entity.entity.user.attribute.label.key/value pair.
PasswordNotRequired Stored as an entity.entity.user.attribute.label.key/value pair.
PrimaryGroup Following fields are set:
- entity.relations.entity.group.group_display_name
- entity.relations.entity_type set to GROUP
- entity.relations.relationship set to MEMBER
- entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames Stored as an entity.entity.user.attribute.label.key/value pair.
State entity.entity.user.personal_address.state
StreetAddress entity.entity.user.personal_address.name
Title entity.entity.user.title
whenCreated entity.user.attribute.creation_time

Asset Context logs

NXLog Field UDM Field
DNSHostName entity.entity.asset.hostname
SamAccountName entity.entity.asset.asset_id
SID.Value entity.entity.user.windows_sid
ObjectClass If the value is "computer", entity.metadata.entity_type set to ASSET
ObjectGuid entity.entity.asset.product_object_id
AccountExpirationDate entity.entity.asset.attribute.label.key/value
badPwdCount entity.entity.asset.attribute.label.key/value
CanonicalName entity.entity.administrative_domain
countryCode entity.entity.asset.location.country_or_region
Description entity.entity.metadata.description
HomePage entity.entity.url
IPv4Address entity.entity.asset.ip
IPv6Address entity.entity.asset.ip
LastBadPasswordAttempt Stored as an entity.entity.asset.attribute.label.key/value pair.
lastLogoff Stored as an entity.entity.asset.attribute.label.key/value pair.
lastLogon Stored as an entity.entity.asset.attribute.label.key/value pair.
LastLogonDate Stored as an entity.entity.asset.attribute.label.key/value pair.
Location entity.entity.asset.location.name
ManagedBy The following fields are set:

entity.entity.user.user_display_name
entity.relations.entity_type set to USER
entity.relations.relationship set to ADMINISTERS
entity.relations.direction set to UNIDIRECTIONAL
ObjectCategory entity.entity.asset.category
OperatingSystem If the name contains "Windows", entity.entity.asset.platform_software.platform field is set to WINDOWS.
OperatingSystemServicePack entity.entity.asset.platform_software.platform_patch_level
OperatingSystemVersion The field entity.entity.asset.platform_software.platform_version is set to %{OperatingSystem} - %{OperatingSystemVersion}
PasswordExpired Stored as an entity.entity.asset.attribute.label.key/value pair.
PasswordLastSet Stored as an entity.entity.asset.attribute.label.key/value pair.
PasswordNeverExpires Stored as an entity.entity.asset.attribute.label.key/value pair.
PasswordNotRequired Stored as an entity.entity.asset.attribute.label.key/value pair.
PrimaryGroup The following fields are set:
- entity.relations.entity.group.group_display_name
- entity.relations.entity_type set to GROUP
- entity.relations.relationship set to MEMBER
- entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames Stored as an entity.entity.asset.attribute.label.key/value pair.
whenChanged entity.entity.asset.attribute.last_update_time
whenCreated entity.entity.asset.attribute.creation_time