User Context logs
| NXLog field | UDM field |
|---|---|
| GivenName | entity.entity.user.first_name |
| Surname | entity.entity.user.last_name |
| SamAccountName | entity.entity.user.userid |
| SID.Value | entity.entity.user.windows_sid |
| ObjectClass | If the value is "user", entity.metadata.entity_type is set to USER |
| ObjectGuid | entity.entity.user.product_object_id |
| AccountExpirationDate | Stored as an entity.entity.user.attribute.label.key/value pair. |
| badPwdCount | Stored as an entity.entity.user.attribute.label.key/value pair. |
| CanonicalName | entity.entity.administrative_domain |
| City | entity.entity.user.personal_address.city |
| Company | entity.entity.user.company_name |
| Country | entity.entity.user.personal_address.country_or_region |
| Department | entity.entity.user.department |
| Description | entity.metadata.description |
| DisplayName | entity.entity.user.user_display_name |
| EmailAddress | entity.entity.user.email_addresses |
| EmployeeID | entity.entity.user.employee_id |
| HomeDirectory | entity.entity.file.full_path |
| HomePage | entity.entity.url |
| HomePhone | entity.entity.user.phone_numbers |
| LastBadPasswordAttempt | Stored as an entity.entity.user.attribute.label.key/value pair. |
| lastLogoff | Stored as an entity.entity.user.attribute.label.key/value pair. |
| lastLogon | Stored as an entity.entity.user.attribute.label.key/value pair. |
| LastLogonDate | Stored as an entity.entity.user.attribute.label.key/value pair. |
| Manager | Values for GUID, SAMAccountname, SID all mapped to different UDM fields: - SID is stored in manager.windows_sid - Distinguished name (i.e. value in first CN) is stored in manager.user_display_name - GUID,SamAccountName is stored in manager.userid |
| MemberOf | The following fields in the first occurrence of CN are set: entity.relations.entity.group.group_display_name entity.relations.entity_type set to GROUP entity.relations.relationship set t0 MEMBER entity.relations.direction set to UNIDIRECTIONAL |
| MobilePhone | entity.entity.user.phone_numbers |
| Office | entity.entity.user.office_address.name |
| PasswordExpired | Stored as an entity.entity.user.attribute.label.key/value pair. |
| PasswordLastSet | Stored as an entity.entity.user.attribute.label.key/value pair. |
| PasswordNeverExpires | Stored as an entity.entity.user.attribute.label.key/value pair. |
| PasswordNotRequired | Stored as an entity.entity.user.attribute.label.key/value pair. |
| PrimaryGroup | Following fields are set: - entity.relations.entity.group.group_display_name - entity.relations.entity_type set to GROUP - entity.relations.relationship set to MEMBER - entity.relations.direction set to UNIDIRECTIONAL |
| ServicePrincipalNames | Stored as an entity.entity.user.attribute.label.key/value pair. |
| State | entity.entity.user.personal_address.state |
| StreetAddress | entity.entity.user.personal_address.name |
| Title | entity.entity.user.title |
| whenCreated | entity.user.attribute.creation_time |
Asset Context logs
| NXLog Field | UDM Field |
|---|---|
| DNSHostName | entity.entity.asset.hostname |
| SamAccountName | entity.entity.asset.asset_id |
| SID.Value | entity.entity.user.windows_sid |
| ObjectClass | If the value is "computer", entity.metadata.entity_type set to ASSET |
| ObjectGuid | entity.entity.asset.product_object_id |
| AccountExpirationDate | entity.entity.asset.attribute.label.key/value |
| badPwdCount | entity.entity.asset.attribute.label.key/value |
| CanonicalName | entity.entity.administrative_domain |
| countryCode | entity.entity.asset.location.country_or_region |
| Description | entity.entity.metadata.description |
| HomePage | entity.entity.url |
| IPv4Address | entity.entity.asset.ip |
| IPv6Address | entity.entity.asset.ip |
| LastBadPasswordAttempt | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| lastLogoff | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| lastLogon | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| LastLogonDate | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| Location | entity.entity.asset.location.name |
| ManagedBy | The following fields are set: entity.entity.user.user_display_name entity.relations.entity_type set to USER entity.relations.relationship set to ADMINISTERS entity.relations.direction set to UNIDIRECTIONAL |
| ObjectCategory | entity.entity.asset.category |
| OperatingSystem | If the name contains "Windows", entity.entity.asset.platform_software.platform field is set to WINDOWS. |
| OperatingSystemServicePack | entity.entity.asset.platform_software.platform_patch_level |
| OperatingSystemVersion | The field entity.entity.asset.platform_software.platform_version is set to %{OperatingSystem} - %{OperatingSystemVersion} |
| PasswordExpired | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| PasswordLastSet | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| PasswordNeverExpires | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| PasswordNotRequired | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| PrimaryGroup | The following fields are set: - entity.relations.entity.group.group_display_name - entity.relations.entity_type set to GROUP - entity.relations.relationship set to MEMBER - entity.relations.direction set to UNIDIRECTIONAL |
| ServicePrincipalNames | Stored as an entity.entity.asset.attribute.label.key/value pair. |
| whenChanged | entity.entity.asset.attribute.last_update_time |
| whenCreated | entity.entity.asset.attribute.creation_time |