Event Name - SsoApplicationAccess

Field

Description

ActivityId

A globally-unique identifier for the activity event.

ContextTimeStamp

System time of event creation.

SsoEventSource

The source from which the activity data was retrieved. In the case of federated-SSO, this might be either the IDaaS vendor or the federation provider, depending on the retrieval method.

Values:

• AZURE (1)

• OKTA (2)

• ADFS (100)

• PING_FEDERATE (101)

WebSessionIdentifier

SourceAccountUserName

The username associated with this activity.

SourceAccountAzureId

The unique Azure userId value of the user associated with this activity

SourceAccountOktaId

The unique OKTA actor ID of the user associated with this activity

SourceAccountObjectSid

The objectSid value of the account bound with this activity.

SourceAccountObjectGuid

The objectGUID value of the account bound with this activity.

SourceEndpointAddressIP4

The IP address of the endpoint from which this activity originates.

Mutually exclusive with the SourceEndpointAddressIP6 field.

SourceEndpointAddressIP6

The IP address of the endpoint from which this activity originates.

Mutually exclusive with the SourceEndpointAddressIP4 field.

SourceEndpointIpReputation

The reputation attributes of the source IP (SourceEndpointAddressIP4 or SourceEndpointAddressIP6).

Only set for public addresses.

Values:

• NONE (0x00)

• ANONYMOUS_ACTIVE (0x01)

• ANONYMOUS_SUSPECT (0x02)

• ANONYMOUS_INACTIVE (0x04)

• ANONYMOUS_PRIVATE (0x08)

• ASSOCIATED_WITH_DICTIONARY_ATTACK (0x10)

• ASSOCIATED_WITH_DDOS_ATTACK (0x20)

• ASSOCIATED_WITH_SPAM (0x40)

• HOSTING_FACILITY (0x80)

SourceEndpointNetworkType

The network type to which the SourceEndpointAddressIP4 or SourceEndpointAddressIP6 value belongs, depending on customer configuration.

Values:

• INTERNAL (0x1)

• VPN (0x2)

• WIRELESS (0x4)

• NAT (0x8)

• PUBLIC (0x10)

SourceEndpointNetworkTag

The network tag to which the SourceEndpointAddressIP4 or SourceEndpointAddressIP6 value belongs, depending on customer configuration.

SourceEndpointHostName

The hostname of the source endpoint. Might originate either directly from the raw event data or from one of the host association resolution methods.

When available, either the SourceEndpointAccountObjectSid or SourceEndpointAccountObjectGuid fields are superior for use as foreign keys.

SourceEndpointAccountObjectSid

The objectSid value of the source endpoint account.

SourceEndpointAccountObjectGuid

The objectGUID value of the source endpoint account.

ClientUserAgentString

The HTTP User-Agent string identified by the client.

ClientIdentifier

A human readable string identifying the client, if available.

LocationLongitudeAsInt

The location longitude value associated with the event.

The value is a 4-digit precision fixed-point value (11.1m) represented as a 64-bit integer.

Divide by 100,000 to get back the fixed-point value

LocationLatitudeAsInt

The location latitude value associated with the event.

The value is a 4-digit precision fixed-point value (11.1m) represented as a 64-bit integer.

Divide by 100,000 to get back the fixed-point value.

LocationAccuracyRadius

The reported accuracy radius for (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationCountryCode

The country-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationStateCode

The state-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt).

LocationCityCode

The city-code associated with (LocationLatitudeAsInt, LocationLongitudeAsInt) as listed in the GeoNames database.

SsoApplicationIdentifier

The human-readable target application identifier.

For stronger identification, use either the SsoApplicationUri field, or vendor-specific fields such as AzureApplicationId.

SsoApplicationUri

The URL or URN of the target application.

AzureApplicationId

The unique Azure appId value of the application accessed. Is only available when the SsoEventSource field is set to AZURE.

OktaApplicationId

The unique Okta actor ID of the application being accessed.

Only set if the SsoEventSource field is set to OKTA.

AppliedDisposition

A bit mask of the disposition the sensor has applied.

IdpEntityId