Definition of the Source Object

Table 1. Fields of the Source object (Field / Required / Type / Description / Example values / Comments)

Field: user_principal_name
Required: At least one of the five identity fields (user_principal_name, down_level_logon_name, sam_account_name, distinguished_name, user_email_address) should be present if the agent is capable of obtaining it.
Type: string
Example value: "example@forcepoint.com"

Field: down_level_logon_name
Required: one of the five identity fields (see user_principal_name)
Type: string
Example value: "nis1\example"

Field: sam_account_name
Required: one of the five identity fields (see user_principal_name)
Type: string
Example value: "example"

Field: distinguished_name
Required: one of the five identity fields (see user_principal_name)
Type: string
Example value: "CN=Smith\, John,OU=Users,OU=Raanana,DC=example,DC=com"

Field: user_email_address
Required: one of the five identity fields (see user_principal_name)
Type: string
Example value: "example@forcepoint.com"

Field: host_ips
Required: yes
Type: array of strings
Description: the IP address(es) of the machine the operation originated from.
Example value: ["192.168.31.14"]
Comments: the array can contain more than one address because the address can be obtained both before and after NAT. If available, the machine's internal address is the second address in the list.

Field: host_name
Required: no
Type: string
Description: the name of the machine the operation originated from.
Example value: "asi_laptop"

Field: user_agent
Required: no
Type: string
Example value: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36"

Field: host_domain
Required: no
Type: string
Description: the domain to which the computer belongs. The full computer name is the concatenation host_name.host_domain.
Example values: "example", "NIS1"
Comments: in Cloud Web, the machine name comes from Endpoint, which provides it in "NTLM" form, so this may be a single word (such as "NIS1") rather than a DNS-style domain.
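The rules in Table 1 (at least one of the five identity fields, a required non-empty host_ips array whose second entry is the internal address, and a full computer name built as host_name.host_domain) are easy to get wrong when a Source object is assembled by hand, so the following validator is added here as a worked example. It is not Forcepoint's code; the function names, the sample JSON documents, and the documentation-range address 203.0.113.7 standing in for a post-NAT public address are all constructed for this illustration.

```python
import ipaddress
import json

# Identity fields: Table 1 requires at least one of these five to be present
# when the agent can obtain it.
IDENTITY_FIELDS = (
    "user_principal_name",
    "down_level_logon_name",
    "sam_account_name",
    "distinguished_name",
    "user_email_address",
)
# Optional fields that must be strings when present.
OPTIONAL_STRING_FIELDS = ("host_name", "user_agent", "host_domain")


def validate_source(src):
    """Return a list of validation errors for a Source object; an empty list means valid."""
    if not isinstance(src, dict):
        return ["source must be a JSON object"]
    errors = []

    present = [f for f in IDENTITY_FIELDS if f in src]
    if not present:
        errors.append("at least one of " + ", ".join(IDENTITY_FIELDS) + " must be present")
    for f in present:
        if not isinstance(src[f], str) or not src[f].strip():
            errors.append(f"{f} must be a non-empty string")

    ips = src.get("host_ips")
    if not isinstance(ips, list) or not ips:
        errors.append("host_ips is required and must be a non-empty array of strings")
    else:
        for i, ip in enumerate(ips):
            if not isinstance(ip, str):
                errors.append(f"host_ips[{i}] must be a string")
                continue
            try:
                ipaddress.ip_address(ip)  # rejects hostnames, CIDR ranges and other junk
            except ValueError:
                errors.append(f"host_ips[{i}] is not an IP address: {ip!r}")

    for f in OPTIONAL_STRING_FIELDS:
        if f in src and not isinstance(src[f], str):
            errors.append(f"{f} must be a string when present")
    return errors


def parse_source(text):
    """Parse a JSON document into a Source object, raising ValueError on any violation."""
    src = json.loads(text)
    errors = validate_source(src)
    if errors:
        raise ValueError("; ".join(errors))
    return src


def full_computer_name(src):
    """host_name.host_domain as Table 1 defines it; bare host_name without a domain; None without a host_name."""
    name = src.get("host_name")
    if not name:
        return None
    domain = src.get("host_domain")
    return f"{name}.{domain}" if domain else name


def internal_address(src):
    """Internal (pre-NAT) address: the second host_ips entry, when the agent supplied one."""
    ips = src.get("host_ips") or []
    return ips[1] if len(ips) >= 2 else None


# Constructed sample documents (not from the original page). 203.0.113.7 is a
# documentation-range address standing in for the post-NAT public address.
# Backslashes are doubled once for Python and once for JSON.
VALID_JSON = """{
  "user_principal_name": "example@forcepoint.com",
  "down_level_logon_name": "nis1\\\\example",
  "distinguished_name": "CN=Smith\\\\, John,OU=Users,OU=Raanana,DC=example,DC=com",
  "host_ips": ["203.0.113.7", "192.168.31.14"],
  "host_name": "asi_laptop",
  "host_domain": "NIS1",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
}"""

# Missing every identity field, and host_ips carries a hostname instead of an address.
INVALID_JSON = '{"host_ips": ["asi_laptop"], "host_name": "asi_laptop"}'

if __name__ == "__main__":
    src = parse_source(VALID_JSON)
    print("full computer name:", full_computer_name(src))
    print("internal address:", internal_address(src))
    print("errors for invalid document:", validate_source(json.loads(INVALID_JSON)))
```

The validator reports every violation at once rather than stopping at the first, which is what you want when rejecting an agent's submission: the agent can fix all of its fields in one round trip. Note that internal_address returns None for a single-entry host_ips, since the table only promises the internal address when it is available.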