Definition of the Source Object
| Field | Required | Type | Description | Values | Comments |
|---|---|---|---|---|---|
| user_principal_name | At least 1 of the 5: user_principal_name / down_level_logon_name / sam_account_name / distinguished_name / user_email_address should be present if the agent is capable of obtaining it. | string | | "example@forcepoint.com" | |
| down_level_logon_name | At least 1 of the 5 (see user_principal_name) | string | | "nis1\example" | |
| sam_account_name | At least 1 of the 5 (see user_principal_name) | string | | "example" | |
| distinguished_name | At least 1 of the 5 (see user_principal_name) | string | | "CN=Smith\, John,OU=Users,OU=Raanana,DC=example,DC=com" | |
| user_email_address | At least 1 of the 5 (see user_principal_name) | string | | "example@forcepoint.com" | |
| host_ips | yes | array of strings | The IP of the machine the operation originated from | ["192.168.31.14"] | There can be more than one address because the IP can be obtained before and after the NAT. If available, the machine's internal address will be the second address in the list. |
| host_name | no | string | The name of the machine the operation originated from | "asi_laptop" | |
| user_agent | no | string | | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" | |
| host_domain | no | string | The domain to which the computer belongs. The full computer name is a concatenation of: host_name.host_domain | "example" NIS1 | In Cloud Web, the machine name comes from Endpoint, which provides it in "NTLM" form, so this may be a single word rather than a DNS-style domain. |
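
The rules in the table can be checked at ingestion time, before source objects reach detection or correlation logic. The following is an added example, not part of the original page or of any Forcepoint code; the function names, the error/warning split and the constructed 203.0.113.7 address are assumptions made here.

```python
import ipaddress

# Field names are taken from the table above; the function names and the
# error/warning split are assumptions made for this example.
IDENTITY_FIELDS = ("user_principal_name", "down_level_logon_name",
                   "sam_account_name", "distinguished_name",
                   "user_email_address")
OPTIONAL_STRINGS = ("host_name", "user_agent", "host_domain")


def validate_source(src):
    """Return (errors, warnings) for one decoded source object (a dict)."""
    errors, warnings = [], []
    for field in IDENTITY_FIELDS + OPTIONAL_STRINGS:
        if field in src and not isinstance(src[field], str):
            errors.append(f"{field} must be a string")
    # The identity rule applies only "if the agent is capable of obtaining
    # it", so a record with no identity is flagged for review, not rejected.
    if not any(isinstance(src.get(f), str) and src[f] for f in IDENTITY_FIELDS):
        warnings.append("none of the 5 identity fields is present")
    ips = src.get("host_ips")
    if not isinstance(ips, list) or not ips:
        errors.append("host_ips is required: non-empty array of strings")
    else:
        for ip in ips:
            try:
                if not isinstance(ip, str):  # ip_address() also accepts ints
                    raise ValueError
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"host_ips entry {ip!r} is not an IP address")
    return errors, warnings


def internal_ip(src):
    """Second host_ips entry, which the table says is the internal address."""
    ips = src.get("host_ips")
    return ips[1] if isinstance(ips, list) and len(ips) > 1 else None


def full_computer_name(src):
    """host_name.host_domain, or just host_name when no domain was sent."""
    name, domain = src.get("host_name"), src.get("host_domain")
    return f"{name}.{domain}" if name and domain else name


# Constructed sample record, built from example values in the table.
SAMPLE = {"sam_account_name": "example", "host_name": "asi_laptop",
          "host_domain": "NIS1", "host_ips": ["203.0.113.7", "192.168.31.14"]}
```

Records that only raise the identity warning are still usable for host-based correlation through host_ips, but cannot be attributed to a user.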