@@ -99,13 +99,15 @@ Each schema explicitly defines the central entities and entity fields. The follo
Users are central to activities reported by events. The fields listed in this section are used to describe the users involved in the action. Prefixes are used to designate the role of the user in the activity. The prefixes `Src` and `Dst` are used to designate the user role in network related events, in which a source system and a destination system communicate. The prefixes 'Actor' and 'Target' are used for system oriented events such as process events.
-
#### The user ID
+
#### The user ID and scope
| Field | Class | Type | Description |
|-------|-------|------|-------------|
| <a name="userid"></a>**UserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the user. |
+
| <a name="userscope"></a>**UserScope** | Optional | string | The scope in which the user is defined. For example, an AAD tenant for. The scope type is tightly coupled to the user ID type, and therefore the [UserIdType](#useridtype) field represents also the type of the associated with this field. |
| <a name="useridtype"></a>**UserIdType** | Optional | UserIdType | The type of the ID stored in the [UserId](#userid) field. |
-
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
+
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid). Populate the relevant specific ID field, in addition to [UserId](#userid), even if the event has only one ID. |
+
| **UserAADTenant**, **UserAWSAccount** | Optional | String | Fields used to store specific scopes. Use the [UserScope](#userscope) field for the scope associated with the ID stored in the [UserId](#userid) field. Populate the relevant specific scope field, in addition to [UserScope](#userscope), even if the event has only one ID. |
The allowed values for a user ID type are:
@@ -117,6 +119,17 @@ The allowed values for a user ID type are:
| **OktaId** | An Okta user ID. | `00urjk4znu3BcncfY0h7` |
| **AWSId** | An AWS user ID. | `72643944673` |
+
#### The user scope
+
+
The user context defines the sc
+
+
| Field | Class | Type | Description |
+
|-------|-------|------|-------------|
+
| <a name="userscope"></a>**UserContext** | Optional | string | The context in which the user is defined
+
| <a name="usercontexttype"></a>**UserContextType** | Optional | UserContextType | The type of the ID stored in the [UserId](#userid) field. |
+
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
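Review bot: This added "The user scope" section reads as an unfinished draft and should be either removed or completed before merge: the intro sentence stops at "defines the sc"; the **UserContext** row reuses `<a name="userscope">`, which duplicates the anchor the previous hunk added for **UserScope** and makes every `[UserScope](#userscope)` link ambiguous in the rendered page; **UserContextType** is described as "The type of the ID stored in the [UserId](#userid) field", which is the **UserIdType** description, not a scope type; and the final row is a copy of the pre-change **UserSid** row (still without the closing `|`) that the previous hunk already replaced. If the section is kept, its terms should match the UserScope/UserIdType wording above, since the first hunk states that the scope type is taken from **UserIdType**.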
articles/sentinel/web-normalization-schema.md
Lines changed: 2 additions & 2 deletions
@@ -124,7 +124,7 @@ The following list mentions fields that have specific guidelines for Web Session
|**EventResult**| Mandatory | Enumerated | Describes the event result, normalized to one of the following values: <br> - `Success` <br> - `Partial` <br> - `Failure` <br> - `NA` (not applicable) <br><br>For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes, refer to [W3 Org](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).<br><br>The source may provide only a value for the [EventResultDetails](#eventresultdetails) field, which must be analyzed to get the **EventResult** value. |
| <aname="eventresultdetails"></a>**EventResultDetails**| Mandatory | String | For HTTP sessions, the value should be the HTTP status code. <br><br>**Note**: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the **EventOriginalResultDetails** field.|
|**EventSchema**| Mandatory | String | The name of the schema documented here is `WebSession`. |
-
|**EventSchemaVersion**| Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.3`|
+
|**EventSchemaVersion**| Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.4`|
|**Dvc** fields||| For Web Session events, device fields refer to the system reporting the Web Session event. |
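Review bot: The bump to `0.2.4` is fine, but two problems in the neighbouring context lines of the same table are worth fixing while this row is being edited: the **EventResultDetails** anchor is written `<aname="eventresultdetails">` without the space, so the `#eventresultdetails` link in the **EventResult** row above it has no target in the rendered page; and the **EventResult** row defines `Success` as a status code lower than `400` and `Failure` as higher than `400`, which leaves status code `400` itself unclassified, where "`400` or higher" would match how HTTP client-error codes are normally treated.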
@@ -198,7 +198,7 @@ If the event is reported by one of the endpoints of the web session, it may incl
### Schema updates
-
The Web Session schema relies on the Network Session schema. Therefore, [Network Session schema updates](network-normalization-schema.md#schema-updates) apply to the Web Session schema as well. The WebSession schema version has been updated to reflect this dependancy.
+
The Web Session schema relies on the Network Session schema. Therefore, [Network Session schema updates](network-normalization-schema.md#schema-updates) apply to the Web Session schema as well. The WebSession schema version has been updated to reflect this dependency.
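Review bot: The spelling fix (dependancy to dependency) is correct. Since this same commit raises **EventSchemaVersion** to `0.2.4`, the Schema updates section should also record what changed in `0.2.4`; as written it only explains the dependency on the Network Session schema, so a reader cannot tell from the doc which change the new version number corresponds to.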