| AnomalySubType |
- Type
- picklist
- Properties
- Filter, Group, Nillable, Restricted picklist, Sort
- Description
- Possible values are:
- ApiAnomaly - API Anomaly
- CredentialStuffing - Credential Stuffing
- GuestUserAnomaly - Guest User Anomaly
- LoginAnomaly - Login Anomaly
- MCPAnomaly - MCP Anomaly
- ReportAnomaly - Report Anomaly
- SessionHijacking - Session Hijacking
|
| EvaluationTime |
- Type
- double
- Properties
- Filter, Nillable, Sort
- Description
- The amount of time it took to evaluate the transaction security policy in
milliseconds.
|
| EventDate |
- Type
- dateTime
- Properties
- Filter, Sort
- Description
- The time when the file event was reported. For example, 2020-01-20T19:12:26.965Z. Milliseconds is the
most granular setting.
|
| EventIdentifier |
- Type
- string
- Properties
- Filter, Sort
- Description
- The unique ID of the event, which is shared with the corresponding storage
object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate
the event with its storage object.
|
| LastReferencedDate |
- Type
- dateTime
- Properties
- Filter, Nillable, Sort
- Description
- The timestamp for when the current user last viewed a record
related to this record.
|
| LastViewedDate |
- Type
- dateTime
- Properties
- Filter, Nillable, Sort
- Description
- The timestamp for when the current user last viewed this record.
If this value is null, it’s possible that this record was
referenced (LastReferencedDate) and not
viewed.
|
| LoginKey |
- Type
- string
- Properties
- Nillable
- Description
- The string that ties together all events in a given user's login session.
The session starts with a login event and ends with either a logout event or
the user session expiring. For example, lUqjLPQTWRdvRG4.
|
| PolicyId |
- Type
- reference
- Properties
- Nillable
- Description
- The ID of the transaction policy associated with this event. For example,
0NIB000000000KOOAY.
- This is a relationship field.
- Relationship Name
- Policy
- Relationship Type
- Lookup
- Refers To
- TransactionSecurityPolicy
|
| PolicyOutcome |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The result of the transaction policy. Possible values are:
- Block—The user was blocked from performing the operation that triggered the policy.
- Error—The policy caused an undefined error when it executed.
- ExemptNoAction—The user is exempt from transaction security policies, so the policy didn’t trigger.
- MeteringBlock—The policy took longer than 3 seconds to process, so the user was blocked from performing the operation.
- MeteringNoAction—The policy took longer than 3 seconds to process, but the user isn't blocked from performing the operation.
- NoAction—The policy didn't trigger.
- Notified—A notification was sent to the recipient.
|
| Score |
- Type
- double
- Properties
- Filter, Nillable, Sort
- Description
- A number from 0 through 1 that represents the anomaly score for the API
execution or export tracked by this event. The anomaly score shows how the
user's current API activity is different from their typical activity. A low
score indicates that the user's current API activity is similar to their usual
activity; a high score indicates that it's different.
|
| SecurityEventData |
- Type
- textarea
- Properties
- Nillable
- Description
- The set of features about the API activity that triggered this anomaly
event.
Let’s say, for example, that a user typically downloads 10 accounts
but then they deviate from that pattern and download 1,000 accounts. This
event is triggered and the contributing features are captured in this field.
Potential features include row count, column count, average row size, the
day of week, and the browser’s user agent used for the report activity. The
data captured in this field also shows how much a particular feature
contributed to this anomaly event being triggered, represented as a
percentage. The data is in JSON format.
- Example
- This example shows that the average row count contributed more than 95% to
the anomaly being triggered. Other anomalous attributes, such as the
autonomous system, day of the week the report was run, the browser used, and
the number of columns, contributed much
less.
[
  {
    "featureName": "rowCount",
    "featureValue": "1937568",
    "featureContribution": "95.00 %"
  },
  {
    "featureName": "autonomousSystem",
    "featureValue": "Bigleaf Networks, Inc.",
    "featureContribution": "1.62 %"
  },
  {
    "featureName": "dayOfWeek",
    "featureValue": "Sunday",
    "featureContribution": "1.42 %"
  },
  {
    "featureName": "userAgent",
    "featureValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36}",
    "featureContribution": "1.21 %"
  },
  {
    "featureName": "periodOfDay",
    "featureValue": "Evening",
    "featureContribution": ".09 %"
  },
  {
    "featureName": "averageRowSize",
    "featureValue": "744",
    "featureContribution": "0.08 %"
  },
  {
    "featureName": "screenResolution",
    "featureValue": "900x1440",
    "featureContribution": "0.07 %"
  }
]
|
| SessionKey |
- Type
- string
- Properties
- Nillable
- Description
- The user’s unique session ID. Use this value to identify all user events
within a session. When a user logs out and logs in again, a new session is
started. For example, vMASKIU6AxEr+Op5.
|
| SourceIp |
- Type
- string
- Properties
- Nillable
- Description
- The source IP address of the client that logged in. For example, 126.7.4.2.
|
| Summary |
- Type
- textarea
- Properties
- Nillable
- Description
- A text summary of the report anomaly that caused this event to be
created.
- Example
- Report was exported from an infrequent network (BigLeaf Networks Inc.)
- Report was generated with an unusually high number of rows (111141)
|
| UniversalAnomalyEventNumber |
- Type
- string
- Properties
- Autonumber, Defaulted on create, Filter, idLookup, Sort
- Description
- An auto-incremented reference number automatically assigned to each threat
anomaly record upon creation.
|
| UserId |
- Type
- reference
- Properties
- Nillable
- Description
- The origin user’s unique ID. For example,
005B0000001vURv.
- This is a polymorphic relationship field.
- Relationship Name
- User
- Relationship Type
- Lookup
- Refers To
- User
|
| Username |
- Type
- string
- Properties
- Nillable
- Description
- The origin username in the format of user@company.com
at the time the event was created.
|
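The SecurityEventData and Score fields described above can be combined into a one-line triage summary for an analyst queue. The following is an added example, not Salesforce code: the event dictionary is constructed sample data shaped like the JSON on this page, and the function names, the 1% contribution cutoff and the 0.8 score threshold are assumptions chosen for illustration.

```python
import json

# Constructed sample event; field names come from this page, values are illustrative.
SAMPLE_EVENT = {
    "AnomalySubType": "ReportAnomaly",
    "Score": 0.93,
    "SecurityEventData": json.dumps([
        {"featureName": "rowCount", "featureValue": "1937568",
         "featureContribution": "95.00 %"},
        {"featureName": "autonomousSystem", "featureValue": "Bigleaf Networks, Inc.",
         "featureContribution": "1.62 %"},
        {"featureName": "periodOfDay", "featureValue": "Evening",
         "featureContribution": ".09 %"},
    ]),
}

def parse_contribution(text):
    """Turn '95.00 %' or '.09 %' into a float percentage; None if unparseable."""
    try:
        return float(str(text).replace("%", "").strip())
    except ValueError:
        return None

def top_features(event, min_pct=1.0):
    """Return [(name, value, pct)] at or above min_pct, highest contribution first."""
    raw = event.get("SecurityEventData")
    if not raw:                      # the field is Nillable
        return []
    try:
        features = json.loads(raw)
    except json.JSONDecodeError:     # malformed payload: report nothing, don't crash
        return []
    ranked = []
    for item in features if isinstance(features, list) else []:
        if not isinstance(item, dict):
            continue
        pct = parse_contribution(item.get("featureContribution"))
        if pct is not None and pct >= min_pct:
            ranked.append((item.get("featureName"), item.get("featureValue"), pct))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

def triage_line(event, score_threshold=0.8):
    """Summarize an event whose Score meets the (assumed) threshold, else None."""
    score = event.get("Score")
    if score is None or score < score_threshold:
        return None
    drivers = ", ".join(f"{n}={v} ({p:.2f}%)" for n, v, p in top_features(event))
    return f"{event.get('AnomalySubType')} score={score:.2f} drivers: {drivers or 'n/a'}"

if __name__ == "__main__":
    print(triage_line(SAMPLE_EVENT))
```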