SEF Elements
Actor
Actor IP |
Represents the IP address of the system an action was initiated on or from, if applicable. |
Actor Endpoint |
The device, application, or asset through which the actor took the action. |
Original Actor |
The actor who originally initiated the action, as determined by correlating a series of related events rather than from the single event in which the action appears. For instance, if we see a series of three events:
|
Original actor endpoint |
The actor endpoint associated with the original actor. |
Asset
Accessed Asset | A destination asset for which log records indicate activity against it during the specified time period. |
Active Asset | A monitored resource, such as a database, a host server, a compute resource, or an application server. |
Risky Asset |
Underlying components (such as VMs, servers, databases, and software applications) throughout your enterprise that have shown unusual activity. |
Destination
Destination account |
This could represent the secure shell (SSH) account used to log into a network host, or the single sign-on (SSO) account used to access a network resource. It can be different from the actor account on the host the request is made from. Real world scenario: user bkeen is logged into his laptop (laptop_226 / 10.2.0.226) and initiates an SSH login to webServer1 (10.2.43.16) as root. SEF characterization:
ActorEndpointAccountName = bkeen
ActorEndpointName = laptop_226
ActorEndpointNwAddress = 10.2.0.226
DestinationEndpointName = webServer1
DestinationEndpointNwAddress = 10.2.43.16
DestinationEndpointAccountName = root |
Destination effective account |
For instance, if |
Destination endpoint |
The container asset where the destination resource resides. |
Source
Source account |
The account used by the actor at the source endpoint to access the source resource (such as a host, a service, or an application). |
Source endpoint |
The container asset where the source resource resides. For instance, if the source resource is a table in a database, then the source endpoint is associated with the database. |
Source resource | The resource that contributed to the action on the destination resource. For instance, if you copy the file /etc/passwd to /tmp/x, then the destination resource is /tmp/x and the source resource is /etc/passwd. |
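The two scenarios on this page (the SSH login as root from bkeen's laptop under Destination account, and the /etc/passwd to /tmp/x copy under Source resource) map naturally to a small normalizer. The following is an added example, not part of the SEF documentation or any product's code: it parses an OpenSSH "Accepted" log line plus a constructed endpoint inventory into the Actor*/Destination* fields the page lists, flags the case the page calls out where the destination account differs from the actor's own account, and maps a cp command to source and destination resource fields. The resource field names (SourceResourceName, DestinationResourceName, SourceAccountName, DestinationAccountName) follow the page's naming pattern but are assumptions, as are the function names, the inventory lookup and all sample events.

```python
import re
import shlex

# OpenSSH's default "Accepted" message. The originating host name and the
# account logged in there are not in the log line, so they are resolved
# from an endpoint inventory (constructed data below, an assumption).
SSHD_ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed inventory: client IP -> (endpoint name, interactive account).
INVENTORY = {
    "10.2.0.226": ("laptop_226", "bkeen"),
}


def sef_from_sshd(line, dest_name, dest_ip):
    """Map an sshd 'Accepted' line to SEF actor/destination fields.

    dest_name/dest_ip describe the host that emitted the line (the SSH
    server); the actor side is resolved from the client IP in the line.
    """
    m = SSHD_ACCEPTED.search(line)
    if m is None:
        raise ValueError("not an sshd Accepted line: %r" % line)
    actor_name, actor_account = INVENTORY.get(m["ip"], (m["ip"], None))
    return {
        "ActorEndpointAccountName": actor_account,
        "ActorEndpointName": actor_name,
        "ActorEndpointNwAddress": m["ip"],
        "DestinationEndpointName": dest_name,
        "DestinationEndpointNwAddress": dest_ip,
        "DestinationEndpointAccountName": m["user"],
    }


def account_changed(rec):
    """True when the account used at the destination differs from the
    account the actor was using on the originating endpoint, e.g. bkeen
    logging in as root. An unknown actor (None) also counts as changed."""
    return rec["ActorEndpointAccountName"] != rec["DestinationEndpointAccountName"]


def sef_from_copy(host, account, command):
    """Map a `cp [flags] SRC... DST` command run on `host` as `account`
    to source/destination resource fields, one record per source path.
    Field names are assumed (not defined on the page)."""
    argv = shlex.split(command)
    if not argv or argv[0] != "cp":
        raise ValueError("not a cp command: %r" % command)
    paths = [a for a in argv[1:] if not a.startswith("-")]
    if len(paths) < 2:
        raise ValueError("cp needs at least a source and a destination")
    *sources, dest = paths
    return [
        {
            "SourceEndpointName": host,
            "SourceAccountName": account,
            "SourceResourceName": src,
            "DestinationEndpointName": host,
            "DestinationAccountName": account,
            "DestinationResourceName": dest,
        }
        for src in sources
    ]


if __name__ == "__main__":
    # Constructed sample events matching the glossary's two scenarios.
    ssh_line = ("Jan 10 12:00:01 webServer1 sshd[1234]: Accepted publickey "
                "for root from 10.2.0.226 port 51234 ssh2")
    rec = sef_from_sshd(ssh_line, "webServer1", "10.2.43.16")
    for key, value in rec.items():
        print("%s = %s" % (key, value))
    print("account changed at destination:", account_changed(rec))
    for r in sef_from_copy("webServer1", "root", "cp -p /etc/passwd /tmp/x"):
        print(r["SourceResourceName"], "->", r["DestinationResourceName"])
```

Running the block prints exactly the six field assignments given in the Destination account scenario and reports the root login as an account change; the cp mapping keeps source and destination endpoint identical because both resources live on the same host, which is the case the Source resource entry describes.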
User
User | An identity (a person or a service account) that initiates activity on monitored assets; the actor and destination account fields identify the user involved in an event. |
Active User |
Active users are those users with log records indicating the activity they initiated during a specified time period. |
Risky User |
Users that have shown unusual activity compared to their typical activity and behavioral patterns. |