SEF Elements

Actor

Actor IP

Represents the IP address of the system an action was initiated on or from, if applicable.

Actor Endpoint

The device, application, or asset through which the actor took the action.

Original Actor

The original actor who performed the action that was determined by looking at a series of events. For instance, if we see a series of three events:

JSMITH_us (owned by John Smith) logged in to machine abc123 (with IP of 10.228.241.156).
5 minutes after the first login, FJOHNSON_us logged in to machine xyz123 (IP 10.248.30.150) from 10.228.241.156.
5 minutes from the second login, PANDERSON logged in to machine idc123 (with IP 10.268.251.154) from IP 10.248.30.150.

The original actor may be deemed by the event enrichment service to be John Smith for all three logins, although different accounts (belonging to different persons) were used in each login action.

Original actor endpoint

The actor endpoint associated with the original actor.

Asset

Accessed Asset

A destination asset provides log records indicating its activity information during the specified time period.

Active Asset

A monitored resource, such as a database, a host server, a compute resource, or an application server.

Risky Asset

Underlying components (such as VMs, servers, databases, and software applications) throughout your enterprise that have shown unusual activity.

Destination

Destination account

Example

This could represent the secure shell (SSH) account used to log into a network host, or the single sign-on (SSO) account used to access a network resource. These can be different than the actor account on the host the request is made from.

Real world scenario:

User bkeen is logged into his laptop (laptop_226 / 10.2.0.226), and initiates an SSH login to webServer1 (10.2.43.16) as root.

SEF characterization:

ActorEndpointAccountName = bkeen 
ActorEndpointName = laptop_226 
ActorEndpointNwAddress = 10.2.0.226 
DestinationEndpointName = webServer1 
DestinationEndpointNwAddress = 10.2.43.16 
DestinationEndpointAccountName = root

Destination effective account

For instance, if JSMITH_it invokes a definer's rights procedure defined by FJOHNSON on a database to create a table, then the destination account is JSMITH_it, whereas the destination effective account is FJOHNSON.

Destination endpoint

The container asset where the destination resource resides.

sefDestination Fields sefDestination | Field Properties

Source

Source account

The account used by the actor at the source endpoint to access the source resource (such as a host, a service, or an application).

Source endpoint

The container asset where the source resource resides. For instance, if the source resource is a table in a database, then the source endpoint is associated with the database.

Source resource The resource that contributed to the action of the destination resource. For instance, if you copy a file /etc/passwd to /tmp/x, then the destination resource is /tmp/x, and the source resource is /etc/passwd.

User

User

Underlying components (such as VMs, servers, databases, and software applications) throughout your enterprise that have shown unusual activity.

Active User

Active users are those users with log records indicating the activity they initiated during a specified time period

Risky User

Users that have shown unusual activity compared to their typical activity and behavioral patterns.