Field | Type | Description |
---|---|---|
time | Integer | Number of milliseconds after the Unix epoch that the event occurred. |
severity_id | Integer | Severity of the audited event. |
type_uid | Integer | Combination of the audited event's class, activity, and category. See OCSF Type Mapping. |
metadata | Document | Metadata about the event such as product and schema version. |
actor | Document | Information about the user who performed the action. |
Note: Log messages may contain additional fields depending on the event that was logged.
OCSF Category Mapping
This table describes the category_uid values:

category_uid | Category |
---|---|
1 | System Activity |
2 | Findings |
3 | IAM |
4 | Network Activity |
5 | Discovery |
6 | Application Activity |
OCSF Class Mapping
For a complete list of OCSF class_uids and how they map to different classes, see the OCSF Documentation.
OCSF Type Mapping
The type_uid field combines the audited event's class, activity, and category into a single integer that identifies the type of activity that occurred.
Specifically, type_uid is (class_uid * 100) + activity_id, with category_uid being the thousands place of class_uid. For example, the authenticate event shown under Examples has class_uid 3002 and activity_id 1, so its type_uid is 300201 and its category_uid is 3 (IAM).
This table describes how audited actions map to type_uid (the Action Type and type_uid cells were not recoverable from this copy of the page and are left blank):

| Action Type | type_uid | Category | Class | Activity |
|---|---|---|---|---|
| | | Configuration | Device Config State | Log |
| | | System | Process Activity | Other |
| | | Discovery | Device Config State | |
| | | Application | API Activity | |
| | | IAM | Authentication | Logon |
| | | Network | Network Activity | Open |
| | | IAM | Entity Management | Create |
| | | IAM | Entity Management | Create |
| | | IAM | Entity Management | Create |
| | | IAM | Account Change | Create |
| | | IAM | Account Change | Create |
| | | IAM | Account Change | Unknown |
| | | IAM | Account Change | Delete |
| | | IAM | Account Change | Delete |
| | | IAM | Entity Management | Delete |
| | | IAM | Entity Management | Delete |
| | | IAM | Entity Management | Delete |
| | | IAM | Account Change | Attach Policy |
| | | IAM | Account Change | Delete |
| | | IAM | Account Change | Delete |
| | | Configuration | Device Config State | Log |
| | | Application | API Activity | Read |
| | | IAM | Account Change | Attach Policy |
| | | IAM | Account Change | Attach Policy |
| | | IAM | Entity Management | Create |
| | | IAM | Authentication | Logoff |
| | | Configuration | Device Config State | Log |
| | | Configuration | Device Config State | Log |
| | | IAM | Entity Management | Update |
| | | Configuration | Device Config State | Log |
| | | IAM | Account Change | Detach Policy |
| | | IAM | Account Change | Detach Policy |
| | | IAM | Account Change | Detach Policy |
| | | System | Process | Other |
| | | Configuration | Device Config State | Log |
| | | Configuration | Device Config State | Log |
| | | System | Process | Terminate |
| | | System | Process | Launch |
| | | Configuration | Device Config State | Log |
| | | IAM | Account Change | Other |
| | | IAM | Account Change | Other |
Examples
The following examples show OCSF schema log messages for different action types.
Authenticate Action

```json
{
  "activity_id": 1,
  "category_uid": 3,
  "class_uid": 3002,
  "time": 1710715316123,
  "severity_id": 1,
  "type_uid": 300201,
  "metadata": {
    "correlation_uid": "20ec4769-984d-445c-aea7-da0429da9122",
    "product": "MongoDB Server",
    "version": "1.0.0"
  },
  "actor": {
    "user": {
      "type_id": 1,
      "name": "admin.admin",
      "groups": [ { "name": "admin.root" } ]
    }
  },
  "src_endpoint": { "ip": "127.0.0.1", "port": 56692 },
  "dst_endpoint": { "ip": "127.0.0.1", "port": 20040 },
  "user": { "type_id": 1, "name": "admin.admin" },
  "auth_protocol": "SCRAM-SHA-256",
  "unmapped": { "atype": "authenticate" }
}
```

AuthCheck Action

```json
{
  "activity_id": 0,
  "category_uid": 6,
  "class_uid": 6003,
  "time": 1710715315002,
  "severity_id": 1,
  "type_uid": 600300,
  "metadata": {
    "correlation_uid": "af4510fb-0a9f-49aa-b988-06259a7a861d",
    "product": "MongoDB Server",
    "version": "1.0.0"
  },
  "actor": {},
  "src_endpoint": { "ip": "127.0.0.1", "port": 45836 },
  "dst_endpoint": { "ip": "127.0.0.1", "port": 20040 },
  "api": {
    "operation": "getParameter",
    "request": { "uid": "admin" },
    "response": { "code": 13, "error": "Unauthorized" }
  }
}
```
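As an added example (not code from the MongoDB documentation), the following Python applies the type_uid formula from the OCSF Type Mapping section to the two example records above plus one constructed inconsistent record; a log pipeline can run this check to flag events whose type_uid, class_uid, activity_id and category_uid disagree before they reach detection rules. The sample lines are constructed here and trimmed to the fields the check needs.

```python
import json

# Constructed sample lines, trimmed from the two OCSF example messages above
# (an authenticate event and an authCheck event), plus one deliberately
# inconsistent record whose type_uid does not match its class_uid/activity_id.
SAMPLE_LOG_LINES = [
    '{"activity_id": 1, "category_uid": 3, "class_uid": 3002, "time": 1710715316123, '
    '"severity_id": 1, "type_uid": 300201, "auth_protocol": "SCRAM-SHA-256", '
    '"unmapped": {"atype": "authenticate"}}',
    '{"activity_id": 0, "category_uid": 6, "class_uid": 6003, "time": 1710715315002, '
    '"severity_id": 1, "type_uid": 600300, "api": {"operation": "getParameter", '
    '"response": {"code": 13, "error": "Unauthorized"}}}',
    '{"activity_id": 1, "category_uid": 6, "class_uid": 6003, "time": 1710715320000, '
    '"severity_id": 1, "type_uid": 300101}',
]


def compute_type_uid(class_uid, activity_id):
    """type_uid = (class_uid * 100) + activity_id, as the page defines it."""
    return class_uid * 100 + activity_id


def split_type_uid(type_uid):
    """Reverse the formula: return (category_uid, class_uid, activity_id).

    category_uid is the thousands place of class_uid (e.g. 3002 -> 3).
    """
    class_uid, activity_id = divmod(type_uid, 100)
    return class_uid // 1000, class_uid, activity_id


def check_record(record):
    """Return the consistency problems found in one OCSF record ([] if none)."""
    problems = []
    expected = compute_type_uid(record["class_uid"], record["activity_id"])
    if record["type_uid"] != expected:
        problems.append(f"type_uid {record['type_uid']} does not match "
                        f"class_uid/activity_id (expected {expected})")
    if record["category_uid"] != record["class_uid"] // 1000:
        problems.append(f"category_uid {record['category_uid']} is not the "
                        f"thousands place of class_uid {record['class_uid']}")
    return problems


def check_log_lines(lines):
    """Parse each JSON log line; map its index to the problems found in it."""
    return {i: check_record(json.loads(line)) for i, line in enumerate(lines)}
```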