{ "attributes": { "dataSource.vendor": "Ping Identity", "dataSource.name": "PingOne MFA", "dataSource.category": "security", "metadata.product.vendor_name": "Ping Identity", "metadata.product.name": "PingOne MFA", "metadata.version": "1.0.0" }, "formats": [ { "format": "$unmapped.{parse=json}$", "rewrites": [ { "input": "unmapped.timestamp", "output": "timestamp", "match": ".*", "replace": "$0" }, { "input": "unmapped.recordedAt", "output": "recorded_at", "match": ".*", "replace": "$0" }, { "input": "unmapped.user", "output": "user.email_addr", "match": ".*", "replace": "$0" }, { "input": "unmapped.source\\.ip", "output": "src_endpoint.ip", "match": ".*", "replace": "$0" }, { "input": "unmapped.action\\.type", "output": "activity_name", "match": ".*", "replace": "$0" }, { "input": "unmapped.factor", "output": "mfa_factors", "match": ".*", "replace": "$0" }, { "input": "unmapped.result\\.status", "output": "status_detail", "match": ".*", "replace": "$0" }, { "input": "unmapped.description", "output": "message", "match": ".*", "replace": "$0" }, { "input": "unmapped.sessionId", "output": "session.uid", "match": ".*", "replace": "$0" }, { "input": "unmapped.dataSource", "output": "metadata.product.name", "match": ".*", "replace": "$0" }, { "input": "unmapped.dataSource\\.vendor", "output": "metadata.product.vendor_name", "match": ".*", "replace": "$0" }, { "input": "unmapped.dataSource\\.name", "output": "metadata.product.name", "match": ".*", "replace": "$0" }, { "input": "unmapped.dataSource\\.category", "output": "metadata.product.category", "match": ".*", "replace": "$0" } ] } ], "mappings": { "version": 1, "mappings": [ { "predicate": "activity_name = *", "transformations": [ { "constant": { "value": 3002, "field": "class_uid" } }, { "constant": { "value": "Authentication", "field": "class_name" } }, { "constant": { "value": 3, "field": "category_uid" } }, { "constant": { "value": "Identity & Access Management", "field": "category_name" } }, { "constant": { "value": 1, "field": "activity_id", "predicate": "activity_name = 'MFA.AUTHENTICATE'" } }, { "constant": { "value": "Logon", "field": "activity_name", "predicate": "activity_name = 'MFA.AUTHENTICATE'" } }, { "constant": { "value": 99, "field": "activity_id", "predicate": "activity_name = 'MFA.ENROLL'" } }, { "constant": { "value": "Other", "field": "activity_name", "predicate": "activity_name = 'MFA.ENROLL'" } }, { "constant": { "value": 1, "field": "status_id", "predicate": "status_detail = 'SUCCESS'" } }, { "constant": { "value": "Success", "field": "status", "predicate": "status_detail = 'SUCCESS'" } }, { "constant": { "value": 2, "field": "status_id", "predicate": "status_detail = 'FAILURE'" } }, { "constant": { "value": "Failure", "field": "status", "predicate": "status_detail = 'FAILURE'" } }, { "constant": { "value": 1, "field": "severity_id" } }, { "constant": { "value": "Informational", "field": "severity" } }, { "constant": { "value": 300201, "field": "type_uid" } }, { "copy": { "from": "user.email_addr", "to": "user.email_addr" } }, { "copy": { "from": "user.email_addr", "to": "user.name" } }, { "copy": { "from": "src_endpoint.ip", "to": "src_endpoint.ip" } }, { "copy": { "from": "mfa_factors", "to": "mfa_factors" } }, { "copy": { "from": "session.uid", "to": "session.uid" } }, { "copy": { "from": "status_detail", "to": "status_detail" } }, { "copy": { "from": "recorded_at", "to": "recorded_at" } }, { "copy": { "from": "message", "to": "message" } }, { "copy": { "from": "metadata.product.name", "to": "metadata.product.name" } }, { "copy": { "from": "metadata.product.vendor_name", "to": "metadata.product.vendor_name" } }, { "copy": { "from": "metadata.product.category", "to": "metadata.product.category" } } ] } ] }, "observables": { "fields": [ { "name": "user.email_addr", "type": "User" }, { "name": "user.name", "type": "User" }, { "name": "src_endpoint.ip", "type": "IP Address" }, { "name": "session.uid", "type": "Other" } ] } }