Event types we support
Learn how to create, tune, and manage custom detection rules in Xpernix to reduce false positives and surface the alerts that matter to your environment.
Overview
Xpernix ships with hundreds of pre-built detection rules mapped to MITRE ATT&CK. But every environment is different — a rule that fires on every failed login makes sense for some organizations and creates noise for others. This guide explains how to create and tune rules for your specific context.
Okta System Logs
The System Log contains details of all logged events for an organization, including user authentication, password resets, rate-limit errors, user lifecycle information, and any other activity that takes place within the Okta organization.
The System Log should be the first stop for troubleshooting any Okta issue or learning more about an environment.
[
{
"actor": {
"id": "00uttidj01jqL21aM1d6",
"type": "User",
"alternateId": "[email protected]",
"displayName": "John Doe",
"detailEntry": null
},
"client": {
"userAgent": {
"os": "Mac OS X",
"browser": "CHROME"
},
"zone": null,
"device": "Computer",
"id": null,
"ipAddress": "10.0.0.1",
"geographicalContext": {
"city": "New York",
"state": "New York",
"country": "United States",
"postalCode": 10013,
"geolocation": {
"lat": 40.3157,
"lon": -74.01
}
}
},
"device": {
"id": "guofdhyjex1feOgbN1d9",
"name": "Mac15,6",
"os_platform": "OSX",
"os_version": "14.6.0",
"managed": false,
"registered": true,
"device_integrator": null,
"disk_encryption_type": "ALL_INTERNAL_VOLUMES",
"screen_lock_type": "BIOMETRIC",
"jailbreak": null,
"secure_hardware_present": true
},
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"rootSessionId": "idxBager62CSveUkTxvgRtonA",
"externalSessionId": "idxBager62CSveUkTxvgRtonA"
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"outcome": {
"result": "SUCCESS",
"reason": null
},
"published": "2024-08-13T15:58:20.353Z",
"securityContext": {
"asNumber": 394089,
"asOrg": "ASN 0000",
"isp": "google",
"domain": null,
"isProxy": false
},
"severity": "INFO",
"debugContext": {
"debugData": {
"requestId": "ab609228fe84ce59cdcbfa690bcce016",
"requestUri": "/idp/idx/authenticators/poll",
"url": "/idp/idx/authenticators/poll"
}
},
"legacyEventType": "core.user_auth.login_success",
"transaction": {
"type": "WEB",
"id": "ab609228fe84ce59cdcbfa690bgce016",
"detail": null
},
"uuid": "dc9fd3c0-598c-11ef-8478-2b7584bf8d5a",
"version": 0,
"request": {
"ipChain": [
{
"ip": "10.0.0.1",
"geographicalContext": {
"city": "New York",
"state": "New York",
"country": "United States",
"postalCode": 10013,
"geolocation": {
"lat": 40.3157,
"lon": -74.01
}
},
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": "pfdfdhyjf0HMbkP2e1d7",
"type": "AuthenticatorEnrollment",
"alternateId": "unknown",
"displayName": "Okta Verify",
"detailEntry": null
},
{
"id": "0oatxlef9sQvvqInq5d6",
"type": "AppInstance",
"alternateId": "Okta Admin Console",
"displayName": "Okta Admin Console",
"detailEntry": null
}
]
}
]
AWS CloudTrail Logs
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE6E4XEGITWATV6R",
"arn": "arn:aws:iam::123456789012:user/Mateo",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mateo",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:17:28Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLE56126103cb"
},
{
"instanceId": "i-EXAMPLEaff4840c22"
}
]
}
},
"responseElements": {
"requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLEaff4840c22",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
},
{
"instanceId": "i-EXAMPLE56126103cb",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}
]
}
},
"requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
"eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
AWS S3 Access Logs
Windows Event Logs
Kubernetes Audit Logs
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"requestURI": "/api/v1/namespaces/default/pods",
"verb": "list",
"user": {"username": "kubernetes-admin"},
"objectRef": {"resource": "pods", "namespace": "default"},
"responseStatus": {"code": 200}
}
Getting Help
Your Xpernix detection engineer reviews all custom rules on request. Open a ticket in your portal or ask in your dedicated Slack channel.