Silverfort Universal MFA
Overview
Silverfort Universal MFA is an identity security solution that provides Multi-Factor Authentication (MFA) for Windows Logon, RDP, VPN access, and other resources across on-premises environments, without requiring changes to applications or infrastructure.
- Vendor: Silverfort
- Supported environment: On Premise
- Detection based on: Telemetry
- Supported application or feature: Authentication Logs, DailyAuthStatistics
Specification
Prerequisites
- Resource:
- Self-managed syslog forwarder
- Network:
- Outbound traffic allowed
- Permissions:
- Admin access to Silverfort Universal MFA Console
- Root access to the Linux server with the syslog forwarder
Transport Protocol/Method
- Indirect Syslog
Logs details
- Supported functionalities: See section Overview
- Supported type(s) of structure: CEF (Common Event Format)
- Supported verbosity level: Informational
Note
Log levels are based on the taxonomy of RFC5424. Adapt according to the terminology used by the editor.
Step-by-Step Configuration Procedure
Instructions on the 3rd Party Solution
This setup guide will show you how to forward your Silverfort Universal MFA logs to Sekoia.io by means of a syslog transport channel.
Configure Syslog Forwarding
-
Log into the Silverfort Universal MFA console and navigate to:
SYSTEM SETTINGS > Notifications > Syslog -
Add a new Syslog Server and configure the following fields:
- Server Name: Enter a descriptive name for the syslog destination.
- Host: Enter the IP address or hostname of your syslog forwarder.
- Protocol: Select
TCP(recommended).
-
Save the configuration.
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the
+ New Intakebutton at the top right of the page. - Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on
Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Configure a forwarder
To forward events using syslog to Sekoia.io, you need to update the syslog header with the intake key you previously created. Here is an example of your message before the forwarder
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE
To achieve this you can:
- Use the Sekoia.io forwarder which is the official supported way to collect data using the syslog protocol in Sekoia.io. In charge of centralizing data coming from many equipments/sources and forwarding them to Sekoia.io with the apporpriated format, it is a prepackaged option. You only have to provide your intake key as parameter.
- Use your own Syslog service instance. Maybe you already have an intance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component in order to respect the expected Sekoia.io format.
Warning
Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name="server01" rt="2026-02-23T13:50:02+00:00" suser="jane.smith@example.com" sntdom="example.com" shost="hostname" src="192.0.2.10" destinationServiceName="krbtgt" dhost="nt authority" dntdom="example.com" app="Kerberos" cs1Label=SilverfortReqRisk cs1="Medium" cs2Label=SilverfortReqResult cs2="Denied (Bad server 0x7)" cs3Label=SilverfortPolicyAction cs3="n/a" cs4Label=SilverfortPolicyId cs4="-1" cs5Label=SilverfortMfaResponse cs5="n/a" cs6Label=SilverfortMfaResponseTime cs6="n/a" cs7Label=SilverfortReqRiskIndicators cs7="User_is_at_high_risk,Password-based,Print_Nightmare_Fix_Artifact,Shared_account," cs8Label=SilverfortPolicyName cs8="n/a" cs9Label=Country cs9="n/a" cs10Label=City cs10="n/a" cs11Label=Coordinates cs11="n/a" cs12Label=RequestID cs12="1269a6d6-599a-4baa-9f7b-d95edabf7b5d" syslog_id=6010
CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name="server01" rt="2026-02-23T13:49:23+00:00" suser="UserName$" sntdom="example.com" shost="hostname" src="192.0.2.11" destinationServiceName="krbtgt" dhost="example.com" dntdom="example.com" app="Kerberos" cs1Label=SilverfortReqRisk cs1="Low" cs2Label=SilverfortReqResult cs2="Allowed" cs3Label=SilverfortPolicyAction cs3="n/a" cs4Label=SilverfortPolicyId cs4="-1" cs5Label=SilverfortMfaResponse cs5="n/a" cs6Label=SilverfortMfaResponseTime cs6="n/a" cs7Label=SilverfortReqRiskIndicators cs7="Password-based,New_host_for_user," cs8Label=SilverfortPolicyName cs8="n/a" cs9Label=Country cs9="n/a" cs10Label=City cs10="n/a" cs11Label=Coordinates cs11="n/a" cs12Label=RequestID cs12="09c62bfc-5f31-453a-b631-e56d107d982a" syslog_id=6010
CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name="server01" rt="2026-02-23T13:50:34+00:00" suser="john.doe@example.com" sntdom="example.com" shost="hostname" src="undefined" destinationServiceName="" dhost="machine02" dntdom="example.com" app="NTLM" cs1Label=SilverfortReqRisk cs1="Low" cs2Label=SilverfortReqResult cs2="Allowed" cs3Label=SilverfortPolicyAction cs3="n/a" cs4Label=SilverfortPolicyId cs4="-1" cs5Label=SilverfortMfaResponse cs5="n/a" cs6Label=SilverfortMfaResponseTime cs6="n/a" cs7Label=SilverfortReqRiskIndicators cs7="n/a" cs8Label=SilverfortPolicyName cs8="n/a" cs9Label=Country cs9="n/a" cs10Label=City cs10="n/a" cs11Label=Coordinates cs11="n/a" cs12Label=RequestID cs12="792d53ba-5d52-4e67-9f04-5ab28311c432" syslog_id=6010
0|Silverfort|Admin Console|5.3.5.0-RC| dataType=DailyAuthStatistic timestamp="2026-02-25T14:00:00+00:00" server_name="server01" authentications="1234"
CEF:0|Silverfort|Admin Console|5.3.5.0-RC|MFA|MFA request|2|rt="2026-02-16T13:44:43+00:00" server_name="server01" suser="johndoe@example.org" sntdom="example.org" shost="hostname" src="192.0.2.12" destinationServiceName="service" dhost="example.org" dntdom="example.org" app="Kerberos" cs1Label=SilverfortReqRisk cs1="Medium" cs2Label=SilverfortReqResult cs2="Allowed" cs3Label=SilverfortPolicyAction cs3="MFA" cs4Label=SilverfortPolicyId cs4="4" cs5Label=SilverfortMfaResponse cs5="Approved" cs6Label=SilverfortMfaResponseTime cs6="8s" cs7Label=SilverfortReqRiskIndicators cs7="Password-based,Host_with_privilege_escalation_path,Domain_admin,Suspected_service_account," cs8Label=SilverfortPolicyName cs8="policy" cs9Label=Country cs9="n/a" cs10Label=City cs10="n/a" cs11Label=Coordinates cs11="n/a" cs12Label=RequestID cs12="f31df161-137d-4f0b-9661-9751034f73c2" syslog_id=1234
CEF:0|Silverfort|Admin Console|5.3.5.0-RC|MFA|MFA request|2|rt="2026-02-23T13:48:56+00:00" server_name="server01" suser="bob.martin@example.com" sntdom="example.com" shost="hostname" src="undefined" destinationServiceName="" dhost="machine06" dntdom="example.com" app="NTLM" cs1Label=SilverfortReqRisk cs1="Medium" cs2Label=SilverfortReqResult cs2="Allowed" cs3Label=SilverfortPolicyAction cs3="MFA" cs4Label=SilverfortPolicyId cs4="2" cs5Label=SilverfortMfaResponse cs5="Unpaired" cs6Label=SilverfortMfaResponseTime cs6="5000" cs7Label=SilverfortReqRiskIndicators cs7="Host_with_privilege_escalation_path,Suspected_service_account,,User_with_old_password" cs8Label=SilverfortPolicyName cs8="MFA_Allow_RDP_Access" cs9Label=Country cs9="n/a" cs10Label=City cs10="n/a" cs11Label=Coordinates cs11="n/a" cs12Label=RequestID cs12="f31df161-137d-4f0b-9661-9751034f73c2" syslog_id=6030
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Authentication logs |
Provides authentication request logs for Windows Logon, RDP and VPN |
Third-party application logs |
Provides MFA request and response events |
Application logs |
Daily authentication counts per Silverfort server |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | event, metric |
| Category | authentication |
| Type | allowed, denied, info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name=\"server01\" rt=\"2026-02-23T13:50:02+00:00\" suser=\"jane.smith@example.com\" sntdom=\"example.com\" shost=\"hostname\" src=\"192.0.2.10\" destinationServiceName=\"krbtgt\" dhost=\"nt authority\" dntdom=\"example.com\" app=\"Kerberos\" cs1Label=SilverfortReqRisk cs1=\"Medium\" cs2Label=SilverfortReqResult cs2=\"Denied (Bad server 0x7)\" cs3Label=SilverfortPolicyAction cs3=\"n/a\" cs4Label=SilverfortPolicyId cs4=\"-1\" cs5Label=SilverfortMfaResponse cs5=\"n/a\" cs6Label=SilverfortMfaResponseTime cs6=\"n/a\" cs7Label=SilverfortReqRiskIndicators cs7=\"User_is_at_high_risk,Password-based,Print_Nightmare_Fix_Artifact,Shared_account,\" cs8Label=SilverfortPolicyName cs8=\"n/a\" cs9Label=Country cs9=\"n/a\" cs10Label=City cs10=\"n/a\" cs11Label=Coordinates cs11=\"n/a\" cs12Label=RequestID cs12=\"1269a6d6-599a-4baa-9f7b-d95edabf7b5d\" syslog_id=6010",
"event": {
"action": "Authentication",
"category": [
"authentication"
],
"kind": "event",
"outcome": "failure",
"reason": "Authentication request",
"severity": 2,
"type": [
"denied"
]
},
"@timestamp": "2026-02-23T13:50:02Z",
"destination": {
"address": "nt authority.example.com",
"domain": "example.com"
},
"host": {
"domain": "example.com",
"name": "hostname"
},
"network": {
"protocol": "kerberos"
},
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort",
"version": "5.3.5.0-RC"
},
"related": {
"hosts": [
"example.com",
"server01"
],
"ip": [
"192.0.2.10"
],
"user": [
"jane.smith@example.com"
]
},
"service": {
"name": "krbtgt"
},
"silverfort": {
"destination_host": "nt authority",
"policy_id": "-1",
"request_id": "1269a6d6-599a-4baa-9f7b-d95edabf7b5d",
"result": "Denied (Bad server 0x7)",
"risk": "Medium",
"risk_indicators": "User_is_at_high_risk,Password-based,Print_Nightmare_Fix_Artifact,Shared_account,",
"source_host": "hostname",
"syslog_id": "6010"
},
"source": {
"address": "example.com",
"domain": "example.com",
"ip": "192.0.2.10",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"user": {
"domain": "example.com",
"email": "jane.smith@example.com",
"name": "jane.smith@example.com"
}
}
{
"message": "CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name=\"server01\" rt=\"2026-02-23T13:49:23+00:00\" suser=\"UserName$\" sntdom=\"example.com\" shost=\"hostname\" src=\"192.0.2.11\" destinationServiceName=\"krbtgt\" dhost=\"example.com\" dntdom=\"example.com\" app=\"Kerberos\" cs1Label=SilverfortReqRisk cs1=\"Low\" cs2Label=SilverfortReqResult cs2=\"Allowed\" cs3Label=SilverfortPolicyAction cs3=\"n/a\" cs4Label=SilverfortPolicyId cs4=\"-1\" cs5Label=SilverfortMfaResponse cs5=\"n/a\" cs6Label=SilverfortMfaResponseTime cs6=\"n/a\" cs7Label=SilverfortReqRiskIndicators cs7=\"Password-based,New_host_for_user,\" cs8Label=SilverfortPolicyName cs8=\"n/a\" cs9Label=Country cs9=\"n/a\" cs10Label=City cs10=\"n/a\" cs11Label=Coordinates cs11=\"n/a\" cs12Label=RequestID cs12=\"09c62bfc-5f31-453a-b631-e56d107d982a\" syslog_id=6010",
"event": {
"action": "Authentication",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"reason": "Authentication request",
"severity": 2,
"type": [
"allowed"
]
},
"@timestamp": "2026-02-23T13:49:23Z",
"destination": {
"address": "example.com.example.com",
"domain": "example.com"
},
"host": {
"domain": "example.com",
"name": "hostname"
},
"network": {
"protocol": "kerberos"
},
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort",
"version": "5.3.5.0-RC"
},
"related": {
"hosts": [
"example.com",
"server01"
],
"ip": [
"192.0.2.11"
],
"user": [
"UserName$"
]
},
"service": {
"name": "krbtgt"
},
"silverfort": {
"destination_host": "example.com",
"policy_id": "-1",
"request_id": "09c62bfc-5f31-453a-b631-e56d107d982a",
"result": "Allowed",
"risk": "Low",
"risk_indicators": "Password-based,New_host_for_user,",
"source_host": "hostname",
"syslog_id": "6010"
},
"source": {
"address": "example.com",
"domain": "example.com",
"ip": "192.0.2.11",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"user": {
"domain": "example.com",
"name": "UserName$"
}
}
{
"message": "CEF:0|Silverfort|Admin Console|5.3.5.0-RC|Authentication|Authentication request|2|server_name=\"server01\" rt=\"2026-02-23T13:50:34+00:00\" suser=\"john.doe@example.com\" sntdom=\"example.com\" shost=\"hostname\" src=\"undefined\" destinationServiceName=\"\" dhost=\"machine02\" dntdom=\"example.com\" app=\"NTLM\" cs1Label=SilverfortReqRisk cs1=\"Low\" cs2Label=SilverfortReqResult cs2=\"Allowed\" cs3Label=SilverfortPolicyAction cs3=\"n/a\" cs4Label=SilverfortPolicyId cs4=\"-1\" cs5Label=SilverfortMfaResponse cs5=\"n/a\" cs6Label=SilverfortMfaResponseTime cs6=\"n/a\" cs7Label=SilverfortReqRiskIndicators cs7=\"n/a\" cs8Label=SilverfortPolicyName cs8=\"n/a\" cs9Label=Country cs9=\"n/a\" cs10Label=City cs10=\"n/a\" cs11Label=Coordinates cs11=\"n/a\" cs12Label=RequestID cs12=\"792d53ba-5d52-4e67-9f04-5ab28311c432\" syslog_id=6010",
"event": {
"action": "Authentication",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"reason": "Authentication request",
"severity": 2,
"type": [
"allowed"
]
},
"@timestamp": "2026-02-23T13:50:34Z",
"destination": {
"address": "machine02.example.com",
"domain": "example.com"
},
"host": {
"domain": "example.com",
"name": "hostname"
},
"network": {
"protocol": "ntlm"
},
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort",
"version": "5.3.5.0-RC"
},
"related": {
"hosts": [
"example.com",
"server01"
],
"user": [
"john.doe@example.com"
]
},
"silverfort": {
"destination_host": "machine02",
"policy_id": "-1",
"request_id": "792d53ba-5d52-4e67-9f04-5ab28311c432",
"result": "Allowed",
"risk": "Low",
"source_host": "hostname",
"syslog_id": "6010"
},
"user": {
"domain": "example.com",
"email": "john.doe@example.com",
"name": "john.doe@example.com"
}
}
{
"message": "0|Silverfort|Admin Console|5.3.5.0-RC| dataType=DailyAuthStatistic timestamp=\"2026-02-25T14:00:00+00:00\" server_name=\"server01\" authentications=\"1234\"",
"event": {
"category": [
"authentication"
],
"kind": "metric",
"type": [
"info"
]
},
"@timestamp": "2026-02-25T14:00:00Z",
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort"
},
"related": {
"hosts": [
"server01"
]
},
"silverfort": {
"authentications": 1234,
"data_type": "DailyAuthStatistic"
}
}
{
"message": "CEF:0|Silverfort|Admin Console|5.3.5.0-RC|MFA|MFA request|2|rt=\"2026-02-16T13:44:43+00:00\" server_name=\"server01\" suser=\"johndoe@example.org\" sntdom=\"example.org\" shost=\"hostname\" src=\"192.0.2.12\" destinationServiceName=\"service\" dhost=\"example.org\" dntdom=\"example.org\" app=\"Kerberos\" cs1Label=SilverfortReqRisk cs1=\"Medium\" cs2Label=SilverfortReqResult cs2=\"Allowed\" cs3Label=SilverfortPolicyAction cs3=\"MFA\" cs4Label=SilverfortPolicyId cs4=\"4\" cs5Label=SilverfortMfaResponse cs5=\"Approved\" cs6Label=SilverfortMfaResponseTime cs6=\"8s\" cs7Label=SilverfortReqRiskIndicators cs7=\"Password-based,Host_with_privilege_escalation_path,Domain_admin,Suspected_service_account,\" cs8Label=SilverfortPolicyName cs8=\"policy\" cs9Label=Country cs9=\"n/a\" cs10Label=City cs10=\"n/a\" cs11Label=Coordinates cs11=\"n/a\" cs12Label=RequestID cs12=\"f31df161-137d-4f0b-9661-9751034f73c2\" syslog_id=1234",
"event": {
"action": "MFA",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"reason": "MFA request",
"severity": 2,
"type": [
"allowed"
]
},
"@timestamp": "2026-02-16T13:44:43Z",
"destination": {
"address": "example.org.example.org",
"domain": "example.org"
},
"host": {
"domain": "example.org",
"name": "hostname"
},
"network": {
"protocol": "kerberos"
},
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort",
"version": "5.3.5.0-RC"
},
"related": {
"hosts": [
"example.org",
"server01"
],
"ip": [
"192.0.2.12"
],
"user": [
"johndoe@example.org"
]
},
"service": {
"name": "service"
},
"silverfort": {
"destination_host": "example.org",
"mfa_response": "Approved",
"mfa_response_time": "8s",
"policy_action": "MFA",
"policy_id": "4",
"policy_name": "policy",
"request_id": "f31df161-137d-4f0b-9661-9751034f73c2",
"result": "Allowed",
"risk": "Medium",
"risk_indicators": "Password-based,Host_with_privilege_escalation_path,Domain_admin,Suspected_service_account,",
"source_host": "hostname",
"syslog_id": "1234"
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "192.0.2.12",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"user": {
"domain": "example.org",
"email": "johndoe@example.org",
"name": "johndoe@example.org"
}
}
{
"message": "CEF:0|Silverfort|Admin Console|5.3.5.0-RC|MFA|MFA request|2|rt=\"2026-02-23T13:48:56+00:00\" server_name=\"server01\" suser=\"bob.martin@example.com\" sntdom=\"example.com\" shost=\"hostname\" src=\"undefined\" destinationServiceName=\"\" dhost=\"machine06\" dntdom=\"example.com\" app=\"NTLM\" cs1Label=SilverfortReqRisk cs1=\"Medium\" cs2Label=SilverfortReqResult cs2=\"Allowed\" cs3Label=SilverfortPolicyAction cs3=\"MFA\" cs4Label=SilverfortPolicyId cs4=\"2\" cs5Label=SilverfortMfaResponse cs5=\"Unpaired\" cs6Label=SilverfortMfaResponseTime cs6=\"5000\" cs7Label=SilverfortReqRiskIndicators cs7=\"Host_with_privilege_escalation_path,Suspected_service_account,,User_with_old_password\" cs8Label=SilverfortPolicyName cs8=\"MFA_Allow_RDP_Access\" cs9Label=Country cs9=\"n/a\" cs10Label=City cs10=\"n/a\" cs11Label=Coordinates cs11=\"n/a\" cs12Label=RequestID cs12=\"f31df161-137d-4f0b-9661-9751034f73c2\" syslog_id=6030",
"event": {
"action": "MFA",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"reason": "MFA request",
"severity": 2,
"type": [
"allowed"
]
},
"@timestamp": "2026-02-23T13:48:56Z",
"destination": {
"address": "machine06.example.com",
"domain": "example.com"
},
"host": {
"domain": "example.com",
"name": "hostname"
},
"network": {
"protocol": "ntlm"
},
"observer": {
"hostname": "server01",
"product": "Admin Console",
"vendor": "Silverfort",
"version": "5.3.5.0-RC"
},
"related": {
"hosts": [
"example.com",
"server01"
],
"user": [
"bob.martin@example.com"
]
},
"silverfort": {
"destination_host": "machine06",
"mfa_response": "Unpaired",
"mfa_response_time": "5000",
"policy_action": "MFA",
"policy_id": "2",
"policy_name": "MFA_Allow_RDP_Access",
"request_id": "f31df161-137d-4f0b-9661-9751034f73c2",
"result": "Allowed",
"risk": "Medium",
"risk_indicators": "Host_with_privilege_escalation_path,Suspected_service_account,,User_with_old_password",
"source_host": "hostname",
"syslog_id": "6030"
},
"user": {
"domain": "example.com",
"email": "bob.martin@example.com",
"name": "bob.martin@example.com"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
destination.address |
keyword |
Destination network address. |
destination.domain |
keyword |
The domain name of the destination. |
destination.ip |
ip |
IP address of the destination. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.outcome |
keyword |
The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.severity |
long |
Numeric severity of the event. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
host.domain |
keyword |
Name of the directory the group is a member of. |
host.name |
keyword |
Name of the host. |
network.protocol |
keyword |
Application protocol name. |
observer.hostname |
keyword |
Hostname of the observer. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
observer.version |
keyword |
Observer version. |
service.name |
keyword |
Name of the service. |
silverfort.authentications |
long |
Number of authentications for daily statistics |
silverfort.city |
keyword |
City from which the authentication originated |
silverfort.coordinates |
keyword |
Geographic coordinates of the authentication source |
silverfort.country |
keyword |
Country from which the authentication originated |
silverfort.data_type |
keyword |
Type of data contained in the event (e.g., DailyAuthStatistic) |
silverfort.destination_host |
keyword |
Target host of the authentication attempt |
silverfort.mfa_response |
keyword |
Response from the MFA challenge |
silverfort.mfa_response_time |
keyword |
Time taken to respond to the MFA challenge |
silverfort.policy_action |
keyword |
Action taken by the policy |
silverfort.policy_id |
keyword |
Unique identifier of the policy |
silverfort.policy_name |
keyword |
Name of the policy that was applied |
silverfort.request_id |
keyword |
Unique identifier for the authentication request |
silverfort.result |
keyword |
Result of the authentication attempt |
silverfort.risk |
keyword |
Risk level associated with the authentication attempt |
silverfort.risk_indicators |
keyword |
Indicators that contributed to the risk assessment |
silverfort.source_host |
keyword |
Host that initiated the connection |
silverfort.syslog_id |
keyword |
Syslog message identifier |
source.domain |
keyword |
The domain name of the source. |
source.ip |
ip |
IP address of the source. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.email |
keyword |
User email address. |
user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.