diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json
index 4c1f72620ac..d20f4dddd1d 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json
@@ -44,6 +44,14 @@
 {
 "name": "version",
 "type": "int"
+ },
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "Name": "_ItemId",
+ "Type": "String"
 }
 ]
 }
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json
index eb227cb2124..22b37dcfa08 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json
@@ -45,6 +45,10 @@
 "name": "un",
 "type": "string"
 },
+ {
+ "name": "sn",
+ "type": "string"
+ },
 {
 "name": "src_ip",
 "type": "string"
@@ -128,6 +132,18 @@
 {
 "name": "version",
 "type": "int"
- }
+ },
+ {
+ "name": "icmp_type",
+ "type": "int"
+ },
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "Name": "_ItemId",
+ "Type": "String"
+ }
 ]
 }
\ No newline at end of file
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 564e352ab06..b6daf77a2af 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
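Review bot: The `_ItemId` entry added at the end of the first hunk is keyed `"Name"`/`"Type"`, while every other column in this file, including the `TenantId` entry added just before it, uses lowercase `"name"`/`"type"`. If the KQL validation test loader reads these keys case-sensitively (not visible from this diff), `_ItemId` will be missing from the test schema and any query that references it will fail validation; I would write the entry as `{ "name": "_ItemId", "type": "string" }`. The new entries also spell the type `"String"` where the existing ones use `"string"`/`"int"`, so it is worth normalising that as well. The same two inconsistencies are repeated in the last hunk of Illumio_Flow_Events_CL.json.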
@@ -547,13 +547,13 @@ EventOwner,string,Optional,ProcessEvent,,,
 EventOwner,string,Optional,RegistryEvent,,,
 EventOwner,string,Optional,UserManagement,,,
 EventOwner,string,Optional,WebSession,,,
-EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace,
-EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne,
+EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace|Core,
+EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne|Core,
 EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,DhcpEvent,,BloxOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake|Core,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM|NetScaler|Firepower|Cortex Data Lake|Firewall,
@@ -677,13 +677,13 @@ EventUid,string,Recommended,ProcessEvent,,,
 EventUid,string,Recommended,RegistryEvent,,,
 EventUid,string,Recommended,UserManagement,,,
 EventUid,string,Recommended,WebSession,,,
-EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google,
-EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox,
+EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google|Illumio,
+EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox|Illumio,
 EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,DhcpEvent,,Infoblox,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall|Illumio,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne|VMware|TrendMicro,
 EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5|SonicWall,
 EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
index 2557fb3ae20..eac7faf071b 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -33,6 +33,7 @@ Parsers:
 - _ASim_AuditEvent_SentinelOne
 - _ASim_AuditEvent_VMwareCarbonBlackCloud
 - _ASim_AuditEvent_InfobloxBloxOne
+ - _ASim_AuditEvent_IllumioSaaSCore
 ParserParams:
 - Name: pack
 Type: bool
@@ -56,5 +57,6 @@ ParserQuery: |
 ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),
 ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),
 ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
- ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers)))
+ ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),
+ ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventIllumioSaaSCore.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventIllumioSaaSCore.yaml
new file mode 100644
index 00000000000..bfdc84b9af8
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventIllumioSaaSCore.yaml
@@ -0,0 +1,375 @@ +Parser: + Title: Audit Event ASIM parser for Illumio SaaS Core audit events + Version: "0.2.1" + LastUpdated: Aug 20, 2024 +Product: + Name: Illumio Core +Normalization: + Schema: AuditEvent + Version: "0.1" +References: + - Title: ASIM Audit Event Schema + Link: https://aka.ms/ASimAuditEventDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM + - Title: Illumio Core API schema + Link: https://docs.illumio.com/core/24.1/Content/Guides/events-administration/events-described/list-of-event-types.htm +Description: | + This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema. +ParserName: ASimAuditEventIllumioSaaSCore +EquivalentBuiltInParser: _ASim_AuditEvent_IllumioSaaSCore +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let EventTypeLookup = datatable( + event_type: string, // what Illumio sends + Operation: string, + ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other], + Object:string, + EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type + ) + [ + 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create', + 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete', + 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set', + 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other', + 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other', + 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other', + 'agent.deactivate', 'Agent unpaired', 'Cloud Resource', 'Agent', 'Other', + 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other', 
+ 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other', + 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other', + 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other', + 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other', + 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other', + 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other', + 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other', + 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other', + 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other', + 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set', + 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set', + 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set', + 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set', + 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other', + 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other', + 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create', + 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete', + 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other', + 'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other', + 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create', + 'api_key.delete', 
'API key deleted', 'Cloud Resource', 'Api_key', 'Delete', + 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set', + 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create', + 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete', + 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set', + 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set', + 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create', + 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete', + 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set', + 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set', + 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create', + 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete', + 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set', + 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set', + 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set', + 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create', + 'container_workload_profile.delete', 'Container workload profile deleted', 'Cloud Resource', 'Container_workload_profile', 'Delete', + 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 
'Container_workload_profile', 'Set', + 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other', + 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other', + 'domain.create', 'Domain created', 'Other', 'Domain', 'Create', + 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete', + 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set', + 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create', + 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete', + 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set', + 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set', + 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set', + 'group.create', 'Group created', 'Other', 'Group', 'Create', + 'group.update', 'Group updated', 'Other', 'Group', 'Set', + 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create', + 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete', + 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set', + 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete', + 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create', + 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete', + 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set', + 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete', + 'label.create', 'Label created', 'Cloud Resource', 'Label', 'Create', + 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete', + 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set', + 
'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create', + 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete', + 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set', + 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete', + 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create', + 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete', + 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set', + 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other', + 'license.delete', 'License deleted', 'Other', 'License', 'Delete', + 'license.update', 'License updated', 'Other', 'License', 'Set', + 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create', + 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete', + 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set', + 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other', + 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create', + 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete', + 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set', + 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 'Create', + 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete', + 'login_proxy_orgs.update', 'Managed organization 
updated', 'Other', 'Login_proxy_orgs', 'Set', + 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other', + 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create', + 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete', + 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set', + 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other', + 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other', + 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create', + 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete', + 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set', + 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other', + 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create', + 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete', + 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set', + 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 
'Network_enforcement_node', 'Other', + 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other', + 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set', + 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other', + 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other', + 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete', + 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set', + 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set', + 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set', + 'org.create', 'Organization created', 'Other', 'Org', 'Create', + 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other', + 'org.update', 'Organization information updated', 'Other', 'Org', 'Set', + 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create', + 
'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create', + 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete', + 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set', + 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete', + 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete', + 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create', + 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete', + 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set', + 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create', + 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete', + 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set', + 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create', + 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete', + 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set', + 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other', + 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other', + 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other', + 'request.internal_server_error', 'API request failed due to internal server error', 'Other', 'Request', 'Other', + 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 
'Other', + 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other', + 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create', + 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete', + 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set', + 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create', + 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete', + 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set', + 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete', + 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set', + 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create', + 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete', + 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other', + 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set', + 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create', + 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete', + 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set', + 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create', + 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete', + 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other', + 'sec_rule.create', 'Security policy rules created', 'Policy Rule', 'Sec_rule', 'Create', + 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete', + 'sec_rule.update', 'Security policy rules 
updated', 'Policy Rule', 'Sec_rule', 'Set', + 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create', + 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete', + 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set', + 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create', + 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete', + 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set', + 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other', + 'service.create', 'Service created', 'Other', 'Service', 'Create', + 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete', + 'service.update', 'Service updated', 'Other', 'Service', 'Set', + 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create', + 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete', + 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set', + 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create', + 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete', + 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete', + 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete', + 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete', + 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 'Set', + 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create', + 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete', + 'slb.update', 
'Server load balancer updated', 'Other', 'Slb', 'Set', + 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other', + 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create', + 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete', + 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set', + 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other', + 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other', + 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other', + 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other', + 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other', + 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other', + 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other', + 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other', + 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete', + 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete', + 'system_task.endpoint_offline_check', 'Endpoint marked offline', 'Other', 'System_task', 'Other', + 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 
'Other',
+ 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',
+ 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',
+ 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',
+ 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',
+ 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',
+ 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',
+ 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',
+ 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',
+ 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',
+ 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',
+ 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',
+ 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',
+ 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',
+ 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',
+ 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',
+ 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',
+ 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',
+ 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',
+ 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',
+ 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',
+ 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',
+ 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',
+ 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',
+ 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',
+ 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',
+ 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',
+ 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',
+ 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',
+ 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',
+ 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',
+ 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',
+ 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',
+ 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',
+ 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',
+ 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',
+ 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',
+ 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',
+ 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',
+ 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 'Virtual_service', 'Delete',
+ 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',
+ 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',
+ 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',
+ 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',
+ 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',
+ 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',
+ 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',
+ 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',
+ 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',
+ 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',
+ 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',
+ 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',
+ 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',
+ 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',
+ 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',
+ 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',
+ '', 'For example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',
+ 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',
+ 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',
+ 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',
+ 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'
+ ];
+ let EventSeverityLookup = datatable(
+ severity: string,
+ EventSeverity: string
+ )
+ [
+ "err", "High",
+ "info", "Informational",
+ "warning", "Medium"
+ ];
+ let EventResultLookup = datatable(
+ status: string,
+ EventResult: string
+ )
+ [
+ "success", "Success",
+ "failure", "Failure",
+ "", "NA"
+ ];
+ let parser = (disabled: bool = false) {
+ Illumio_Auditable_Events_CL
+ | where not(disabled) and event_type !startswith "user" // filter out user auth events
+ | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup
+ | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup
+ | lookup EventResultLookup on status // fetch EventResult from lookup
+ | extend
+ ActorUsername = case(
+ isnotnull(created_by.system), "System",
+ isnotnull(created_by.user), created_by.user.username,
+ isnotnull(created_by.agent), created_by.agent.hostname,
+ "Unknown"
+ )
+ | extend ActorUsernameType = "Simple",
+ temp_resource_changes = parse_json(resource_changes),
+ temp_notifications = parse_json(notifications)
+ | extend
+ NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),
+ EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''),
+ SrcIpAddr = iff(action.src_ip == 'FILTERED', "", action.src_ip),
+ EventCount = int(1),
+ EventStartTime = TimeGenerated,
+ EventEndTime= TimeGenerated,
+ EventProduct = 'Core',
+ EventVendor = 'Illumio',
+ EventSchemaVersion = '0.1.0',
+ EventSchema = 'AuditEvent',
+ Dvc = pce_fqdn,
+ EventType = iff(isnull(EventType), event_type, EventType),
+ EventOriginalUid = href,
+ EventUid = _ItemId
+ //aliases
+ | extend
+ IpAddr = SrcIpAddr,
+ User = ActorUsername,
+ Value = NewValue
+ | project-away
+ temp_*,
+ event_type, // used by EventType
+ severity, // used by EventSeverity
+ resource_changes, // used by NewValue and EventMessage
+ notifications,
+ version, // simply drop version, no need to translate
+ action, //used by src_ip
+ status, // used by EventResult
+ created_by, // used by ActorUsername and ActorType
+ pce_fqdn, // used by Dvc
+ href, // used by EventOriginalUid
+ TenantId
+ };
+ parser(disabled=disabled)
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
index 391081912b7..5860d33976a 100644
--- a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
@@ -33,6 +33,7 @@ Parsers:
 - _Im_AuditEvent_SentinelOne
 - _Im_AuditEvent_VMwareCarbonBlackCloud
 - _Im_AuditEvent_InfobloxBloxOne
+ - _Im_AuditEvent_IllumioSaaSCore
 ParserParams:
 - Name: starttime
 Type: datetime
@@ -87,5 +88,6 @@ ParserQuery: | vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))), vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))), vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))), - vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))) + vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, 
newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))), + vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers)))) diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventIllumioSaaSCore.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventIllumioSaaSCore.yaml new file mode 100644 index 00000000000..bc8fbd57943 --- /dev/null +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventIllumioSaaSCore.yaml 
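Review bot: The `vimAuditEventIllumioSaaSCore(...)` entry added to the union puts Illumio behind `imAuditEvent`, yet the Illumio parser added in this commit opens with `| where not(disabled) and event_type !startswith "user"`, which removes far more than sign-ins: `user.create`, `user.delete`, `user.update_password`, `users.auth_token` and every `user_local_profile.*` event match that prefix too. The filter is visible in the ASim variant; the vim variant's query body runs past what is shown here, so this assumes it filters the same way. Account-lifecycle hunting through `imAuditEvent` would then silently return nothing for Illumio, and the lookup rows for those event types are never reached. I'd name the authentication-only types instead, for example `| where not(disabled) and event_type !in ('user.authenticate', 'user.verify_mfa', 'user.use_expired_password')`, and state the exclusion in the parser's `Description`.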
@@ -0,0 +1,434 @@
+Parser:
+ Title: Audit Event ASIM parser for Illumio SaaS Core audit events
+ Version: '0.2.1'
+ LastUpdated: Aug 20, 2024
+Product:
+ Name: Illumio Core
+Normalization:
+ Schema: AuditEvent
+ Version: "0.1"
+References:
+ - Title: ASIM Audit Event Schema
+ Link: https://aka.ms/ASimAuditEventDoc
+ - Title: ASIM
+ Link: https://aka.ms/AboutASIM
+ - Title: Illumio Core API schema
+ Link: https://docs.illumio.com/core/24.1/Content/Guides/events-administration/events-described/list-of-event-types.htm
+Description: |
+ This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema.
+ParserName: vimAuditEventIllumioSaaSCore
+EquivalentBuiltInParser: _Im_AuditEvent_IllumioSaaSCore
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: actorusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: operation_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype_in
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresult
+ Type: string
+ Default: '*'
+ - Name: object_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: newvalue_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventTypeLookup = datatable(
+ event_type: string, // what Illumio sends
+ Operation: string,
+ ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],
+ Object:string,
+ EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type
+ )
+ [
+ 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',
+ 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',
+ 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',
+ 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.deactivate', 'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',
+ 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',
+ 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',
+ 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',
+ 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',
+ 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',
+ 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',
+ 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',
+ 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',
+ 'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',
+ 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',
+ 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',
+ 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',
+ 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',
+ 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',
+ 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',
+ 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',
+ 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',
+ 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',
+ 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',
+ 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',
+ 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',
+ 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',
+ 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',
+ 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',
+ 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',
+ 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',
+ 'container_workload_profile.delete', 'Container workload profile deleted', 'Cloud Resource', 'Container_workload_profile', 'Delete',
+ 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',
+ 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',
+ 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',
+ 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',
+ 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',
+ 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',
+ 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',
+ 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',
+ 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',
+ 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',
+ 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',
+ 'group.create', 'Group created', 'Other', 'Group', 'Create',
+ 'group.update', 'Group updated', 'Other', 'Group', 'Set',
+ 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',
+ 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',
+ 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',
+ 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',
+ 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',
+ 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',
+ 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',
+ 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',
+ 'label.create', 'Label created', 'Cloud Resource', 'Label', 'Create',
+ 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',
+ 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',
+ 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',
+ 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',
+ 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',
+ 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',
+ 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',
+ 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',
+ 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',
+ 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',
+ 'license.delete', 'License deleted', 'Other', 'License', 'Delete',
+ 'license.update', 'License updated', 'Other', 'License', 'Set',
+ 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',
+ 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',
+ 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',
+ 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',
+ 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',
+ 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',
+ 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',
+ 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 'Create',
+ 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',
+ 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',
+ 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',
+ 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',
+ 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',
+ 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',
+ 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',
+ 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',
+ 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',
+ 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',
+ 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',
+ 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',
+ 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',
+ 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',
+ 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',
+ 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',
+ 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',
+ 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',
+ 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',
+ 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',
+ 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',
+ 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',
+ 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',
+ 'org.create', 'Organization created', 'Other', 'Org', 'Create',
+ 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',
+ 'org.update', 'Organization information updated', 'Other', 'Org', 'Set',
+ 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',
+ 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',
+ 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',
+ 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',
+ 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',
+ 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',
+ 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',
+ 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',
+ 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',
+ 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',
+ 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',
+ 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',
+ 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',
+ 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',
+ 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',
+ 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',
+ 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',
+ 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',
+ 'request.internal_server_error', 'API request failed due to internal server error', 'Other', 'Request', 'Other',
+ 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',
+ 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',
+ 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',
+ 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',
+ 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',
+ 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',
+ 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',
+ 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',
+ 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',
+ 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',
+ 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',
+ 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',
+ 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',
+ 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',
+ 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',
+ 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',
+ 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',
+ 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',
+ 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',
+ 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',
+ 'sec_rule.create', 'Security policy rules created', 'Policy Rule', 'Sec_rule', 'Create',
+ 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',
+ 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',
+ 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',
+ 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',
+ 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',
+ 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',
+ 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',
+ 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',
+ 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',
+ 'service.create', 'Service created', 'Other', 'Service', 'Create',
+ 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',
+ 'service.update', 'Service updated', 'Other', 'Service', 'Set',
+ 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',
+ 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',
+ 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',
+ 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',
+ 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',
+ 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',
+ 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',
+ 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',
+ 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 'Set',
+ 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',
+ 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',
+ 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',
+ 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',
+ 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',
+ 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',
+ 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',
+ 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',
+ 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',
+ 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',
+ 'system_task.endpoint_offline_check', 'Endpoint marked offline', 'Other', 'System_task', 'Other',
+ 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',
+ 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',
+ 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',
+ 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',
+ 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',
+ 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',
+ 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',
+ 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',
+ 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',
+ 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',
+ 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',
+ 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',
+ 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',
+ 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',
+ 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',
+ 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',
+ 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',
+ 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',
+ 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',
+ 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',
+ 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',
+ 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',
+ 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',
+ 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',
+ 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',
+ 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',
+ 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',
+ 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',
+ 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',
+ 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',
+ 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',
+ 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',
+ 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',
+ 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',
+ 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',
+ 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',
+ 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',
+ 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',
+ 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',
+ 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 'Virtual_service', 'Delete',
+ 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',
+ 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',
+ 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',
+ 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',
+ 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',
+ 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',
+ 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',
+ 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',
+ 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',
+ 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',
+ 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',
+ 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',
+ 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',
+ 'workload_interface.create', 'Workload interface 
created', 'Cloud Resource', 'Workload_interface', 'Create', + 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete', + 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set', + 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set', + '', 'For example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other', + 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set', + 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set', + 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other', + 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set' + ]; + let EventSeverityLookup = datatable( + severity: string, + EventSeverity: string + ) + [ + "err", "High", + "info", "Informational", + "warning", "Medium" + ]; + let EventResultLookup = datatable( + status: string, + EventResult: string + ) + [ + "success", "Success", + "failure", "Failure", + "", "NA" + ]; + let parser= ( + starttime:datetime=datetime(null), + 
endtime:datetime=datetime(null), + srcipaddr_has_any_prefix:dynamic=dynamic([]), + eventresult:string='*', + actorusername_has_any:dynamic=dynamic([]), + eventtype_in:dynamic=dynamic([]), + operation_has_any:dynamic=dynamic([]), // not sure if this is required + object_has_any:dynamic=dynamic([]), // not sure if this is required + newvalue_has_any:dynamic=dynamic([]), // not mapped yet + disabled:bool = false + ){ + Illumio_Auditable_Events_CL + | where not(disabled) and (event_type !startswith "user") // filter out user auth events + and ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) + and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(action.src_ip, srcipaddr_has_any_prefix)) + | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup + | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup + | lookup EventResultLookup on status // fetch EventResult from lookup + | extend temp_resource_changes = parse_json(resource_changes) + | extend temp_notifications = parse_json(notifications) + | extend + NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''), + EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), + SrcIpAddr = iff(action.src_ip == 'FILTERED', "", action.src_ip) + | extend + ActorUsername = case( + isnotnull(created_by.system), "System", + isnotnull(created_by.user), created_by.user.username, + isnotnull(created_by.agent), created_by.agent.hostname, + "Unknown" + ) + | extend ActorUsernameType = "Simple" + // ***** parser filter params ***** + | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in)) + and (eventresult == "*" or EventResult =~ eventresult) and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) + and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any)) + 
and (array_length(object_has_any) == 0 or Object has_any (object_has_any)) + and (array_length(newvalue_has_any) == 0) + // ***** parser filter params ***** + | extend + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime= TimeGenerated, + EventProduct = 'Core', + EventVendor = 'Illumio', + EventSchemaVersion = '0.1.0', + EventSchema = 'AuditEvent', + Dvc = pce_fqdn, + EventType = iff(isnull(EventType), event_type, EventType), + EventOriginalUid = href, + EventUid = _ItemId + //aliases + | extend + IpAddr = SrcIpAddr, + User = ActorUsername, + Value = NewValue + | project-away + event_type, // used by EventType + severity, // used by EventSeverity + temp_*, + resource_changes, // used by NewValue and EventMessage + notifications, + version, // simply drop version, no need to translate + action, //used by src_ip + status, // used by EventResult + created_by, // used by ActorUsername and ActorType + pce_fqdn, // used by Dvc + href, // used by EventOriginalUid + TenantId + }; + parser ( + starttime = starttime, + endtime = endtime, + srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, + actorusername_has_any = actorusername_has_any, + eventtype_in = eventtype_in, + eventresult = eventresult, + operation_has_any = operation_has_any, + object_has_any=object_has_any, + newvalue_has_any=newvalue_has_any, + disabled=disabled + ) \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_DataTest.csv b/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_DataTest.csv new file mode 100644 index 00000000000..abadbb2de81 --- /dev/null +++ b/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_DataTest.csv 
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Core""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Illumio""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 63 records (63.0%) for field [IpAddr] of type [IP Address]: [""Unknown""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 63 records (63.0%) for field [SrcIpAddr] of type [IP Address]: [""Unknown""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 75 records (75.0%) for field [ObjectType] of type [Enumerated]: [""Cloud Resource""] (Schema:AuditEvent)"
+"(2) Info: Empty value in 100 records (100.0%) in optional field [EventMessage] (Schema:AuditEvent)"
+"(2) Info: Empty value in 100 records (100.0%) in recommended field [NewValue] (Schema:AuditEvent)"
diff --git a/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_SchemaTest.csv b/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_SchemaTest.csv
new file mode 100644
index 00000000000..71098c985eb
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Tests/Illumio_Core_AuditEvent_SchemaTest.csv
@@ -0,0 +1,101 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [DvcHostname]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [ObjectId]" +"(1) Warning: Missing recommended field [Src]" +"(1) Warning: Missing recommended field [TargetHostname]" +"(1) Warning: Missing recommended field [TargetIpAddr]" +"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" +"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppName]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActingOriginalAppType]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserAadId]" +"(2) Info: Missing optional field [ActorUserId]" +"(2) Info: Missing optional field [ActorUserSid]" +"(2) Info: Missing optional field [ActorUserType]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcFQDN]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) 
Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [OldValue]" +"(2) Info: Missing optional field [OriginalObjectType]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDomain]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcHostname]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [TargetAppId]" +"(2) Info: Missing optional field [TargetAppName]" +"(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" +"(2) Info: Missing optional field [TargetDomain]" +"(2) Info: Missing optional field [TargetDvcId]" +"(2) Info: Missing optional field [TargetDvcOs]" +"(2) Info: Missing optional 
field [TargetDvcScopeId]" +"(2) Info: Missing optional field [TargetDvcScope]" +"(2) Info: Missing optional field [TargetFQDN]" +"(2) Info: Missing optional field [TargetGeoCity]" +"(2) Info: Missing optional field [TargetGeoCountry]" +"(2) Info: Missing optional field [TargetGeoLatitude]" +"(2) Info: Missing optional field [TargetGeoLongitude]" +"(2) Info: Missing optional field [TargetGeoRegion]" +"(2) Info: Missing optional field [TargetOriginalAppType]" +"(2) Info: Missing optional field [TargetOriginalRiskLevel]" +"(2) Info: Missing optional field [TargetPortNumber]" +"(2) Info: Missing optional field [TargetRiskLevel]" +"(2) Info: Missing optional field [TargetUrl]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: Missing optional field [ValueType]" +"(2) Info: extra unnormalized column [TenantId]" diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index f83d0e8ae30..993ef29a56e 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml 
@@ -50,7 +50,8 @@ ParserQuery: | ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )), ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )), ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )), - ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )) + ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )), + ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )) Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs @@ -80,3 +81,4 @@ Parsers: - _ASim_Authentication_CrowdStrikeFalconHost - _ASim_Authentication_GoogleWorkspace - _ASim_Authentication_SalesforceSC + - _ASim_Authentication_IllumioSaaSCore diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationIllumioSaaSCore.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationIllumioSaaSCore.yaml new file mode 100644 index 00000000000..e66ddb68e51 --- /dev/null +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationIllumioSaaSCore.yaml 
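Review bot: The exclusion key on the added union line, `'ExcludeASimAuthenticationIllumioSaaS'`, does not match the parser name `ASimAuthenticationIllumioSaaSCore`, so a DisabledParsers entry written as `Exclude` plus the parser name will not switch this source off. The GoogleWorkspace, PaloAltoCortexDataLake and VMwareCarbonBlackCloud lines just above it use the full parser name; I would change the key to `'ExcludeASimAuthenticationIllumioSaaSCore'`. The imAuthentication.yaml hunk has the same shortened form, `'ExcludevimAuthenticationIllumioSaaS'`, which should become `'ExcludevimAuthenticationIllumioSaaSCore'`. How DisabledParsers is populated is outside this hunk, so confirm the expected key against that list.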
@@ -0,0 +1,87 @@
+Parser:
+ Title: Authentication ASIM parser for Illumio SaaS Core
+ Version: '0.3.0'
+ LastUpdated: Oct 1, 2024
+Product:
+ Name: Illumio
+Normalization:
+ Schema: Authentication
+ Version: '0.1.3'
+References:
+ - Title: ASIM Authentication Schema
+ Link: https://aka.ms/ASimAuthenticationDoc
+ - Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema.
+ParserName: ASimAuthenticationIllumioSaaSCore
+EquivalentBuiltInParser: _ASim_Authentication_IllumioSaaSCore
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventTypeLookup = datatable(
+ event_type: string, // what Illumio sends
+ EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type
+ EventResultDetails: string,
+ EventResult: string
+ )
+ [
+ 'user.authenticate', 'Logon', 'Other', 'Success',
+ 'user.login', 'Logon', 'Other', 'Success',
+ 'user.logout', 'Logoff', 'Other', 'Success',
+ 'user.sign_in', 'Logon', 'Other', 'Success',
+ 'user.sign_out', 'Logoff', 'Other', 'Success',
+ 'user.use_expired_password', 'Logon', 'Password expired', 'Success'
+ ];
+ let user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);
+ let parser=(disabled: bool=false) {
+ Illumio_Auditable_Events_CL
+ | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only
+ | extend
+ EventProduct='Core'
+ ,
+ EventVendor='Illumio'
+ ,
+ EventSchema = 'Authentication'
+ ,
+ EventCount=int(1)
+ ,
+ EventSchemaVersion='0.1.3'
+ ,
+ EventOriginalUid = href
+ | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult
+ | extend
+ EventStartTime=TimeGenerated
+ ,
+ EventEndTime=TimeGenerated
+ ,
+ TargetUsername = case(
+ isnotnull(created_by.user), created_by.user.username,
+ "Unknown"
+ ),
+ TargetUsernameType = "Simple",
+ EventUid = _ItemId,
+ SrcIpAddr = iff(action.src_ip == 'FILTERED', "", action.src_ip)
+ // ** Aliases
+ | extend
+ Dvc=EventVendor
+ ,
+ IpAddr=SrcIpAddr
+ ,
+ User = TargetUsername
+ | project-away
+ TenantId,
+ href,
+ pce_fqdn,
+ created_by,
+ event_type,
+ status,
+ severity,
+ action,
+ resource_changes,
+ notifications,
+ version
+ };
+ parser(disabled = disabled)
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
index d057c375e9d..745a0f71f22 100644
--- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
+++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
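Review bot: `user_events` lists `'user.sigin'`, which matches no row of `EventTypeLookup`, while the lookup's `'user.sign_in'` is missing from the list, so events of that type never pass the `event_type in (user_events)` filter and are absent from the normalized authentication data. Replace the entry with `'user.sign_in'` so the filter and the lookup agree. A short comment above `user_events`, such as `// keep in sync with the event_type column of EventTypeLookup`, would help prevent the two lists drifting again. The identical `user_events` line in vimAuthenticationIllumioSaaSCore.yaml needs the same correction.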
@@ -79,6 +79,7 @@ ParserQuery: | , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) ))) , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) ))) , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) ))) + , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) ))) }; Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack) Parsers: @@ -109,3 +110,4 @@ Parsers: - _Im_Authentication_PaloAltoCortexDataLake - _Im_Authentication_VMwareCarbonBlackCloud - _Im_Authentication_CrowdStrikeFalconHost + - _Im_Authentication_IllumioSaaSCore diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationIllumioSaaSCore.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationIllumioSaaSCore.yaml new file mode 100644 index 00000000000..8767bb7ab03 --- /dev/null +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationIllumioSaaSCore.yaml 
@@ -0,0 +1,147 @@ +Parser: + Title: Authentication ASIM parser for Illumio SaaS Core + Version: '0.3.0' + LastUpdated: Oct 1, 2024 +Product: + Name: Illumio +Normalization: + Schema: Authentication + Version: '0.1.3' +References: + - Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema. +ParserName: vimAuthenticationIllumioSaaSCore +EquivalentBuiltInParser: _Im_Authentication_IllumioSaaSCore +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetappname_has_any + Type: dynamic + Default: dynamic([]) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: srchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: eventresultdetails_in + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: '*' + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let EventTypeLookup = datatable( + event_type: string, // what Illumio sends + EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type + EventResultDetails: string, + EventResult: string + ) + [ + 'user.authenticate', 'Logon', 'Other', 'Success', + 'user.login', 'Logon', 'Other', 'Success', + 'user.logout', 'Logoff', 'Other', 'Success', + 'user.sign_in', 'Logon', 'Other', 'Success', + 'user.sign_out', 'Logoff', 'Other', 'Success', + 'user.use_expired_password', 'Logon', 'Password expired', 'Success' + ]; + let user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']); + let parser=( + 
starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + username_has_any: dynamic = dynamic([]), + targetappname_has_any: dynamic = dynamic([]), + srcipaddr_has_any_prefix: dynamic = dynamic([]), + srchostname_has_any: dynamic = dynamic([]), + eventtype_in: dynamic = dynamic([]), + eventresultdetails_in: dynamic = dynamic([]), + eventresult: string = '*', + disabled: bool=false + ) { + Illumio_Auditable_Events_CL + | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source + and (array_length(srchostname_has_any) == 0) // srchostname_has_any not available in source + | extend + EventProduct='Core' + , + EventVendor='Illumio' + , + EventSchema = 'Authentication' + , + EventCount=int(1) + , + EventSchemaVersion='0.1.3' + , + EventOriginalUid = href + | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult + | where + (eventresult == "*" or (EventResult == eventresult)) + and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) + | extend + EventStartTime=TimeGenerated + , + EventEndTime=TimeGenerated + , + TargetUsername = case( + isnotnull(created_by.user), created_by.user.username, + "Unknown" + ), + TargetUsernameType = "Simple", + EventUid = _ItemId, + SrcIpAddr = iff(action.src_ip == 'FILTERED', "", action.src_ip) + // * prefiltering + | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any))) + and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)) + and ((array_length(eventtype_in) == 0) or EventType has_any (eventtype_in)) + // * prefiltering + // ** Aliases + | extend + Dvc=EventVendor + , + IpAddr=SrcIpAddr + , + User = 
TargetUsername + | project-away + TenantId, + href, + pce_fqdn, + created_by, + event_type, + status, + severity, + action, + resource_changes, + notifications, + version + }; + parser(starttime=starttime, + endtime=endtime, + username_has_any=username_has_any, + targetappname_has_any=targetappname_has_any, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + srchostname_has_any=srchostname_has_any, + eventtype_in=eventtype_in, + eventresultdetails_in=eventresultdetails_in, + eventresult=eventresult, + disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_DataTest.csv new file mode 100644 index 00000000000..efa002b9d29 --- /dev/null +++ b/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_DataTest.csv @@ -0,0 +1,4 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Core""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Illumio""] (Schema:Authentication)" +"(2) Info: Empty value in 55 records (55.0%) in recommended field [SrcIpAddr] (Schema:Authentication)" diff --git a/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_SchemaTest.csv new file mode 100644 index 00000000000..b3c8620cdc1 --- /dev/null +++ b/Parsers/ASimAuthentication/Tests/Illumio_Core_Authentication_SchemaTest.csv 
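Review bot: `EventResult` is taken only from the fourth column of `EventTypeLookup`, where every row is `'Success'`, and the source `status` column is removed in `project-away` without being read. As a result the `eventresult` parameter can never select a failed sign-in, and `user.use_expired_password` is reported as a success. The AuditEvent parser added in this commit maps `status` through its `EventResultLookup` datatable; dropping the `EventResult` column from `EventTypeLookup` and adding a copy of that table with `| lookup EventResultLookup on status` before the `eventresult` filter would let failure-based detections see these events. Whether Illumio sets `status` to `failure` for rejected logins is not visible in this diff and should be checked against sample data. ASimAuthenticationIllumioSaaSCore.yaml uses the same lookup and needs the same change.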
@@ -0,0 +1,108 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [DvcHostname]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventSeverity]" +"(1) Warning: Missing recommended field [Src]" +"(1) Warning: Missing recommended field [TargetDomain]" +"(1) Warning: Missing recommended field [TargetHostname]" +"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppName]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActingOriginalAppType]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserId]" +"(2) Info: Missing optional field [ActorUserType]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcFQDN]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field 
[EventOriginalType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [LogonMethod]" +"(2) Info: Missing optional field [LogonProtocol]" +"(2) Info: Missing optional field [LogonTarget]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDomain]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcOs]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcHostname]" +"(2) Info: Missing optional field [SrcIsp]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [TargetAppId]" +"(2) Info: Missing optional field [TargetAppName]" +"(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" +"(2) Info: Missing optional field [TargetDvcId]" +"(2) Info: Missing optional field [TargetDvcOs]" +"(2) Info: Missing optional field [TargetDvcScopeId]" +"(2) Info: Missing optional field [TargetDvcScope]" +"(2) Info: Missing optional field [TargetFQDN]" +"(2) Info: Missing optional field 
[TargetGeoCity]" +"(2) Info: Missing optional field [TargetGeoCountry]" +"(2) Info: Missing optional field [TargetGeoLatitude]" +"(2) Info: Missing optional field [TargetGeoLongitude]" +"(2) Info: Missing optional field [TargetGeoRegion]" +"(2) Info: Missing optional field [TargetIpAddr]" +"(2) Info: Missing optional field [TargetOriginalAppType]" +"(2) Info: Missing optional field [TargetOriginalRiskLevel]" +"(2) Info: Missing optional field [TargetOriginalUserType]" +"(2) Info: Missing optional field [TargetPortNumber]" +"(2) Info: Missing optional field [TargetRiskLevel]" +"(2) Info: Missing optional field [TargetSessionId]" +"(2) Info: Missing optional field [TargetUrl]" +"(2) Info: Missing optional field [TargetUserId]" +"(2) Info: Missing optional field [TargetUserScopeId]" +"(2) Info: Missing optional field [TargetUserScope]" +"(2) Info: Missing optional field [TargetUserType]" +"(2) Info: Missing optional field [TargetUsername]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: Missing optional field [User]" +"(2) Info: extra unnormalized column [_ItemId]" diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml index ed38fb8e31a..176aafd3daf 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml 
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml @@ -54,6 +54,7 @@ Parsers: - _ASim_NetworkSession_VMwareCarbonBlackCloud - _ASim_NetworkSession_PaloAltoCortexDataLake - _ASim_NetworkSession_SonicWallFirewall + - _ASim_NetworkSession_IllumioSaaSCore ParserParams: - Name: pack @@ -101,5 +102,6 @@ ParserQuery: | , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) )) , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) )) , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) )) + , ASimNetworkSessionIllumioSaaSCore (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionIllumioSaaSCore' in (DisabledParsers) )) }; NetworkSessionsGeneric (pack=pack) diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionIllumioSaaSCore.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionIllumioSaaSCore.yaml new file mode 100644 index 00000000000..a1a25a12efe --- /dev/null +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionIllumioSaaSCore.yaml 
@@ -0,0 +1,306 @@ +Parser: + Title: NetworkSession ASIM Parser for Illumio SaaS Core + Version: "0.1.0" + LastUpdated: Aug 21, 2024 +Product: + Name: Illumio SaaS Core +Normalization: + Schema: NetworkSession + Version: "0.2.6" +References: + - Title: ASIM Network Session Schema + Link: https://aka.ms/ASimNetworkSessionDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM + - Title: Illumio SaaS Core Documentation + Link: https://docs.illumio.com/core/24.1/Content/Guides/events-administration/events-described/list-of-event-types.htm +Description: | + This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. +ParserName: ASimNetworkSessionIllumioSaaSCore +EquivalentBuiltInParser: _ASim_NetworkSession_IllumioSaaSCore +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [ + 0,"HOPOPT", + 1,"ICMP", + 2,"IGMP", + 3,"GGP", + 4,"IPv4", + 5,"ST", + 6,"TCP", + 7,"CBT", + 8,"EGP", + 9,"IGP", + 10,"BBN-RCC-MON", + 11,"NVP-II", + 12,"PUP", + 13,"ARGUS (deprecated)", + 14,"EMCON", + 15,"XNET", + 16,"CHAOS", + 17,"UDP", + 18,"MUX", + 19,"DCN-MEAS", + 20,"HMP", + 21,"PRM", + 22,"XNS-IDP", + 23,"TRUNK-1", + 24,"TRUNK-2", + 25,"LEAF-1", + 26,"LEAF-2", + 27,"RDP", + 28,"IRTP", + 29,"ISO-TP4", + 30,"NETBLT", + 31,"MFE-NSP", + 32,"MERIT-INP", + 33,"DCCP", + 34,"3PC", + 35,"IDPR", + 36,"XTP", + 37,"DDP", + 38,"IDPR-CMTP", + 39,"TP++", + 40,"IL", + 41,"IPv6", + 42,"SDRP", + 43,"IPv6-Route", + 44,"IPv6-Frag", + 45,"IDRP", + 46,"RSVP", + 47,"GRE", + 48,"DSR", + 49,"BNA", + 50,"ESP", + 51,"AH", + 52,"I-NLSP", + 53,"SWIPE (deprecated)", + 54,"NARP", + 55,"MOBILE", + 56,"TLSP", + 57,"SKIP", + 58,"IPv6-ICMP", + 59,"IPv6-NoNxt", + 60,"IPv6-Opts", + 61,"", + 62,"CFTP", + 63,"", + 64,"SAT-EXPAK", + 65,"KRYPTOLAN", + 66,"RVD", + 67,"IPPC", + 68,"", + 69,"SAT-MON", + 70,"VISA", 
+ 71,"IPCV", + 72,"CPNX", + 73,"CPHB", + 74,"WSN", + 75,"PVP", + 76,"BR-SAT-MON", + 77,"SUN-ND", + 78,"WB-MON", + 79,"WB-EXPAK", + 80,"ISO-IP", + 81,"VMTP", + 82,"SECURE-VMTP", + 83,"VINES", + 84,"TTP", + 84,"IPTM", + 85,"NSFNET-IGP", + 86,"DGP", + 87,"TCF", + 88,"EIGRP", + 89,"OSPFIGP", + 90,"Sprite-RPC", + 91,"LARP", + 92,"MTP", + 93,"AX.25", + 94,"IPIP", + 95,"MICP (deprecated)", + 96,"SCC-SP", + 97,"ETHERIP", + 98,"ENCAP", + 99,"", + 100,"GMTP", + 101,"IFMP", + 102,"PNNI", + 103,"PIM", + 104,"ARIS", + 105,"SCPS", + 106,"QNX", + 107,"A/N", + 108,"IPComp", + 109,"SNP", + 110,"Compaq-Peer", + 111,"IPX-in-IP", + 112,"VRRP", + 113,"PGM", + 114,"", + 115,"L2TP", + 116,"DDX", + 117,"IATP", + 118,"STP", + 119,"SRP", + 120,"UTI", + 121,"SMP", + 122,"SM (deprecated)", + 123,"PTP", + 124,"ISIS over IPv4", + 125,"FIRE", + 126,"CRTP", + 127,"CRUDP", + 128,"SSCOPMCE", + 129,"IPLT", + 130,"SPS", + 131,"PIPE", + 132,"SCTP", + 133,"FC", + 134,"RSVP-E2E-IGNORE", + 135,"Mobility Header", + 136,"UDPLite", + 137,"MPLS-in-IP", + 138,"manet", + 139,"HIP", + 140,"Shim6", + 141,"WESP", + 142,"ROHC", + 143,"Ethernet", + 253,"", + 254,"", + 255,"Reserved" + ]; + let NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string) + [ + 4,"IPv4", + 6,"IPv6" + ]; + let EventResultLookup = datatable(DvcAction: string, EventResult: string) + [ + "Deny", "Failure", + "Allow", "Success" + ]; + let DvcActionLookup = datatable(pd: int, DvcAction: string) + [ + // - Allow + // - Deny + // - Drop + // - Drop ICMP + // - Reset + // - Reset Source + // - Reset Destination + // - Encrypt + // - Decrypt + // - VPNroute + 2, "Deny", + 1, "Allow", + 0, "Allow" + ]; + let ClassLookup = datatable(class: string, ClassDetail: string) + [ + "M", "Multicast", + "B", "Broadcast", + "U", "Unicast" + ]; + let parser=(disabled:bool=false){ + Illumio_Flow_Events_CL + | where not(disabled) + | lookup ProtocolLookup on proto + | lookup NetworkProtocolVersionLookup on version + | lookup 
DvcActionLookup on pd //set DvcAction + | extend EventResult = iff(DvcAction == "Deny", "Failure", "Success") + | lookup ClassLookup on class + | extend + EventCount = flow_count, + EventStartTime = TimeGenerated, + EventEndTime= TimeGenerated, + EventType = 'Flow', + EventProduct = 'Core', + EventVendor = 'Illumio', + EventSchemaVersion = '0.2.6', + EventSchema = 'NetworkSession', + Dvc = pce_fqdn + | extend NetworkDirection = case( + dir=='I', 'Inbound', + dir=='O', 'Outbound', + 'Unknown' + ), + NetworkDuration = interval_sec, + DstBytes = tolong(dst_dbo), + SrcBytes = tolong(dst_dbi), + DstIpAddr = dst_ip, + SrcIpAddr = src_ip, + DstPortNumber = dst_port, + DstHostname = dst_hostname, + SrcHostname = src_hostname, + EventSeverity = case( + DvcAction=='Deny', 'Low', + 'Informational' + ) + | extend + SrcProcessName = iif(dir=='O', pn, ''), + DstProcessName = iif(dir=='I', pn, ''), + SrcUsername = iif(dir=='O', un, ''), + DstUsername = iif(dir=='I', un, '') + | extend + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), + DstUsernameType = _ASIM_GetUsernameType(DstUsername) + //Aliases + | extend + DvcIpAddr = SrcIpAddr, + DvcHostname = SrcHostname + | extend + AdditionalFields = bag_pack("Class", ClassDetail, + "Network",network, + "Source_Labels", src_labels, + "Dest_Labels", dst_labels, + "Src_href", src_href, // can this be stored in SrcId instead? + "Dst_href", dst_href // can this be stored in DvcId instead? 
+ // need to add SN here + ) + // aliases + | extend + Duration = NetworkDuration, + User = DstUsername, + Hostname = DstHostname, + IpAddr = SrcIpAddr, + EventUid = _ItemId + | project-away + code, + icmp_type, + dst_dbi, + dst_dbo, + dst_tbi, + dst_tbo, + pce_fqdn, + proto, + dst_port, + src_ip, + dst_ip, + dst_hostname, + src_hostname, + dir, + flow_count, + src_href, + dst_href, + src_labels, + dst_labels, + network, + class, + org_id, + state, // decide how to use this + pd_qualifier, //decide how to use this + interval_sec, + version, + ddms, // not needed + tdms, // not needed + pn, + un, + pd, + ClassDetail, + TenantId + }; + parser(disabled=disabled) diff --git a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml index 87df410c834..a74d49998b6 100644 --- a/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml +++ b/Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml @@ -53,6 +53,7 @@ Parsers: - _Im_NetworkSession_SonicWallFirewall - _Im_NetworkSession_MicrosoftSysmon - _Im_NetworkSession_MicrosoftSysmonWindowsEvent + - _Im_NetworkSession_IllumioSaaSCore ParserParams: - Name: starttime Type: datetime 
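Review bot: `ProtocolLookup` lists key 84 twice (`84,"TTP"` and `84,"IPTM"`) and is joined with `| lookup ProtocolLookup on proto`, so a flow with `proto == 84` would probably come out as two rows with different `NetworkProtocol` values and inflate any count built on this parser; keep a single row, e.g. `84,"TTP/IPTM",`. The same table is repeated in vimNetworkSessionIllumioSaaSCore.yaml. `DvcActionLookup` maps only `pd` 0, 1 and 2, and `EventResult = iff(DvcAction == "Deny", "Failure", "Success")` then reports any unmapped `pd` as `Success` with severity `Informational`; a branch that yields `NA` when `DvcAction` is empty would keep an unknown policy decision from reading as an allowed flow. The `// need to add SN here` comment is still open: the `sn` column this commit adds to the table schema is neither packed into `AdditionalFields` nor listed in `project-away`, and `EventResultLookup` is declared but never used.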
@@ -134,5 +135,6 @@ ParserQuery: | , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) )) , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) )) , vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) )) + , vimNetworkSessionIllumioSaaSCore (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionIllumioSaaSCore' in (DisabledParsers) )) }; NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack) diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionIllumioSaaSCore.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionIllumioSaaSCore.yaml new file mode 100644 index 00000000000..8fcabcbc021 --- /dev/null +++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionIllumioSaaSCore.yaml 
@@ -0,0 +1,385 @@ +Parser: + Title: NetworkSession ASIM Parser for Illumio SaaS Core + Version: "0.1.0" + LastUpdated: Aug 21, 2024 +Product: + Name: Illumio SaaS Core +Normalization: + Schema: NetworkSession + Version: "0.2.6" +References: + - Title: ASIM Network Session Schema + Link: https://aka.ms/ASimNetworkSessionDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM + - Title: Illumio SaaS Core Documentation + Link: https://docs.illumio.com/core/24.1/Content/Guides/events-administration/events-described/list-of-event-types.htm +Description: | + This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. +ParserName: vimNetworkSessionIllumioSaaSCore +EquivalentBuiltInParser: _Im_NetworkSession_IllumioSaaSCore +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dstipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: dstportnumber + Type: int + Default: int(null) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: dvcaction + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: "*" + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [ + 0,"HOPOPT", + 1,"ICMP", + 2,"IGMP", + 3,"GGP", + 4,"IPv4", + 5,"ST", + 6,"TCP", + 7,"CBT", + 8,"EGP", + 9,"IGP", + 10,"BBN-RCC-MON", + 11,"NVP-II", + 12,"PUP", + 13,"ARGUS (deprecated)", + 14,"EMCON", + 15,"XNET", + 16,"CHAOS", + 17,"UDP", + 18,"MUX", + 19,"DCN-MEAS", + 20,"HMP", + 21,"PRM", + 22,"XNS-IDP", + 23,"TRUNK-1", + 24,"TRUNK-2", + 25,"LEAF-1", + 26,"LEAF-2", + 27,"RDP", + 28,"IRTP", + 29,"ISO-TP4", + 
30,"NETBLT", + 31,"MFE-NSP", + 32,"MERIT-INP", + 33,"DCCP", + 34,"3PC", + 35,"IDPR", + 36,"XTP", + 37,"DDP", + 38,"IDPR-CMTP", + 39,"TP++", + 40,"IL", + 41,"IPv6", + 42,"SDRP", + 43,"IPv6-Route", + 44,"IPv6-Frag", + 45,"IDRP", + 46,"RSVP", + 47,"GRE", + 48,"DSR", + 49,"BNA", + 50,"ESP", + 51,"AH", + 52,"I-NLSP", + 53,"SWIPE (deprecated)", + 54,"NARP", + 55,"MOBILE", + 56,"TLSP", + 57,"SKIP", + 58,"IPv6-ICMP", + 59,"IPv6-NoNxt", + 60,"IPv6-Opts", + 61,"", + 62,"CFTP", + 63,"", + 64,"SAT-EXPAK", + 65,"KRYPTOLAN", + 66,"RVD", + 67,"IPPC", + 68,"", + 69,"SAT-MON", + 70,"VISA", + 71,"IPCV", + 72,"CPNX", + 73,"CPHB", + 74,"WSN", + 75,"PVP", + 76,"BR-SAT-MON", + 77,"SUN-ND", + 78,"WB-MON", + 79,"WB-EXPAK", + 80,"ISO-IP", + 81,"VMTP", + 82,"SECURE-VMTP", + 83,"VINES", + 84,"TTP", + 84,"IPTM", + 85,"NSFNET-IGP", + 86,"DGP", + 87,"TCF", + 88,"EIGRP", + 89,"OSPFIGP", + 90,"Sprite-RPC", + 91,"LARP", + 92,"MTP", + 93,"AX.25", + 94,"IPIP", + 95,"MICP (deprecated)", + 96,"SCC-SP", + 97,"ETHERIP", + 98,"ENCAP", + 99,"", + 100,"GMTP", + 101,"IFMP", + 102,"PNNI", + 103,"PIM", + 104,"ARIS", + 105,"SCPS", + 106,"QNX", + 107,"A/N", + 108,"IPComp", + 109,"SNP", + 110,"Compaq-Peer", + 111,"IPX-in-IP", + 112,"VRRP", + 113,"PGM", + 114,"", + 115,"L2TP", + 116,"DDX", + 117,"IATP", + 118,"STP", + 119,"SRP", + 120,"UTI", + 121,"SMP", + 122,"SM (deprecated)", + 123,"PTP", + 124,"ISIS over IPv4", + 125,"FIRE", + 126,"CRTP", + 127,"CRUDP", + 128,"SSCOPMCE", + 129,"IPLT", + 130,"SPS", + 131,"PIPE", + 132,"SCTP", + 133,"FC", + 134,"RSVP-E2E-IGNORE", + 135,"Mobility Header", + 136,"UDPLite", + 137,"MPLS-in-IP", + 138,"manet", + 139,"HIP", + 140,"Shim6", + 141,"WESP", + 142,"ROHC", + 143,"Ethernet", + 253,"", + 254,"", + 255,"Reserved" + ]; + let NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string) + [ + 4,"IPv4", + 6,"IPv6" + ]; + let EventResultLookup = datatable(DvcAction: string, EventResult: string) + [ + "Deny", "Failure", + "Allow", "Success" + ]; + let 
DvcActionLookup = datatable(pd: int, DvcAction: string) + [ + // - Allow + // - Deny + // - Drop + // - Drop ICMP + // - Reset + // - Reset Source + // - Reset Destination + // - Encrypt + // - Decrypt + // - VPNroute + 2, "Deny", + 1, "Allow", + 0, "Allow" + ]; + let ClassLookup = datatable(class: string, ClassDetail: string) + [ + "M", "Multicast", + "B", "Broadcast", + "U", "Unicast" + ]; + let parser = ( + starttime:datetime=datetime(null), + endtime:datetime=datetime(null), + srcipaddr_has_any_prefix:dynamic=dynamic([]), + dstipaddr_has_any_prefix:dynamic=dynamic([]), + ipaddr_has_any_prefix:dynamic=dynamic([]), + dstportnumber:int=int(null), + hostname_has_any:dynamic=dynamic([]), + dvcaction:dynamic=dynamic([]), + eventresult:string='*', + disabled:bool=false) + { + let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); + let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); + Illumio_Flow_Events_CL + | where not(disabled) + | where (isnull(starttime) or TimeGenerated>=starttime) + and (isnull(endtime) or TimeGenerated<=endtime) + // ***** parser filter params ***** + | where + (isnull(dstportnumber) or (dst_port == dstportnumber)) + | extend temp_isSrcMatch=has_any_ipv4_prefix(src_ip,src_or_any) + , temp_isDstMatch=has_any_ipv4_prefix(dst_ip,dst_or_any) + | extend ASimMatchingIpAddr = case( + array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" // match not requested: probably most common case + , (temp_isSrcMatch and temp_isDstMatch), "Both" // has to be checked before the individual + , temp_isSrcMatch, "SrcIpAddr" + , temp_isDstMatch, "DstIpAddr" + , "No match" + ) + | where ASimMatchingIpAddr != "No match" + | extend temp_is_MatchSrcHostname = src_hostname has_any (hostname_has_any) + , temp_is_MatchDstHostname = dst_hostname has_any (hostname_has_any) + | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,"-", + temp_is_MatchSrcHostname and temp_is_MatchDstHostname, "Both", + 
temp_is_MatchSrcHostname, "SrcHostname", + temp_is_MatchDstHostname, "DstHostname", + "No match" + ) + | where ASimMatchingHostname != "No match" + | project-away temp_* + // ***** parser filter params ***** + | lookup ProtocolLookup on proto + | lookup NetworkProtocolVersionLookup on version + | lookup DvcActionLookup on pd //set DvcAction + | extend EventResult = iff(DvcAction == "Deny", "Failure", "Success") + | lookup ClassLookup on class + // ***** parser filter params ***** + | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) + and eventresult=='*' or (eventresult == EventResult) + and (array_length(hostname_has_any)==0 or dst_hostname has_any (hostname_has_any) or src_hostname has_any(hostname_has_any)) + // ***** parser filter params ***** + | extend + EventCount = flow_count, + EventStartTime = TimeGenerated, + EventEndTime= TimeGenerated, + EventType = 'Flow', + EventProduct = 'Core', + EventVendor = 'Illumio', + EventSchemaVersion = '0.2.6', + EventSchema = 'NetworkSession', + Dvc = pce_fqdn + | extend NetworkDirection = case( + dir=='I', 'Inbound', + dir=='O', 'Outbound', + 'Unknown' + ), + NetworkDuration = interval_sec, + DstBytes = tolong(dst_dbo), + SrcBytes = tolong(dst_dbi), + DstIpAddr = dst_ip, + SrcIpAddr = src_ip, + DstPortNumber = dst_port, + DstHostname = dst_hostname, + SrcHostname = src_hostname, + EventSeverity = case( + DvcAction=='Deny', 'Low', + 'Informational' + ) + | extend + SrcProcessName = iif(dir=='O', pn, ''), + DstProcessName = iif(dir=='I', pn, ''), + SrcUsername = iif(dir=='O', un, ''), + DstUsername = iif(dir=='I', un, '') + | extend + SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), + DstUsernameType = _ASIM_GetUsernameType(DstUsername) + //Aliases + | extend + DvcIpAddr = SrcIpAddr, + DvcHostname = SrcHostname + | extend + AdditionalFields = bag_pack("Class", ClassDetail, + "Network",network, + "Source_Labels", src_labels, + "Dest_Labels", dst_labels, + "Src_href", src_href, // can this be stored in 
SrcId instead? + "Dst_href", dst_href // can this be stored in DvcId instead? + ) + // aliases + | extend + Duration = NetworkDuration, + User = DstUsername, + Hostname = DstHostname, + IpAddr = SrcIpAddr, + EventUid = _ItemId + | project-away + pce_fqdn, + icmp_type, + TenantId, + proto, + dst_port, + src_ip, + dst_ip, + code, + dst_dbi, + dst_dbo, + dst_tbi, + dst_tbo, + dst_hostname, + src_hostname, + dir, + flow_count, + src_href, + dst_href, + src_labels, + dst_labels, + network, + class, + org_id, + state, // decide how to use this + pd_qualifier, //decide how to use this + interval_sec, + version, + ddms, // not needed + tdms, // not needed + pn, + un, + pd, + ClassDetail + }; + parser(starttime=starttime, + endtime=endtime, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, + ipaddr_has_any_prefix=ipaddr_has_any_prefix, + dstportnumber=dstportnumber, + hostname_has_any=hostname_has_any, + dvcaction=dvcaction, + eventresult=eventresult, + disabled=disabled) diff --git a/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_DataTest.csv b/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_DataTest.csv new file mode 100644 index 00000000000..ca754f06964 --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_DataTest.csv 
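Review bot: The filter after the lookups, `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and eventresult=='*' or (eventresult == EventResult) and (...)`, leaves the `eventresult` test ungrouped; because `and` binds tighter than `or`, a call that passes a specific `eventresult` bypasses the `dvcaction` condition, so `dvcaction=dynamic(['Deny'])` with `eventresult='Success'` would return allowed flows instead of nothing. Group it as `and (eventresult == '*' or eventresult == EventResult)`. The trailing hostname clause only repeats the `ASimMatchingHostname != "No match"` filter applied earlier and can be dropped. `has_any_ipv4_prefix(src_ip, src_or_any)` matches IPv4 only while `NetworkProtocolVersionLookup` also maps version 6, so presumably any prefix filter silently excludes IPv6 flows; a comment such as `// IPv6 flows are dropped when an IP prefix filter is supplied` would make that visible to rule authors.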
@@ -0,0 +1,12 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Core""] (Schema:NetworkSession)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 100 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Illumio""] (Schema:NetworkSession)" +"(2) Info: Empty value in 100 records (100.0%) in optional field [DstBytes] (Schema:NetworkSession)" +"(2) Info: Empty value in 100 records (100.0%) in optional field [DstProcessName] (Schema:NetworkSession)" +"(2) Info: Empty value in 100 records (100.0%) in optional field [DstUsername] (Schema:NetworkSession)" +"(2) Info: Empty value in 100 records (100.0%) in optional field [SrcBytes] (Schema:NetworkSession)" +"(2) Info: Empty value in 100 records (100.0%) in optional field [SrcProcessName] (Schema:NetworkSession)" +"(2) Info: Empty value in 3 records (3.0%) in recommended field [DstHostname] (Schema:NetworkSession)" +"(2) Info: Empty value in 97 records (97.0%) in optional field [SrcUsername] (Schema:NetworkSession)" +"(2) Info: Empty value in 97 records (97.0%) in recommended field [DvcHostname] (Schema:NetworkSession)" +"(2) Info: Empty value in 97 records (97.0%) in recommended field [SrcHostname] (Schema:NetworkSession)" diff --git a/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_SchemaTest.csv b/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_SchemaTest.csv new file mode 100644 index 00000000000..1c57e263f3e --- /dev/null +++ b/Parsers/ASimNetworkSession/Tests/Illumio_Core_NetworkSession_SchemaTest.csv 
@@ -0,0 +1,119 @@ +Result +"(0) Error: Missing field [DstUsernameType] is mandatory when field [DstUsername] exists" +"(0) Error: Missing field [SrcUsernameType] is mandatory when field [SrcUsername] exists" +"(1) Warning: Missing recommended field [ASimMatchingHostname]" +"(1) Warning: Missing recommended field [ASimMatchingIpAddr]" +"(1) Warning: Missing recommended field [DstDomain]" +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]" +"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]" +"(2) Info: Missing optional field [DstAppId]" +"(2) Info: Missing optional field [DstAppName]" +"(2) Info: Missing optional field [DstAppType]" +"(2) Info: Missing optional field [DstDescription]" +"(2) Info: Missing optional field [DstDeviceType]" +"(2) Info: Missing optional field [DstDvcId]" +"(2) Info: Missing optional field [DstFQDN]" +"(2) Info: Missing optional field [DstGeoCity]" +"(2) Info: Missing optional field [DstGeoCountry]" +"(2) Info: Missing optional field [DstGeoLatitude]" +"(2) Info: Missing optional field [DstGeoLongitude]" +"(2) Info: Missing optional field [DstGeoRegion]" +"(2) Info: Missing optional field [DstInterfaceGuid]" +"(2) Info: Missing optional field [DstInterfaceName]" +"(2) Info: Missing optional field [DstMacAddr]" +"(2) Info: Missing optional field [DstNatIpAddr]" +"(2) Info: Missing optional field [DstNatPortNumber]" +"(2) Info: Missing optional field [DstOriginalUserType]" +"(2) Info: Missing optional field [DstPackets]" +"(2) Info: Missing optional field 
[DstProcessGuid]" +"(2) Info: Missing optional field [DstProcessId]" +"(2) Info: Missing optional field [DstScopeId]" +"(2) Info: Missing optional field [DstUserId]" +"(2) Info: Missing optional field [DstUserType]" +"(2) Info: Missing optional field [DstVlanId]" +"(2) Info: Missing optional field [DstZone]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcFQDN]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInboundInterface]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcOutboundInterface]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [NetworkApplicationProtocol]" +"(2) Info: Missing optional field [NetworkBytes]" +"(2) Info: Missing optional field [NetworkConnectionHistory]" +"(2) Info: Missing optional field [NetworkIcmpCode]" +"(2) Info: Missing optional field [NetworkIcmpType]" +"(2) Info: Missing optional field [NetworkPackets]" +"(2) Info: Missing optional field [NetworkRuleName]" +"(2) Info: Missing optional field [NetworkRuleNumber]" +"(2) Info: Missing optional 
field [NetworkSessionId]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcAppId]" +"(2) Info: Missing optional field [SrcAppName]" +"(2) Info: Missing optional field [SrcAppType]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcInterfaceGuid]" +"(2) Info: Missing optional field [SrcInterfaceName]" +"(2) Info: Missing optional field [SrcMacAddr]" +"(2) Info: Missing optional field [SrcNatIpAddr]" +"(2) Info: Missing optional field [SrcNatPortNumber]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPackets]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcProcessGuid]" +"(2) Info: Missing optional field [SrcProcessId]" +"(2) Info: Missing optional field [SrcScopeId]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcUserType]" +"(2) Info: Missing optional field [SrcVlanId]" +"(2) Info: Missing optional field [SrcZone]" +"(2) Info: Missing optional field [TcpFlagsAck]" +"(2) Info: Missing optional field [TcpFlagsFin]" +"(2) Info: Missing optional field [TcpFlagsPsh]" +"(2) Info: Missing optional field [TcpFlagsRst]" +"(2) Info: Missing optional field [TcpFlagsSyn]" +"(2) Info: Missing optional field [TcpFlagsUrg]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field 
[ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: extra unnormalized column [TenantId]" diff --git a/Sample Data/ASIM/Illumio_Auditable_Events_CL_Schema.csv b/Sample Data/ASIM/Illumio_Auditable_Events_CL_Schema.csv new file mode 100644 index 00000000000..86a7494113d --- /dev/null +++ b/Sample Data/ASIM/Illumio_Auditable_Events_CL_Schema.csv @@ -0,0 +1,15 @@ +ColumnName,ColumnOrdinal,DataType,ColumnType +TimeGenerated,0,"System.DateTime",datetime +href,1,"System.String",string +"pce_fqdn",2,"System.String",string +"created_by",3,"System.Object",dynamic +"event_type",4,"System.String",string +status,5,"System.String",string +severity,6,"System.String",string +action,7,"System.Object",dynamic +"resource_changes",8,"System.Object",dynamic +notifications,9,"System.Object",dynamic +version,10,"System.Int32",int +TenantId,11,"System.String",string +Type,12,"System.String",string +"_ResourceId",13,"System.String",string diff --git a/Sample Data/ASIM/Illumio_Core_AuditEvent_IngestedLogs.csv b/Sample Data/ASIM/Illumio_Core_AuditEvent_IngestedLogs.csv new file mode 100644 index 00000000000..cea6a8ab1c9 --- /dev/null +++ b/Sample Data/ASIM/Illumio_Core_AuditEvent_IngestedLogs.csv 
@@ -0,0 +1,122 @@ +TimeGenerated [Local Time],href,pce_fqdn,created_by,event_type,status,severity,action,resource_changes,notifications,version,TenantId,Type,_ResourceId +"9/16/2024, 5:13:27.340 AM",/orgs/1/events/49836586-288d-4837-a204-fe781017200d,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.update,failure,err,,[],"[{""uuid"":""22eaaea2-e0a8-4fe7-85b4-177098162ab5"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/16/2024, 5:13:27.340 AM",/orgs/1/events/49836586-288d-4837-a204-fe781017200d,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.update,failure,err,,"[{""uuid"":""b5a16a21-620c-4485-8fed-642c3ee9ca41"",""resource"":{""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""},""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03"",""name"":null}},""changes"":{""security_policy_apply_status"":{""before"":""success"",""after"":""failure""}},""change_type"":""update""}]","[{""uuid"":""22eaaea2-e0a8-4fe7-85b4-177098162ab5"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/16/2024, 5:13:27.340 
AM",/orgs/1/events/49836586-288d-4837-a204-fe781017200d,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.update,failure,err,"{""uuid"":""5600a69f-297a-4642-8744-a8f083636fed"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}","[{""uuid"":""b5a16a21-620c-4485-8fed-642c3ee9ca41"",""resource"":{""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""},""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03"",""name"":null}},""changes"":{""security_policy_apply_status"":{""before"":""success"",""after"":""failure""}},""change_type"":""update""}]","[{""uuid"":""22eaaea2-e0a8-4fe7-85b4-177098162ab5"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/16/2024, 5:12:21.562 AM",/orgs/1/events/dcaa0c83-931a-43fe-a0ec-4428198ca76e,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/23"",""hostname"":""self-serve-mnc-1-vm01""},""ven"":{""href"":""/orgs/1/vens/67a2a4df-0b51-4fa6-97e2-406cc898d293"",""hostname"":""self-serve-mnc-1-vm01""}}",agent.update,failure,err,,[],"[{""uuid"":""fd528f18-a69e-459d-9f1e-bf0f15fd3c97"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/16/2024, 5:12:21.562 
AM",/orgs/1/events/dcaa0c83-931a-43fe-a0ec-4428198ca76e,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/23"",""hostname"":""self-serve-mnc-1-vm01""},""ven"":{""href"":""/orgs/1/vens/67a2a4df-0b51-4fa6-97e2-406cc898d293"",""hostname"":""self-serve-mnc-1-vm01""}}",agent.update,failure,err,,"[{""uuid"":""63f8b209-752e-4bd5-844c-25f4ec58a6a7"",""resource"":{""ven"":{""href"":""/orgs/1/vens/67a2a4df-0b51-4fa6-97e2-406cc898d293"",""hostname"":""self-serve-mnc-1-vm01""},""agent"":{""href"":""/orgs/1/agents/23"",""hostname"":""self-serve-mnc-1-vm01"",""name"":null}},""changes"":{""security_policy_apply_status"":{""before"":""success"",""after"":""failure""}},""change_type"":""update""}]","[{""uuid"":""fd528f18-a69e-459d-9f1e-bf0f15fd3c97"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/16/2024, 5:12:21.562 AM",/orgs/1/events/dcaa0c83-931a-43fe-a0ec-4428198ca76e,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/23"",""hostname"":""self-serve-mnc-1-vm01""},""ven"":{""href"":""/orgs/1/vens/67a2a4df-0b51-4fa6-97e2-406cc898d293"",""hostname"":""self-serve-mnc-1-vm01""}}",agent.update,failure,err,"{""uuid"":""0727f30f-cc02-4bf6-ac98-9fa2c15e25aa"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.240""}","[{""uuid"":""63f8b209-752e-4bd5-844c-25f4ec58a6a7"",""resource"":{""ven"":{""href"":""/orgs/1/vens/67a2a4df-0b51-4fa6-97e2-406cc898d293"",""hostname"":""self-serve-mnc-1-vm01""},""agent"":{""href"":""/orgs/1/agents/23"",""hostname"":""self-serve-mnc-1-vm01"",""name"":null}},""changes"":{""security_policy_apply_status"":{""before"":""success"",""after"":""failure""}},""change_type"":""update""}]","[{""uuid"":""fd528f18-a69e-459d-9f1e-bf0f15fd3c97"",""notification_type"":""agent.policy_deploy_failed"",""info"":null}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/24/2024, 7:36:03.369 
PM",/orgs/1/events/69b09d8d-5487-46f5-ba2a-c9e3a241cf66,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/60"",""hostname"":""perf-workload-60""},""ven"":{""href"":""/orgs/1/vens/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0"",""hostname"":""perf-workload-60""}}",request.invalid,failure,err,,[],"[{""uuid"":""2ac06126-7331-4e68-abdb-48365d33c6d5"",""notification_type"":""request.invalid"",""info"":{""api_endpoint"":""/api/v21/orgs/1/agents/60/running_containers"",""api_method"":""PUT"",""src_ip"":""10.6.16.96""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/24/2024, 7:36:03.369 PM",/orgs/1/events/69b09d8d-5487-46f5-ba2a-c9e3a241cf66,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/60"",""hostname"":""perf-workload-60""},""ven"":{""href"":""/orgs/1/vens/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0"",""hostname"":""perf-workload-60""}}",agent.update_running_containers,failure,err,"{""uuid"":""77cb9e7d-66d0-4a7c-be8a-112593af3cc9"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":406,""src_ip"":""10.6.16.96"",""errors"":[{""token"":""container_update_disallowed"",""message"":""Containers cannot be added or updated when container mode if off""}]}",[],"[{""uuid"":""2ac06126-7331-4e68-abdb-48365d33c6d5"",""notification_type"":""request.invalid"",""info"":{""api_endpoint"":""/api/v21/orgs/1/agents/60/running_containers"",""api_method"":""PUT"",""src_ip"":""10.6.16.96""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/24/2024, 7:36:03.379 
PM",/orgs/1/events/b03ffe37-5373-4a91-b934-a4e1ee7b3825,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/59"",""hostname"":""perf-workload-59""},""ven"":{""href"":""/orgs/1/vens/5852011d-7a0c-44f6-81e3-6acd33341748"",""hostname"":""perf-workload-59""}}",request.invalid,failure,err,,[],"[{""uuid"":""1da63c15-cb71-4912-a812-d1b65ef8f118"",""notification_type"":""request.invalid"",""info"":{""api_endpoint"":""/api/v21/orgs/1/agents/59/running_containers"",""api_method"":""PUT"",""src_ip"":""10.6.16.96""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"9/24/2024, 7:36:03.379 PM",/orgs/1/events/b03ffe37-5373-4a91-b934-a4e1ee7b3825,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/59"",""hostname"":""perf-workload-59""},""ven"":{""href"":""/orgs/1/vens/5852011d-7a0c-44f6-81e3-6acd33341748"",""hostname"":""perf-workload-59""}}",agent.update_running_containers,failure,err,"{""uuid"":""9f8c5eb3-b2fc-41c5-80d0-e81b44d32ddc"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":406,""src_ip"":""10.6.16.96"",""errors"":[{""token"":""container_update_disallowed"",""message"":""Containers cannot be added or updated when container mode if off""}]}",[],"[{""uuid"":""1da63c15-cb71-4912-a812-d1b65ef8f118"",""notification_type"":""request.invalid"",""info"":{""api_endpoint"":""/api/v21/orgs/1/agents/59/running_containers"",""api_method"":""PUT"",""src_ip"":""10.6.16.96""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:51:03.582 
PM",/orgs/1/events/f6dbf159-f203-4961-8f5e-9a3bd931a944,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""95919287-278a-4dde-a78c-c7e80759486a"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T01:51:03.0000000Z"",""ending_timestamp"":""2024-10-08T01:51:03.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:51:03.582 PM",/orgs/1/events/f6dbf159-f203-4961-8f5e-9a3bd931a944,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""b327df0a-70ce-4956-8dba-ee1a923b00e8"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""95919287-278a-4dde-a78c-c7e80759486a"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T01:51:03.0000000Z"",""ending_timestamp"":""2024-10-08T01:51:03.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:51:11.284 PM",/orgs/1/events/0b41a7b6-3721-4f1d-b086-fa79ac6231c2,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""2364055d-ef2b-422e-acee-62304baf09ac"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:56:11.641 
PM",/orgs/1/events/8b8c04d8-dced-4774-844a-0908246e65c4,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""b64da8db-a60f-4c36-9fe2-3205cda5f937"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:41:14.416 PM",/orgs/1/events/8ce39c5b-db8d-4dfe-8445-4b28510a7095,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""fa1626d1-4e57-461f-a98a-dba7266233ad"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:51:31.367 PM",/orgs/1/events/77c22a04-df34-4edc-aa3e-4c626429cf2a,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""04100c2e-0030-4fb3-93a6-8d80201b439c"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:54:43.440 
PM",/orgs/1/events/06aabdad-1fb3-43c1-950c-d1bf5f94752b,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""836638d9-38e5-413e-b0e2-3122623527ca"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T02:54:42.0000000Z"",""ending_timestamp"":""2024-10-08T02:54:42.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:54:43.440 PM",/orgs/1/events/06aabdad-1fb3-43c1-950c-d1bf5f94752b,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""faf31556-67f9-4924-a9b5-3a4ea8bc4c10"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""836638d9-38e5-413e-b0e2-3122623527ca"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T02:54:42.0000000Z"",""ending_timestamp"":""2024-10-08T02:54:42.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:56:15.523 PM",/orgs/1/events/975895c8-3e61-43ad-9bfc-6f64232f8996,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""23feeedc-56b1-44c7-9188-a35fa832cb8f"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 7:56:39.212 
PM",/orgs/1/events/f18f0e9d-7f97-4b98-97d8-d90f1fcf181d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""cf50066e-75e0-4904-8dfc-c80a4f589690"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/lost_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 8:46:11.349 PM",/orgs/1/events/ba80b883-2b19-4a33-8cc2-dd48af2a9cc6,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""01a797ac-c85b-4ab3-b5ae-53f3ed3b633d"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T03:46:10.0000000Z"",""ending_timestamp"":""2024-10-08T03:46:10.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 8:46:11.349 PM",/orgs/1/events/ba80b883-2b19-4a33-8cc2-dd48af2a9cc6,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""7369f67f-a35f-4a32-b5bb-037d115375fb"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""01a797ac-c85b-4ab3-b5ae-53f3ed3b633d"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T03:46:10.0000000Z"",""ending_timestamp"":""2024-10-08T03:46:10.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 10:07:06.747 
PM",/orgs/1/events/597d296d-430a-4d54-a7ea-34de6c4b9f51,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""07bfe408-4400-4099-b33a-7001043d6ad8"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 10:07:18.501 PM",/orgs/1/events/ee6c4b4a-2f2a-401d-8515-7dd9eae8db17,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""9c787fb0-497c-45eb-9638-e58e6eef7621"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T05:07:18.0000000Z"",""ending_timestamp"":""2024-10-08T05:07:18.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 10:07:18.501 PM",/orgs/1/events/ee6c4b4a-2f2a-401d-8515-7dd9eae8db17,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""13978fa4-2dcf-4f0e-94b2-55b733a756fd"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""9c787fb0-497c-45eb-9638-e58e6eef7621"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T05:07:18.0000000Z"",""ending_timestamp"":""2024-10-08T05:07:18.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 
10:12:11.056 PM",/orgs/1/events/5d6fcd70-fb8d-4b7b-aa17-41c903ef0156,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""4c9d918c-4eb5-4a76-a48f-e88f05fed246"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 10:17:51.375 PM",/orgs/1/events/9094d51a-f4d0-4a77-9ac9-4744876a1d8f,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""887f81b1-add5-4180-b024-30b0a757f090"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T05:17:50.0000000Z"",""ending_timestamp"":""2024-10-08T05:17:50.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 10:17:51.375 PM",/orgs/1/events/9094d51a-f4d0-4a77-9ac9-4744876a1d8f,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""708c2a1b-c31a-44e3-b61a-cf34cb068b58"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""887f81b1-add5-4180-b024-30b0a757f090"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T05:17:50.0000000Z"",""ending_timestamp"":""2024-10-08T05:17:50.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, 
+"10/7/2024, 10:22:12.659 PM",/orgs/1/events/afab80b9-a54f-400f-a143-49c5141fcafe,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""791fe259-e013-4003-a9cd-ec827237c3f9"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:07:18.260 PM",/orgs/1/events/7ca7e3ae-d5e7-4307-8fbc-b85353b6f2ed,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""38ad35dd-2d62-4897-9cc0-ed608925c136"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:07:17.0000000Z"",""ending_timestamp"":""2024-10-08T06:07:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:07:18.260 
PM",/orgs/1/events/7ca7e3ae-d5e7-4307-8fbc-b85353b6f2ed,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""a4affe2d-2db0-4570-bf76-e7ec22d25717"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""38ad35dd-2d62-4897-9cc0-ed608925c136"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:07:17.0000000Z"",""ending_timestamp"":""2024-10-08T06:07:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:07:40.192 PM",/orgs/1/events/5169d5fa-b7c1-45ae-8774-798cdc0d518d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""56406505-0f4a-4c5d-875f-24302d739adf"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:12:35.859 PM",/orgs/1/events/50224dfe-0186-4be0-aae6-4dbc54aa7196,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""6c51adc1-ccfd-4e6e-a016-2ae272ce44f7"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:17:18.190 
PM",/orgs/1/events/0b7b8055-a152-450a-836d-e1e2da943e40,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""f962a20e-b122-45f7-b909-0cbfe1130ea7"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:17:17.0000000Z"",""ending_timestamp"":""2024-10-08T06:17:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:17:18.190 PM",/orgs/1/events/0b7b8055-a152-450a-836d-e1e2da943e40,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""2e31df44-0dba-48b0-b590-01e5b6258c5c"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""f962a20e-b122-45f7-b909-0cbfe1130ea7"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:17:17.0000000Z"",""ending_timestamp"":""2024-10-08T06:17:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:53:02.954 PM",/orgs/1/events/e09a5922-6e6d-4e46-9034-497657757175,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""307da6af-59ee-427c-9013-a1c41b38c0e1"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 
11:56:45.906 PM",/orgs/1/events/ce0881d4-32e0-4972-9fcc-59e31acc2276,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""4dda4586-da8b-4661-aaed-694e3d381c10"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/lost_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:57:19.082 PM",/orgs/1/events/99bc0814-9a79-49c4-af2a-8f5d1cf78785,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""3b10149b-bc46-4f36-8c2e-627f97e938e3"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:57:18.0000000Z"",""ending_timestamp"":""2024-10-08T06:57:18.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:57:19.082 PM",/orgs/1/events/99bc0814-9a79-49c4-af2a-8f5d1cf78785,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""3ace922c-0deb-4be9-a003-f9dad92653e8"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""3b10149b-bc46-4f36-8c2e-627f97e938e3"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T06:57:18.0000000Z"",""ending_timestamp"":""2024-10-08T06:57:18.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 
11:57:46.457 PM",/orgs/1/events/a7bd9f82-1dba-444f-a43b-a8bf55fd59a2,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""fe27d5a2-c93a-4ca4-a292-4ed333932e6b"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/heartbeat"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:57:53.673 PM",/orgs/1/events/f3df1f8c-394c-4daf-9b06-dbcbf9b2dbd3,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""4949a72d-fe1e-4b90-8774-e59ecb890f71"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/lost_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:58:41.293 PM",/orgs/1/events/a4e332d4-80b1-400f-a00e-2d226ebaa32c,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""9540779f-04ec-46fa-a1d0-0e6d685bd966"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 11:59:44.753 PM",/orgs/1/events/4338729e-3d95-4b29-bb2e-51fe727a9b12,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""ea68f8b9-1b2b-4dcb-82cc-10743476eadd"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/heartbeat"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:23:36.722 
AM",/orgs/1/events/c9e21ab3-fdf7-4cdd-a4c0-3f7556b9d83e,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""c6b147ea-4185-4a70-bf49-69e1bdfb11e1"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:27:49.111 AM",/orgs/1/events/2a6f5409-0897-4732-8e0e-d32af8cd9b7c,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""92794760-7bd8-4c7b-80e8-6e44d1f559c1"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:27:48.0000000Z"",""ending_timestamp"":""2024-10-08T07:27:48.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:27:49.111 AM",/orgs/1/events/2a6f5409-0897-4732-8e0e-d32af8cd9b7c,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""1cee643e-eae2-46e4-9dd4-7c221172dcfc"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""92794760-7bd8-4c7b-80e8-6e44d1f559c1"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:27:48.0000000Z"",""ending_timestamp"":""2024-10-08T07:27:48.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 
12:44:14.659 AM",/orgs/1/events/eec072fc-c1d0-41db-953d-37ae13821157,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""c6c0f0d3-6e76-461a-9d70-d9de3c78f693"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:49:18.205 AM",/orgs/1/events/f6f2af05-2b9c-4db3-bd08-999c8d6bb328,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""00712aa9-790e-49dc-965a-2f543e98f947"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:49:17.0000000Z"",""ending_timestamp"":""2024-10-08T07:49:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:49:18.205 AM",/orgs/1/events/f6f2af05-2b9c-4db3-bd08-999c8d6bb328,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""28884a59-5b0f-4507-88f3-a654c6a9cde2"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""00712aa9-790e-49dc-965a-2f543e98f947"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:49:17.0000000Z"",""ending_timestamp"":""2024-10-08T07:49:17.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, 
+"10/8/2024, 12:54:10.148 AM",/orgs/1/events/39914587-8042-4880-801b-cc502b13869d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""277f3313-eee5-42ad-b356-94fdf3ebfc13"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:59:20.455 AM",/orgs/1/events/70910ec8-72a3-4397-b6ba-cc8118ebeefc,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""2a24b5ca-e5eb-4b8b-b366-65c6bfd3430c"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:59:37.038 AM",/orgs/1/events/3e564f57-91ab-46ad-b65a-568059d1cd9e,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""ffe20ea9-b2fe-47bf-9d36-3379fe066198"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:59:36.0000000Z"",""ending_timestamp"":""2024-10-08T07:59:36.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 12:59:37.038 
AM",/orgs/1/events/3e564f57-91ab-46ad-b65a-568059d1cd9e,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""e37ca7fd-404f-4eac-8534-d075efe99bbf"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""ffe20ea9-b2fe-47bf-9d36-3379fe066198"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T07:59:36.0000000Z"",""ending_timestamp"":""2024-10-08T07:59:36.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 2:09:36.661 AM",/orgs/1/events/ba6ac981-858e-49d2-bb0e-0b1b2922ad15,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""847cb148-16d5-4b51-8c6b-68b38df284a7"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 2:12:54.213 AM",/orgs/1/events/e449f122-db80-4b09-bcf1-b3b08f0d01f9,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""7b326c8d-63e2-4908-830c-a77a34625c51"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T09:12:53.0000000Z"",""ending_timestamp"":""2024-10-08T09:12:53.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 2:12:54.213 
AM",/orgs/1/events/e449f122-db80-4b09-bcf1-b3b08f0d01f9,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""171ff226-594c-4e56-8de5-e37dca3b1a31"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""7b326c8d-63e2-4908-830c-a77a34625c51"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T09:12:53.0000000Z"",""ending_timestamp"":""2024-10-08T09:12:53.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 2:15:02.090 AM",/orgs/1/events/d486e478-b1e1-4770-b549-934afe102120,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""58a36009-3e3a-4f45-b1c0-72460c9afac7"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 2:45:56.533 AM",/orgs/1/events/582c8832-b347-4a67-b178-3b681e2317c3,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""ab553fc8-ec17-4ee5-aabd-971051b222e8"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:09:57.022 
AM",/orgs/1/events/47b2d994-bf24-4919-afa4-751402bd9ef6,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""ffaf33be-8a39-445e-b314-c62d5f8b3f85"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:14:30.966 AM",/orgs/1/events/720385c9-4832-4359-8c10-ab451086cfd9,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""8a25fa17-f799-4fa5-8abf-c35362ff55bc"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T10:14:30.0000000Z"",""ending_timestamp"":""2024-10-08T10:14:30.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:14:30.966 AM",/orgs/1/events/720385c9-4832-4359-8c10-ab451086cfd9,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""2d1af777-97a7-4d21-959d-7a26825b654e"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""8a25fa17-f799-4fa5-8abf-c35362ff55bc"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T10:14:30.0000000Z"",""ending_timestamp"":""2024-10-08T10:14:30.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:16:10.293 
AM",/orgs/1/events/38e80db5-4459-4ad6-b2da-7f85b1f99722,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""ed0f1dbe-87dc-4fc7-8ec5-44d7ae3f40b4"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:31:11.385 AM",/orgs/1/events/983ba2a2-6769-46c9-bf9f-d5cab20aa949,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""5b5d46a5-662c-4a7a-b7e1-2fea9f902abe"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:33:53.904 AM",/orgs/1/events/adac060e-1953-4a66-b668-485f030cbbec,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""80eab743-c51b-4106-abea-7a1c99057dff"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T10:33:53.0000000Z"",""ending_timestamp"":""2024-10-08T10:33:53.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 3:33:53.904 
AM",/orgs/1/events/adac060e-1953-4a66-b668-485f030cbbec,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""b12dc79e-c033-40f0-a7a1-b4a1bfb08047"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""80eab743-c51b-4106-abea-7a1c99057dff"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T10:33:53.0000000Z"",""ending_timestamp"":""2024-10-08T10:33:53.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:10:00.532 AM",/orgs/1/events/809e2d6e-0054-43c4-ac88-c7f5ed03adff,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""bae05474-bd43-4d64-9a91-f687de4a12f8"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:13:31.008 AM",/orgs/1/events/8ca5b252-97ed-4bb6-99eb-b46e0168abf7,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""badf65f6-9e33-4f93-b684-856e2797f730"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T11:13:30.0000000Z"",""ending_timestamp"":""2024-10-08T11:13:30.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:13:31.008 
AM",/orgs/1/events/8ca5b252-97ed-4bb6-99eb-b46e0168abf7,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""5c4f4f7c-3964-4c74-b8ae-a358b7908a8e"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""badf65f6-9e33-4f93-b684-856e2797f730"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T11:13:30.0000000Z"",""ending_timestamp"":""2024-10-08T11:13:30.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:31:14.940 AM",/orgs/1/events/39dd67a3-149a-4b74-9aa7-360d7430a10d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""86d8dc79-1ac9-418e-8ea4-5bdb3881a108"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:35:08.026 AM",/orgs/1/events/537fcb21-3348-4a61-94e8-73e9480fb51f,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""3087cb85-2359-436f-992f-e300ee9fa356"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T11:35:07.0000000Z"",""ending_timestamp"":""2024-10-08T11:35:07.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:35:08.026 
AM",/orgs/1/events/537fcb21-3348-4a61-94e8-73e9480fb51f,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""225592f2-14be-4dfd-b46f-99e9cc9c99df"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""3087cb85-2359-436f-992f-e300ee9fa356"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T11:35:07.0000000Z"",""ending_timestamp"":""2024-10-08T11:35:07.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 4:46:15.869 AM",/orgs/1/events/83bb37a7-2410-4206-b017-faf58cbf5d8c,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""1f88aa34-6b3e-4138-877f-3997ce00f145"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:10:16.255 AM",/orgs/1/events/dfaa1b91-a813-4e0e-9ae7-59e5b1aa6f00,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""1d7077a7-97de-4be7-9245-d34f925776d1"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:15:07.242 
AM",/orgs/1/events/b1bfb622-48bb-48c9-b52a-f1a4d5d55009,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""f2860ef7-b8f0-44fc-85f0-ffe6dddcb27c"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:15:06.0000000Z"",""ending_timestamp"":""2024-10-08T12:15:06.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:15:07.242 AM",/orgs/1/events/b1bfb622-48bb-48c9-b52a-f1a4d5d55009,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""80166303-3005-4272-91c7-1c59a480d407"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""f2860ef7-b8f0-44fc-85f0-ffe6dddcb27c"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:15:06.0000000Z"",""ending_timestamp"":""2024-10-08T12:15:06.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:46:05.951 
AM",/orgs/1/events/86ece2f7-10c9-4396-bc4d-5051a2ec28de,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""ec649339-5b1d-488f-b2ee-86eea7953490"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:46:05.0000000Z"",""ending_timestamp"":""2024-10-08T12:46:05.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:46:05.951 AM",/orgs/1/events/86ece2f7-10c9-4396-bc4d-5051a2ec28de,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""a9a69580-798d-49fc-a2d3-c0826e677763"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""ec649339-5b1d-488f-b2ee-86eea7953490"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:46:05.0000000Z"",""ending_timestamp"":""2024-10-08T12:46:05.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:47:12.514 AM",/orgs/1/events/8c0efb85-039b-4149-9cd3-38fc92bc0a39,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""fd107823-be34-4bc1-8184-3996b9ae147a"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:55:54.001 
AM",/orgs/1/events/2bc723d6-8cdd-411f-aa8f-ece494860ec3,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""2e738758-55d2-441a-a9e1-aba190ac6511"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:56:29.488 AM",/orgs/1/events/d6b74210-592b-4d9e-aa3c-85a3395edaec,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""911e5c34-270f-43bb-8ddd-5e13adf1f3a4"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:56:29.0000000Z"",""ending_timestamp"":""2024-10-08T12:56:29.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 5:56:29.488 AM",/orgs/1/events/d6b74210-592b-4d9e-aa3c-85a3395edaec,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""9d4ebf0e-df25-489a-9d44-c231062c7c57"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""911e5c34-270f-43bb-8ddd-5e13adf1f3a4"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T12:56:29.0000000Z"",""ending_timestamp"":""2024-10-08T12:56:29.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:02:30.088 
AM",/orgs/1/events/ca3c000e-19c9-414a-8809-fb71ccc30396,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""83b37908-8102-4508-b7ca-01244d8689be"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:07:03.403 AM",/orgs/1/events/d07c1e60-37a6-422c-b7f6-d02a834160f0,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""4ef2a9cd-a737-4247-b419-d82917161f3c"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T13:07:02.0000000Z"",""ending_timestamp"":""2024-10-08T13:07:02.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:07:03.403 AM",/orgs/1/events/d07c1e60-37a6-422c-b7f6-d02a834160f0,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""6e7aa745-6e3d-406c-bf3d-cd88ea6224fb"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""4ef2a9cd-a737-4247-b419-d82917161f3c"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T13:07:02.0000000Z"",""ending_timestamp"":""2024-10-08T13:07:02.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:11:09.852 
AM",/orgs/1/events/a4208a08-9ae6-4842-a9f7-31114b5639f0,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""ea1b4579-85f3-4369-97bc-73e3c360b4e5"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:16:49.394 AM",/orgs/1/events/6354c5c2-d5f3-425e-a1d0-2479a3154045,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""7b3893bb-78de-4bab-9f38-cde233e616bb"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T13:16:48.0000000Z"",""ending_timestamp"":""2024-10-08T13:16:48.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:16:49.394 AM",/orgs/1/events/6354c5c2-d5f3-425e-a1d0-2479a3154045,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""2665c0bf-9206-402d-a719-d9c778f6e081"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""7b3893bb-78de-4bab-9f38-cde233e616bb"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T13:16:48.0000000Z"",""ending_timestamp"":""2024-10-08T13:16:48.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 6:17:46.226 
AM",/orgs/1/events/07fb0b38-3f28-4664-950c-390117defdc4,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""c40a5af3-a899-4cb4-896a-5f3f27fcd2b3"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:11:02.351 AM",/orgs/1/events/b8ad40dd-da7b-42a8-941a-a5f7d6e51b65,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""6937d712-3de7-4fc2-a8cc-9a284c72c4a9"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:11:01.0000000Z"",""ending_timestamp"":""2024-10-08T16:11:01.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:11:02.351 AM",/orgs/1/events/b8ad40dd-da7b-42a8-941a-a5f7d6e51b65,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""bd41f3b8-4454-4e90-8cda-a77963d8c3a5"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""6937d712-3de7-4fc2-a8cc-9a284c72c4a9"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:11:01.0000000Z"",""ending_timestamp"":""2024-10-08T16:11:01.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:12:26.979 
AM",/orgs/1/events/5e13d6e3-8007-4462-b04d-9f05ee90626c,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""f635b5f2-387c-42c8-bdc3-10ec46e60ad4"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:20:29.622 AM",/orgs/1/events/85c2d40d-3b0b-4075-9822-7cc4a2b23ff7,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""bbcefd68-2821-4776-b7ba-373a3f6bd5c0"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:20:29.0000000Z"",""ending_timestamp"":""2024-10-08T16:20:29.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:20:29.622 AM",/orgs/1/events/85c2d40d-3b0b-4075-9822-7cc4a2b23ff7,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""b7f1f311-8ff7-4a52-8678-b9e50c1ff7a2"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""bbcefd68-2821-4776-b7ba-373a3f6bd5c0"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:20:29.0000000Z"",""ending_timestamp"":""2024-10-08T16:20:29.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:20:48.413 
AM",/orgs/1/events/6ebf6d54-4cfb-40bb-89c8-62b7986242b5,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""baeed4e0-5ccd-4fdd-b2b2-3b7e9775f75d"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:50:49.976 AM",/orgs/1/events/cc643aba-2677-4302-b181-19b168d39698,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""dec1ab0c-2ec4-4401-aaf0-428c594bc0bf"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:51:33.423 AM",/orgs/1/events/d9ebd14f-cfd0-4967-8f59-bdf0b89bc544,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""35734173-5fe6-4af2-9614-79a1905cc1a7"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:51:32.0000000Z"",""ending_timestamp"":""2024-10-08T16:51:32.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:51:33.423 
AM",/orgs/1/events/d9ebd14f-cfd0-4967-8f59-bdf0b89bc544,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""c5064d62-fb9e-4fe7-9ecc-d1e4215fedf0"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""35734173-5fe6-4af2-9614-79a1905cc1a7"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T16:51:32.0000000Z"",""ending_timestamp"":""2024-10-08T16:51:32.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 9:57:29.900 AM",/orgs/1/events/a8f071c2-62d0-4b01-b3d7-761bbcb7dc3d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""a672403d-2989-4f67-b19c-533c843cf21d"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:00:43.894 AM",/orgs/1/events/8ee79d3e-f465-4d51-909d-32cf3d816f0c,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""482cfe06-6a0d-40f8-8517-70d5ac183d04"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:00:43.0000000Z"",""ending_timestamp"":""2024-10-08T17:00:43.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:00:43.894 
AM",/orgs/1/events/8ee79d3e-f465-4d51-909d-32cf3d816f0c,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""e0a6f65c-c01c-4859-a3c5-8eed034da202"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""482cfe06-6a0d-40f8-8517-70d5ac183d04"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:00:43.0000000Z"",""ending_timestamp"":""2024-10-08T17:00:43.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:05:50.724 AM",/orgs/1/events/9501a682-f7c2-49ad-ab3b-68c9784b775d,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""d38e4743-d723-47fc-a19b-87c1e0300b16"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:10:48.451 AM",/orgs/1/events/79cf5a1a-207d-4c5b-be66-86553a3aba59,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""a4826f10-3998-4d7f-8eb8-75a5a350d93b"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:10:47.0000000Z"",""ending_timestamp"":""2024-10-08T17:10:47.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 
10:10:48.451 AM",/orgs/1/events/79cf5a1a-207d-4c5b-be66-86553a3aba59,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""9285d362-af70-4dac-b54d-bd8bcde69680"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""a4826f10-3998-4d7f-8eb8-75a5a350d93b"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:10:47.0000000Z"",""ending_timestamp"":""2024-10-08T17:10:47.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:12:30.681 AM",/orgs/1/events/bf5430dd-e1d3-446c-b3b6-7951aabe8e30,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""688a88b2-b6d1-467a-944f-b31302c68121"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:27:31.381 AM",/orgs/1/events/b0f84559-2ab0-45b2-bf84-d46db7f90d1c,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""96753bdb-6e2e-4ed2-80d4-7f8c525b1eb5"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:31:26.419 
AM",/orgs/1/events/e98b1a96-5492-4fc2-af23-37ea67c214ed,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""a7263efc-02b2-40d5-8f21-c9213afd630e"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:31:25.0000000Z"",""ending_timestamp"":""2024-10-08T17:31:25.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:31:26.419 AM",/orgs/1/events/e98b1a96-5492-4fc2-af23-37ea67c214ed,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""bdd7ace1-6fac-406c-8f16-9db911890217"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""a7263efc-02b2-40d5-8f21-c9213afd630e"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T17:31:25.0000000Z"",""ending_timestamp"":""2024-10-08T17:31:25.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:37:59.429 
PM",/orgs/1/events/e66660ed-4e36-4654-9faa-731881eaff17,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,,[],"[{""uuid"":""2048ec5b-9afc-4ced-b64e-ed8472aa58e3"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T01:37:58.0000000Z"",""ending_timestamp"":""2024-10-08T01:37:58.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:37:59.429 PM",/orgs/1/events/e66660ed-4e36-4654-9faa-731881eaff17,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/25"",""hostname"":""self-serve-mnc-1-vm03""},""ven"":{""href"":""/orgs/1/vens/89a37812-660c-440a-9744-ea4fe18670af"",""hostname"":""self-serve-mnc-1-vm03""}}",agent.tampering,success,err,"{""uuid"":""d43b3210-5fd2-4155-830c-5f8b4c2e8cc3"",""api_endpoint"":""FILTERED"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""10.2.20.243""}",[],"[{""uuid"":""2048ec5b-9afc-4ced-b64e-ed8472aa58e3"",""notification_type"":""workload.oob_policy_changes"",""info"":{""tampering_revert_succeeded"":true,""beginning_timestamp"":""2024-10-08T01:37:58.0000000Z"",""ending_timestamp"":""2024-10-08T01:37:58.0000000Z"",""num_events"":1}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:20.714 
PM",/orgs/1/events/3570cc8e-2e5d-438e-9a10-c6eb1bec65c2,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",label.create,success,info,"{""uuid"":""46588c33-0b85-4594-ba2f-b57d0d268ea0"",""api_endpoint"":""/api/v2/orgs/1/labels"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""f935c8b8-ddbf-40f2-b27a-9e2d4889790b"",""resource"":{""label"":{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""}},""changes"":{""key"":{""before"":null,""after"":""role""},""value"":{""before"":null,""after"":""Role47604""},""label_dimension"":{""before"":null,""after"":{""href"":""/orgs/1/label_dimensions/315bcb12-3c71-4fad-8047-65917af0aedc""}},""deleted"":{""before"":null,""after"":false},""visible"":{""before"":null,""after"":true}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:20.972 PM",/orgs/1/events/d1cccec4-2d62-4ed8-990f-33979ad606bd,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",label.create,success,info,"{""uuid"":""a21d7501-8377-48f1-b861-ba38b76a97d7"",""api_endpoint"":""/api/v2/orgs/1/labels"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""6c5c624d-3a92-4770-b653-552468c6c3fc"",""resource"":{""label"":{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""}},""changes"":{""key"":{""before"":null,""after"":""app""},""value"":{""before"":null,""after"":""App47604""},""label_dimension"":{""before"":null,""after"":{""href"":""/orgs/1/label_dimensions/e48631e0-8e3f-46aa-b83d-3527186342ea""}},""deleted"":{""before"":null,""after"":false},""visible"":{""before"":null,""after"":true}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:21.108 
PM",/orgs/1/events/ca02ef48-f075-4750-9984-66cdc8c0f2b7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",label.create,success,info,"{""uuid"":""04f0f62e-3584-4ce1-b6f1-916f626b3ff3"",""api_endpoint"":""/api/v2/orgs/1/labels"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""e724bc4a-226b-412a-9ed3-f0d8a541dc3d"",""resource"":{""label"":{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""}},""changes"":{""key"":{""before"":null,""after"":""env""},""value"":{""before"":null,""after"":""Env47604""},""label_dimension"":{""before"":null,""after"":{""href"":""/orgs/1/label_dimensions/9d4231de-1de4-4abe-a2ee-f43dddd2cb08""}},""deleted"":{""before"":null,""after"":false},""visible"":{""before"":null,""after"":true}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:21.280 PM",/orgs/1/events/d2baa1f4-1a84-4607-8c84-5c789d27ebfc,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",label.create,success,info,"{""uuid"":""3ab8a5ad-0c89-48d4-94c3-e7a1aecaba40"",""api_endpoint"":""/api/v2/orgs/1/labels"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""d82648b0-ad00-4de9-873f-98af2a1f9631"",""resource"":{""label"":{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}},""changes"":{""key"":{""before"":null,""after"":""loc""},""value"":{""before"":null,""after"":""Loc47604""},""label_dimension"":{""before"":null,""after"":{""href"":""/orgs/1/label_dimensions/c38b96e2-f630-41ea-8d17-a4935295f7c8""}},""deleted"":{""before"":null,""after"":false},""visible"":{""before"":null,""after"":true}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:22.062 
PM",/orgs/1/events/bb3ad5e5-e79b-4bed-a060-0c76873eb8f8,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",pairing_profile.create,success,info,"{""uuid"":""66588bb7-c7b7-4db7-bb02-5547b94d3f1a"",""api_endpoint"":""/api/v2/orgs/1/pairing_profiles"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""d14ce81a-50f5-4ce5-ba75-28240c71c8dc"",""resource"":{""pairing_profile"":{""href"":""/orgs/1/pairing_profiles/104"",""name"":""Gatling-Utils-Created-Pairing-Profile47604""}},""changes"":{""name"":{""before"":null,""after"":""Gatling-Utils-Created-Pairing-Profile47604""},""description"":{""before"":null,""after"":""""},""enabled"":{""before"":null,""after"":true},""enforcement_mode"":{""before"":null,""after"":""visibility_only""},""is_default"":{""before"":null,""after"":false},""env_label_lock"":{""before"":null,""after"":true},""loc_label_lock"":{""before"":null,""after"":true},""role_label_lock"":{""before"":null,""after"":true},""app_label_lock"":{""before"":null,""after"":true},""mode_lock"":{""before"":null,""after"":true},""log_traffic"":{""before"":null,""after"":false},""log_traffic_lock"":{""before"":null,""after"":true},""visibility_level"":{""before"":null,""after"":""flow_summary""},""visibility_level_lock"":{""before"":null,""after"":true},""label_ids_array"":{""before"":null,""after"":[]},""ven_type"":{""before"":null,""after"":""specified_during_activation""},""labels"":{""created"":[{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""},{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""}]}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:22.720 
PM",/orgs/1/events/4ab6319b-08e4-4669-bbe6-1545369efb06,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",ip_list.create,success,info,"{""uuid"":""0bac20e1-bea7-4d76-9205-5859219acdf6"",""api_endpoint"":""/api/v2/orgs/1/sec_policy/draft/ip_lists"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""68ca8ab0-5ed1-4f41-8bc3-715673596309"",""resource"":{""ip_list"":{""href"":""/orgs/1/sec_policy/draft/ip_lists/83"",""name"":""Gatling-IPList-23369""}},""changes"":{""name"":{""before"":null,""after"":""Gatling-IPList-23369""},""description"":{""before"":null,""after"":""Gatling Test Data""},""ip_ranges"":{""created"":[{""name"":null,""from_ip"":""169.197.234.115"",""exclusion"":false},{""name"":null,""from_ip"":""20.182.61.73"",""exclusion"":false}]}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:23.102 PM",/orgs/1/events/73f9e31e-240a-4ba0-8cb6-29543f31b739,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",sec_policy.create,success,info,"{""uuid"":""f43a21e9-1d0f-4c1b-ad10-0ca0f7741ea0"",""api_endpoint"":""/api/v2/orgs/1/sec_policy"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""2411a7c6-34c7-41a1-8131-8a5431d0db1c"",""resource"":{""sec_policy"":{""href"":""/orgs/1/sec_policy/222"",""commit_message"":""ProvisionNewIpList"",""version"":222,""modified_objects"":{""rulesets"":{},""services"":{},""ip_lists"":{""/orgs/1/sec_policy/draft/ip_lists/83"":{""action"":""created"",""name"":""Gatling-IPList-23369"",""description"":""Gatling Test 
Data""}},""firewall_settings"":{},""label_groups"":{},""secure_connect_gateways"":{},""bound_services"":{},""virtual_servers"":{},""selective_enforcement_rules"":{},""essential_service_rules"":{}}}},""changes"":{""commit_message"":{""before"":null,""after"":""ProvisionNewIpList""},""version"":{""before"":null,""after"":222},""workloads_affected"":{""before"":null,""after"":0},""object_counts"":{""before"":null,""after"":{""rule_sets"":10,""services"":106,""ip_lists"":8,""firewall_settings"":1,""label_groups"":5,""secure_connect_gateways"":0,""virtual_servers"":0,""enforcement_boundaries"":4,""virtual_services"":8,""essential_service_rules"":1}}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:28.877 PM",/orgs/1/events/fc9b02b6-12c8-4e45-9886-c1c33732bf4c,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/91"",""hostname"":""Gatling-Agent""},""ven"":{""href"":""/orgs/1/vens/8e54421f-35ec-4c34-ab8d-8a1b6a79a007"",""hostname"":""Gatling-Agent""}}",agent.activate,success,info,"{""uuid"":""bb22cb84-0fef-4776-a425-38f8acbb424e"",""api_endpoint"":""FILTERED"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.96""}","[{""uuid"":""80b12eb7-8544-4b3e-9042-c12f5b48201d"",""resource"":{""workload"":{""href"":""/orgs/1/workloads/8e54421f-35ec-4c34-ab8d-8a1b6a79a007"",""name"":null,""hostname"":""Gatling-Agent"",""labels"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""changes"":{""online"":{""before"":null,""after"":true},""os_id"":{""before"":null,""after"":""ubuntu-x86_64-xenial""},""hostname"":{""before"":null,""after"":""Gatling-Agent""},""public_ip"":{""before"":null,""after"":""10.6.16.96""},""os_detail"":{""before"":null,""a
fter"":""4.4.0-97-generic #120-Ubuntu SMP Tue Sep 19 17:28:18 UTC 2017 (Ubuntu 16.04.1 LTS)""},""secure_connect_settings"":{""before"":null,""after"":{""ike_version"":0,""support_nat"":true}},""deleted"":{""before"":null,""after"":false},""label_ids_array"":{""before"":null,""after"":[]},""enforcement_mode"":{""before"":null,""after"":""visibility_only""},""log_traffic"":{""before"":null,""after"":false},""visibility_level"":{""before"":null,""after"":""flow_summary""},""server_roles"":{""before"":null,""after"":[]},""row_modified_at"":{""before"":null,""after"":""2024-10-08T01:40:28.5000000Z""},""workload_interfaces"":{""created"":[{""href"":""/orgs/1/workloads/8e54421f-35ec-4c34-ab8d-8a1b6a79a007/interfaces/eth0"",""name"":""eth0"",""address"":null,""network"":null}]},""labels"":{""created"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""change_type"":""create""},{""uuid"":""c4811f76-ba81-4697-957e-9567ca7e88e9"",""resource"":{""ven"":{""href"":""/orgs/1/vens/8e54421f-35ec-4c34-ab8d-8a1b6a79a007"",""hostname"":""Gatling-Agent""},""agent"":{""href"":""/orgs/1/agents/91"",""name"":null,""hostname"":""Gatling-Agent""}},""changes"":{""status"":{""before"":null,""after"":""active""},""agent_version"":{""before"":null,""after"":""23.3.0""},""managed_since"":{""before"":null,""after"":""2024-10-08T01:40:28.5230000Z""},""pairing_profile"":{""before"":null,""after"":{""href"":""/orgs/1/pairing_profiles/104""}},""activation_type"":{""before"":null,""after"":""pairing_key""},""hostname"":{""before"":null,""after"":""Gatling-Agent""},""machine_id"":{""before"":null,""after"":""61e989dfbc21074bab332a78353d9b92""},""os_platform"":{""before"":null,""after"":""linux""},""tampered"":{""before"":null,""after"":false},""secure_connect
_error"":{""before"":null,""after"":false},""api_version"":{""before"":null,""after"":1},""token_ttl_grace_count"":{""before"":null,""after"":0},""token_in_use"":{""before"":null,""after"":false},""pce_apply_policy_seq"":{""before"":null,""after"":0},""agent_apply_policy_seq"":{""before"":null,""after"":0},""synchronized"":{""before"":null,""after"":false},""type"":{""before"":null,""after"":""AgentInfo""},""label_ids_array"":{""before"":null,""after"":[]},""ven_type"":{""before"":null,""after"":""server""},""network_detect_state"":{""before"":null,""after"":0}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:29.026 PM",/orgs/1/events/85aa8908-1d27-47b7-afdb-8a625704cfef,2x2testvc308.ilabs.io,"{""agent"":{""href"":""/orgs/1/agents/90"",""hostname"":""Gatling-Agent""},""ven"":{""href"":""/orgs/1/vens/da879f91-db8b-451e-b150-96aa909377c1"",""hostname"":""Gatling-Agent""}}",agent.activate,success,info,"{""uuid"":""7fb3190e-8976-42f0-acbd-48e8899f4341"",""api_endpoint"":""FILTERED"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.96""}","[{""uuid"":""3848c9df-da58-4923-9e22-2fb9586567e6"",""resource"":{""workload"":{""href"":""/orgs/1/workloads/da879f91-db8b-451e-b150-96aa909377c1"",""name"":null,""hostname"":""Gatling-Agent"",""labels"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""changes"":{""online"":{""before"":null,""after"":true},""os_id"":{""before"":null,""after"":""ubuntu-x86_64-xenial""},""hostname"":{""before"":null,""after"":""Gatling-Agent""},""public_ip"":{""before"":null,""after"":""10.6.16.96""},""os_detail"":{""before"":null,""after"":""4.4.0-97-generic #120-Ubuntu SMP Tue Sep 19 17:28:18 UTC 2017 (Ubuntu 
16.04.1 LTS)""},""secure_connect_settings"":{""before"":null,""after"":{""ike_version"":0,""support_nat"":true}},""deleted"":{""before"":null,""after"":false},""label_ids_array"":{""before"":null,""after"":[]},""enforcement_mode"":{""before"":null,""after"":""visibility_only""},""log_traffic"":{""before"":null,""after"":false},""visibility_level"":{""before"":null,""after"":""flow_summary""},""server_roles"":{""before"":null,""after"":[]},""row_modified_at"":{""before"":null,""after"":""2024-10-08T01:40:28.4650000Z""},""workload_interfaces"":{""created"":[{""href"":""/orgs/1/workloads/da879f91-db8b-451e-b150-96aa909377c1/interfaces/eth0"",""name"":""eth0"",""address"":null,""network"":null}]},""labels"":{""created"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""change_type"":""create""},{""uuid"":""c038f1aa-8d2a-4a4c-89b9-99b42fd6584c"",""resource"":{""ven"":{""href"":""/orgs/1/vens/da879f91-db8b-451e-b150-96aa909377c1"",""hostname"":""Gatling-Agent""},""agent"":{""href"":""/orgs/1/agents/90"",""name"":null,""hostname"":""Gatling-Agent""}},""changes"":{""status"":{""before"":null,""after"":""active""},""agent_version"":{""before"":null,""after"":""23.3.0""},""managed_since"":{""before"":null,""after"":""2024-10-08T01:40:28.4880000Z""},""pairing_profile"":{""before"":null,""after"":{""href"":""/orgs/1/pairing_profiles/104""}},""activation_type"":{""before"":null,""after"":""pairing_key""},""hostname"":{""before"":null,""after"":""Gatling-Agent""},""machine_id"":{""before"":null,""after"":""9e91c86bfd21e78b2076b44c9474ef3e""},""os_platform"":{""before"":null,""after"":""linux""},""tampered"":{""before"":null,""after"":false},""secure_connect_error"":{""before"":null,""after"":false},""api_version"":{""before"":null,""a
fter"":1},""token_ttl_grace_count"":{""before"":null,""after"":0},""token_in_use"":{""before"":null,""after"":false},""pce_apply_policy_seq"":{""before"":null,""after"":0},""agent_apply_policy_seq"":{""before"":null,""after"":0},""synchronized"":{""before"":null,""after"":false},""type"":{""before"":null,""after"":""AgentInfo""},""label_ids_array"":{""before"":null,""after"":[]},""ven_type"":{""before"":null,""after"":""server""},""network_detect_state"":{""before"":null,""after"":0}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:35.305 PM",/orgs/1/events/3d5b3f54-a67b-4eba-8dfb-1e9fe63ec440,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",workload.create,success,info,"{""uuid"":""3eb91286-4d2f-4b7e-948a-d18d663b26d2"",""api_endpoint"":""/api/v2/orgs/1/workloads"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""eb2f6773-87e6-4046-a5eb-776f506ef62f"",""resource"":{""workload"":{""href"":""/orgs/1/workloads/f8383bb9-ea47-4ae2-bd52-344312ceec6d"",""name"":""GatlingToolUMWL147604"",""hostname"":""GatlingToolUMWL147604"",""labels"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""changes"":{""name"":{""before"":null,""after"":""GatlingToolUMWL147604""},""description"":{""before"":null,""after"":""UnManaged WorkLoad Created via Gatling 
UtilsGatlingToolUMWL147604""},""hostname"":{""before"":null,""after"":""GatlingToolUMWL147604""},""public_ip"":{""before"":null,""after"":""75.246.184.89""},""online"":{""before"":null,""after"":true},""deleted"":{""before"":null,""after"":false},""label_ids_array"":{""before"":null,""after"":[]},""enforcement_mode"":{""before"":null,""after"":""visibility_only""},""log_traffic"":{""before"":null,""after"":false},""visibility_level"":{""before"":null,""after"":""flow_summary""},""server_roles"":{""before"":null,""after"":[]},""workload_interfaces"":{""created"":[{""href"":""/orgs/1/workloads/f8383bb9-ea47-4ae2-bd52-344312ceec6d/interfaces/eth0"",""name"":""eth0"",""address"":""75.246.184.89"",""network"":{""href"":""/orgs/1/networks/a11a0318-14c3-4453-a6e3-0856bd66910b"",""name"":""Corporate""}}]},""labels"":{""created"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:36.230 
PM",/orgs/1/events/5757e296-5a96-4af3-a2bb-1b0d5ecae007,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",workload.create,success,info,"{""uuid"":""1486dbaf-2058-4a5f-b5cf-8bc7912efbeb"",""api_endpoint"":""/api/v2/orgs/1/workloads"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""35093ab0-da6d-4090-809d-c149f5167aaf"",""resource"":{""workload"":{""href"":""/orgs/1/workloads/6a29b8cf-3954-46eb-bf1f-9e08d7ce8bec"",""name"":""GatlingToolUMWL247604"",""hostname"":""GatlingToolUMWL247604"",""labels"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""changes"":{""name"":{""before"":null,""after"":""GatlingToolUMWL247604""},""description"":{""before"":null,""after"":""UnManaged WorkLoad Created via Gatling 
UtilsGatlingToolUMWL247604""},""hostname"":{""before"":null,""after"":""GatlingToolUMWL247604""},""public_ip"":{""before"":null,""after"":""191.225.159.2""},""online"":{""before"":null,""after"":true},""deleted"":{""before"":null,""after"":false},""label_ids_array"":{""before"":null,""after"":[]},""enforcement_mode"":{""before"":null,""after"":""visibility_only""},""log_traffic"":{""before"":null,""after"":false},""visibility_level"":{""before"":null,""after"":""flow_summary""},""server_roles"":{""before"":null,""after"":[]},""workload_interfaces"":{""created"":[{""href"":""/orgs/1/workloads/6a29b8cf-3954-46eb-bf1f-9e08d7ce8bec/interfaces/eth0"",""name"":""eth0"",""address"":""191.225.159.2"",""network"":{""href"":""/orgs/1/networks/a11a0318-14c3-4453-a6e3-0856bd66910b"",""name"":""Corporate""}}]},""labels"":{""created"":[{""href"":""/orgs/1/labels/243"",""key"":""role"",""value"":""Role47604""},{""href"":""/orgs/1/labels/244"",""key"":""app"",""value"":""App47604""},{""href"":""/orgs/1/labels/245"",""key"":""env"",""value"":""Env47604""},{""href"":""/orgs/1/labels/246"",""key"":""loc"",""value"":""Loc47604""}]}},""change_type"":""create""}]",[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:00.854 PM",/orgs/1/events/b5b61f99-7217-45ba-bfc5-9d1f27b359b9,2x2testvc308.ilabs.io,"{""system"":{}}",request.authentication_failed,failure,err,,[],"[{""uuid"":""62bb9147-79bf-470c-9e0c-a82e20b035b2"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, diff --git a/Sample Data/ASIM/Illumio_Core_Authentication_IngestedLogs.csv b/Sample Data/ASIM/Illumio_Core_Authentication_IngestedLogs.csv new file mode 100644 index 00000000000..e7026b45e16 --- /dev/null +++ b/Sample Data/ASIM/Illumio_Core_Authentication_IngestedLogs.csv 
@@ -0,0 +1,143 @@ +TimeGenerated [Local Time],href,pce_fqdn,created_by,event_type,status,severity,action,resource_changes,notifications,version,TenantId,Type,_ResourceId +"10/7/2024, 6:40:09.965 PM",/orgs/1/events/56c08656-619d-4355-a81c-ca75419c3d65,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9c0d2aa0-dec0-4f42-9401-b767a2a51d0c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":235,""after"":236}},""change_type"":""update""}]","[{""uuid"":""55666bf0-e088-4613-8ac6-580610ae0d77"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:09.965 PM",/orgs/1/events/56c08656-619d-4355-a81c-ca75419c3d65,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9c0d2aa0-dec0-4f42-9401-b767a2a51d0c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":235,""after"":236}},""change_type"":""update""},{""uuid"":""4d886019-f2e8-4d05-a8c0-caef0132315a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":235,""after"":236}},""change_type"":""update""}]","[{""uuid"":""55666bf0-e088-4613-8ac6-580610ae0d77"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""f292fd9d-876d-492c-930c-0870acc0133e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users
/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:09.965 PM",/orgs/1/events/56c08656-619d-4355-a81c-ca75419c3d65,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""31e95625-8dca-4bf4-9514-6d27d05743a9"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""9c0d2aa0-dec0-4f42-9401-b767a2a51d0c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":235,""after"":236}},""change_type"":""update""},{""uuid"":""4d886019-f2e8-4d05-a8c0-caef0132315a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":235,""after"":236}},""change_type"":""update""}]","[{""uuid"":""55666bf0-e088-4613-8ac6-580610ae0d77"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""f292fd9d-876d-492c-930c-0870acc0133e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:11.319 PM",/orgs/1/events/629cbd5d-b23d-4e1e-9117-a61dd1d096fe,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""59842369-b34c-4c6f-81bf-d21a1a342967"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, 
+"10/7/2024, 6:40:11.319 PM",/orgs/1/events/629cbd5d-b23d-4e1e-9117-a61dd1d096fe,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""45622adc-d77b-4652-96e6-e1fe41ca3dd8"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""59842369-b34c-4c6f-81bf-d21a1a342967"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:19.242 PM",/orgs/1/events/a8f91353-5dc1-4dec-8f17-8d3f44777c64,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""5b7053f9-061d-44ff-9aee-4ea38d2aee97"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":236,""after"":237}},""change_type"":""update""}]","[{""uuid"":""9fcd132a-7a9b-4671-92b8-2eb29c24ae26"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:19.242 
PM",/orgs/1/events/a8f91353-5dc1-4dec-8f17-8d3f44777c64,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""5b7053f9-061d-44ff-9aee-4ea38d2aee97"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":236,""after"":237}},""change_type"":""update""},{""uuid"":""289e870a-115e-42fc-9dcd-3d8d554c6990"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":236,""after"":237}},""change_type"":""update""}]","[{""uuid"":""9fcd132a-7a9b-4671-92b8-2eb29c24ae26"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""4ca2dd07-6598-4b1a-a5fb-4a96e7732122"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:19.242 
PM",/orgs/1/events/a8f91353-5dc1-4dec-8f17-8d3f44777c64,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""69c2fa20-44eb-49aa-89b0-bcdad47bbc50"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""5b7053f9-061d-44ff-9aee-4ea38d2aee97"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":236,""after"":237}},""change_type"":""update""},{""uuid"":""289e870a-115e-42fc-9dcd-3d8d554c6990"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":236,""after"":237}},""change_type"":""update""}]","[{""uuid"":""9fcd132a-7a9b-4671-92b8-2eb29c24ae26"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""4ca2dd07-6598-4b1a-a5fb-4a96e7732122"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:19.933 PM",/orgs/1/events/4b914f89-3db9-4955-b1f8-4387181994d2,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""8a90853c-e9a1-42e6-a943-680b18b6e085"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:19.933 
PM",/orgs/1/events/4b914f89-3db9-4955-b1f8-4387181994d2,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""97dd97fc-eaae-4163-9fec-90a9c2e6bc3b"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""8a90853c-e9a1-42e6-a943-680b18b6e085"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:34.020 PM",/orgs/1/events/26e96d2d-7c95-4f17-9672-b8f2704d10a6,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""751334e4-8928-47b1-a54a-589d44b07bbc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":237,""after"":238}},""change_type"":""update""}]","[{""uuid"":""30573381-2f81-4ffd-a832-6f4aa04cef2e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:34.020 
PM",/orgs/1/events/26e96d2d-7c95-4f17-9672-b8f2704d10a6,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""751334e4-8928-47b1-a54a-589d44b07bbc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":237,""after"":238}},""change_type"":""update""},{""uuid"":""6d2e1d22-2609-4070-abe5-2beef41add74"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":237,""after"":238}},""change_type"":""update""}]","[{""uuid"":""30573381-2f81-4ffd-a832-6f4aa04cef2e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""23903817-418b-412f-8c96-fdfaadffe42e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:34.020 
PM",/orgs/1/events/26e96d2d-7c95-4f17-9672-b8f2704d10a6,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""44526ff7-d9f1-4010-8db1-606c58e72c01"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""751334e4-8928-47b1-a54a-589d44b07bbc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":237,""after"":238}},""change_type"":""update""},{""uuid"":""6d2e1d22-2609-4070-abe5-2beef41add74"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":237,""after"":238}},""change_type"":""update""}]","[{""uuid"":""30573381-2f81-4ffd-a832-6f4aa04cef2e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""23903817-418b-412f-8c96-fdfaadffe42e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:34.408 PM",/orgs/1/events/77e8d1d2-6eef-43a5-b2cb-7c4f6c9ba08a,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""589bb949-a6ec-42a4-860b-44b254f63802"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:40:34.408 
PM",/orgs/1/events/77e8d1d2-6eef-43a5-b2cb-7c4f6c9ba08a,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""bc996394-818b-49bc-ab2c-51c5fd817a2d"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""589bb949-a6ec-42a4-860b-44b254f63802"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:06.719 PM",/orgs/1/events/bdfa8409-dac9-4be4-9c10-8dfeddb922ea,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""f9b2ab82-b07b-4613-8749-3153eae823a2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":238,""after"":239}},""change_type"":""update""}]","[{""uuid"":""393dc68a-d78b-4843-9f30-d0beee49cdb1"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:06.719 
PM",/orgs/1/events/bdfa8409-dac9-4be4-9c10-8dfeddb922ea,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""f9b2ab82-b07b-4613-8749-3153eae823a2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":238,""after"":239}},""change_type"":""update""},{""uuid"":""35a727f3-6a2d-4bf0-a44e-d444cac4a6bb"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":238,""after"":239}},""change_type"":""update""}]","[{""uuid"":""393dc68a-d78b-4843-9f30-d0beee49cdb1"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""da168457-b6a3-4c8f-a9eb-700d83074781"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:06.719 
PM",/orgs/1/events/bdfa8409-dac9-4be4-9c10-8dfeddb922ea,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""fc3de40a-8dfa-4f47-9f73-af477a8b3eaf"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""f9b2ab82-b07b-4613-8749-3153eae823a2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":238,""after"":239}},""change_type"":""update""},{""uuid"":""35a727f3-6a2d-4bf0-a44e-d444cac4a6bb"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":238,""after"":239}},""change_type"":""update""}]","[{""uuid"":""393dc68a-d78b-4843-9f30-d0beee49cdb1"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""da168457-b6a3-4c8f-a9eb-700d83074781"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.056 PM",/orgs/1/events/b6a7154a-d71d-42c5-85be-358e0a52302e,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""910c97e8-5908-46ef-a074-002e56da2fc1"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.056 
PM",/orgs/1/events/b6a7154a-d71d-42c5-85be-358e0a52302e,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""4821c738-442d-4c28-be99-b3f8ab1a4cd1"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""910c97e8-5908-46ef-a074-002e56da2fc1"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.486 PM",/orgs/1/events/39e0f1f2-617c-4980-8a3c-883cb7286b89,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9e9bbbcd-f39e-4dd2-a227-3ab59888fb81"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":239,""after"":240}},""change_type"":""update""}]","[{""uuid"":""d900a8c6-586b-404c-b385-a96115c6212c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.486 
PM",/orgs/1/events/39e0f1f2-617c-4980-8a3c-883cb7286b89,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9e9bbbcd-f39e-4dd2-a227-3ab59888fb81"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":239,""after"":240}},""change_type"":""update""},{""uuid"":""2d0f7b5c-e587-47ed-85ef-31e91a1deabd"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":239,""after"":240}},""change_type"":""update""}]","[{""uuid"":""d900a8c6-586b-404c-b385-a96115c6212c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""61d4ca59-64c7-4827-8bd7-d087d9fbe961"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.486 
PM",/orgs/1/events/39e0f1f2-617c-4980-8a3c-883cb7286b89,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""212d47be-52d1-4c01-935f-2998a4a73ef3"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""9e9bbbcd-f39e-4dd2-a227-3ab59888fb81"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":239,""after"":240}},""change_type"":""update""},{""uuid"":""2d0f7b5c-e587-47ed-85ef-31e91a1deabd"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":239,""after"":240}},""change_type"":""update""}]","[{""uuid"":""d900a8c6-586b-404c-b385-a96115c6212c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""61d4ca59-64c7-4827-8bd7-d087d9fbe961"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.805 PM",/orgs/1/events/bf11b1e9-1079-4b2e-bebc-9198e37ad556,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""1e89dfe8-9c7b-40fd-a4b2-5bd673b0d209"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:07.805 
PM",/orgs/1/events/bf11b1e9-1079-4b2e-bebc-9198e37ad556,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""07577ca5-66b7-4791-bc34-b53e2643396c"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""1e89dfe8-9c7b-40fd-a4b2-5bd673b0d209"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:09.325 PM",/orgs/1/events/43d5145d-7209-4d45-a02b-3b7fabcb3632,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""45c57370-bbf4-4d98-8561-e71d27b61a3f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":240,""after"":241}},""change_type"":""update""}]","[{""uuid"":""71c059f2-a927-45b7-81f8-f6c47f2a90f8"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:09.325 
PM",/orgs/1/events/43d5145d-7209-4d45-a02b-3b7fabcb3632,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""45c57370-bbf4-4d98-8561-e71d27b61a3f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":240,""after"":241}},""change_type"":""update""},{""uuid"":""0c032b7f-d2a4-4f74-8d18-ad275069d115"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":240,""after"":241}},""change_type"":""update""}]","[{""uuid"":""71c059f2-a927-45b7-81f8-f6c47f2a90f8"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""3824b1b8-26a0-477a-8b05-618372e6c6bc"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:09.325 
PM",/orgs/1/events/43d5145d-7209-4d45-a02b-3b7fabcb3632,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""d1059538-ce8f-4bfa-915a-6569f9a1e3b6"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""45c57370-bbf4-4d98-8561-e71d27b61a3f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":240,""after"":241}},""change_type"":""update""},{""uuid"":""0c032b7f-d2a4-4f74-8d18-ad275069d115"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":240,""after"":241}},""change_type"":""update""}]","[{""uuid"":""71c059f2-a927-45b7-81f8-f6c47f2a90f8"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""3824b1b8-26a0-477a-8b05-618372e6c6bc"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:09.741 PM",/orgs/1/events/dab37573-4875-4bf0-8f66-ec693330ad57,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""b87600a5-29db-4b74-9601-9561effb5521"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:09.741 
PM",/orgs/1/events/dab37573-4875-4bf0-8f66-ec693330ad57,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""dc4e4445-5ee0-4818-895e-0ea2a75a20b7"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""b87600a5-29db-4b74-9601-9561effb5521"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:11.540 PM",/orgs/1/events/8eac8507-a624-46d4-996a-a23d85334dc7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""480c719e-2c88-436c-b04f-b3b3e59ce3dc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":241,""after"":242}},""change_type"":""update""}]","[{""uuid"":""319d3594-907b-4500-bc59-0b02f22cd374"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:11.540 
PM",/orgs/1/events/8eac8507-a624-46d4-996a-a23d85334dc7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""480c719e-2c88-436c-b04f-b3b3e59ce3dc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":241,""after"":242}},""change_type"":""update""},{""uuid"":""f84d2207-8643-434a-95b9-6d398f39337d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":241,""after"":242}},""change_type"":""update""}]","[{""uuid"":""319d3594-907b-4500-bc59-0b02f22cd374"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""9738f792-a51e-4ba8-8c99-f08c086e92a8"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:11.540 
PM",/orgs/1/events/8eac8507-a624-46d4-996a-a23d85334dc7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""e4f3483b-685e-4f0a-aee2-e13fdaf6dc19"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""480c719e-2c88-436c-b04f-b3b3e59ce3dc"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":241,""after"":242}},""change_type"":""update""},{""uuid"":""f84d2207-8643-434a-95b9-6d398f39337d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":241,""after"":242}},""change_type"":""update""}]","[{""uuid"":""319d3594-907b-4500-bc59-0b02f22cd374"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""9738f792-a51e-4ba8-8c99-f08c086e92a8"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:11.823 PM",/orgs/1/events/dc89a633-35c5-4c06-a3b9-7e313338d015,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""f3b1c5a8-aa23-48d3-8e1d-39c66e7c08b5"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:11.823 
PM",/orgs/1/events/dc89a633-35c5-4c06-a3b9-7e313338d015,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""88674f12-021e-4d06-8ca8-919c16856211"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""f3b1c5a8-aa23-48d3-8e1d-39c66e7c08b5"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.011 PM",/orgs/1/events/99c788d6-a5ec-4b78-a67e-72ad30244e5c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""4d0484f4-f57c-4930-a8be-9ee432cf2765"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":242,""after"":243}},""change_type"":""update""}]","[{""uuid"":""a644f2d0-1bc4-44ef-95db-048fad8b05a0"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.011 
PM",/orgs/1/events/99c788d6-a5ec-4b78-a67e-72ad30244e5c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""4d0484f4-f57c-4930-a8be-9ee432cf2765"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":242,""after"":243}},""change_type"":""update""},{""uuid"":""f0e5bfb1-cb25-44ec-bf39-6ff1250f77ff"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":242,""after"":243}},""change_type"":""update""}]","[{""uuid"":""a644f2d0-1bc4-44ef-95db-048fad8b05a0"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""a8e88bed-4569-4c16-a24a-c7e114fa583a"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.011 
PM",/orgs/1/events/99c788d6-a5ec-4b78-a67e-72ad30244e5c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""74b95267-e2ca-446c-9b5b-dbeda3b1c81e"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""4d0484f4-f57c-4930-a8be-9ee432cf2765"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":242,""after"":243}},""change_type"":""update""},{""uuid"":""f0e5bfb1-cb25-44ec-bf39-6ff1250f77ff"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":242,""after"":243}},""change_type"":""update""}]","[{""uuid"":""a644f2d0-1bc4-44ef-95db-048fad8b05a0"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""a8e88bed-4569-4c16-a24a-c7e114fa583a"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.306 PM",/orgs/1/events/80c2ec83-437c-4efb-a5c2-1d40745a1c8a,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""daae9a38-4373-4ef9-9311-8599e46723c3"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.306 
PM",/orgs/1/events/80c2ec83-437c-4efb-a5c2-1d40745a1c8a,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""ea174722-6e64-43a3-837f-c611188deec9"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""daae9a38-4373-4ef9-9311-8599e46723c3"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.720 PM",/orgs/1/events/cf2ca672-f9cf-44d7-b389-38c3329ff8d4,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""6b701683-385b-492a-8bae-5025b6d12a4c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":243,""after"":244}},""change_type"":""update""}]","[{""uuid"":""55523879-c2e6-4044-9035-0d02a84f3665"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.720 
PM",/orgs/1/events/cf2ca672-f9cf-44d7-b389-38c3329ff8d4,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""6b701683-385b-492a-8bae-5025b6d12a4c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":243,""after"":244}},""change_type"":""update""},{""uuid"":""4b5e5dda-a962-468a-a59e-d1ba55ea92e8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":243,""after"":244}},""change_type"":""update""}]","[{""uuid"":""55523879-c2e6-4044-9035-0d02a84f3665"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""951f0339-f0f1-4eab-9dc1-f94fbf6bae79"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:13.720 
PM",/orgs/1/events/cf2ca672-f9cf-44d7-b389-38c3329ff8d4,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""2af303dd-9191-49ed-bd37-2af7e0589fb3"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""6b701683-385b-492a-8bae-5025b6d12a4c"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":243,""after"":244}},""change_type"":""update""},{""uuid"":""4b5e5dda-a962-468a-a59e-d1ba55ea92e8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":243,""after"":244}},""change_type"":""update""}]","[{""uuid"":""55523879-c2e6-4044-9035-0d02a84f3665"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""951f0339-f0f1-4eab-9dc1-f94fbf6bae79"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:14.047 PM",/orgs/1/events/cf926a6c-006d-4265-b03d-fd2b8cc13696,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""648a77e7-70f3-464d-ab18-f5716b787489"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:14.047 
PM",/orgs/1/events/cf926a6c-006d-4265-b03d-fd2b8cc13696,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""8e40a26c-5be9-4900-858b-00ada55b4dc9"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""648a77e7-70f3-464d-ab18-f5716b787489"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:36.033 PM",/orgs/1/events/aaa47557-b741-4dc9-b6e7-f26c0996c519,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""b076ab70-ca2d-474c-9ecc-e5e6458ff638"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":244,""after"":245}},""change_type"":""update""}]","[{""uuid"":""7a6699ae-40e5-4b54-a821-c6126d0bca4e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:36.033 
PM",/orgs/1/events/aaa47557-b741-4dc9-b6e7-f26c0996c519,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""b076ab70-ca2d-474c-9ecc-e5e6458ff638"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":244,""after"":245}},""change_type"":""update""},{""uuid"":""b232ef0b-f2cf-4447-85b9-9c359da4888b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":244,""after"":245}},""change_type"":""update""}]","[{""uuid"":""7a6699ae-40e5-4b54-a821-c6126d0bca4e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""1c11721d-0696-48bb-8a05-7713c8182e9b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:36.033 
PM",/orgs/1/events/aaa47557-b741-4dc9-b6e7-f26c0996c519,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""12b3ebf7-4875-4c6d-bffc-ae8cb7b7306f"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""b076ab70-ca2d-474c-9ecc-e5e6458ff638"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":244,""after"":245}},""change_type"":""update""},{""uuid"":""b232ef0b-f2cf-4447-85b9-9c359da4888b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":244,""after"":245}},""change_type"":""update""}]","[{""uuid"":""7a6699ae-40e5-4b54-a821-c6126d0bca4e"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""1c11721d-0696-48bb-8a05-7713c8182e9b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:36.389 PM",/orgs/1/events/38e33e68-17e9-4bba-ab63-a54e5394a9d3,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""17665886-c859-4079-b3c8-995599685697"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:36.389 
PM",/orgs/1/events/38e33e68-17e9-4bba-ab63-a54e5394a9d3,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""253d758e-46b9-4305-8a0a-bfe95041b38e"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""17665886-c859-4079-b3c8-995599685697"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:40.432 PM",/orgs/1/events/a0fceefd-2962-40ce-ac07-0d9ee6b3b94d,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""13b55609-7b9d-404a-9280-887844cced7b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":245,""after"":246}},""change_type"":""update""}]","[{""uuid"":""727f444a-8f71-4f6a-ba62-4fc51c5996d4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:40.432 
PM",/orgs/1/events/a0fceefd-2962-40ce-ac07-0d9ee6b3b94d,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""13b55609-7b9d-404a-9280-887844cced7b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":245,""after"":246}},""change_type"":""update""},{""uuid"":""3bdb2f82-c040-4cbb-89bf-f38323e7ca04"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":245,""after"":246}},""change_type"":""update""}]","[{""uuid"":""727f444a-8f71-4f6a-ba62-4fc51c5996d4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""85facdcb-ab1b-43ef-8222-49e9b68020b5"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:40.432 
PM",/orgs/1/events/a0fceefd-2962-40ce-ac07-0d9ee6b3b94d,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""7a8f653d-01bb-425d-8cc2-98f5d2a8009c"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""13b55609-7b9d-404a-9280-887844cced7b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":245,""after"":246}},""change_type"":""update""},{""uuid"":""3bdb2f82-c040-4cbb-89bf-f38323e7ca04"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":245,""after"":246}},""change_type"":""update""}]","[{""uuid"":""727f444a-8f71-4f6a-ba62-4fc51c5996d4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""85facdcb-ab1b-43ef-8222-49e9b68020b5"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:40.755 PM",/orgs/1/events/e922df59-29be-45aa-8796-52eff3aa7f10,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""66c02699-c162-4e05-9f18-fecd6c445982"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:41:40.755 
PM",/orgs/1/events/e922df59-29be-45aa-8796-52eff3aa7f10,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""3ed162cb-81e8-4f48-ad7a-f495339b480f"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""66c02699-c162-4e05-9f18-fecd6c445982"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:20:24.508 AM",/orgs/1/events/e9f3587c-955e-4692-9dec-750a389bc19e,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,,"[{""uuid"":""e576641f-c6a4-4442-b83d-61d320f0f32a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":201,""after"":202},""last_sign_in_ip"":{""before"":""192.168.125.111"",""after"":""192.168.125.170""}},""change_type"":""update""}]","[{""uuid"":""7ff569e7-81d0-4bd1-bd3b-d9cecaa0d7ea"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:20:24.508 
AM",/orgs/1/events/e9f3587c-955e-4692-9dec-750a389bc19e,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,"{""uuid"":""567950ce-e409-48f5-a8b8-5e59bb9fec06"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":302,""src_ip"":""192.168.125.187""}","[{""uuid"":""e576641f-c6a4-4442-b83d-61d320f0f32a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":201,""after"":202},""last_sign_in_ip"":{""before"":""192.168.125.111"",""after"":""192.168.125.170""}},""change_type"":""update""}]","[{""uuid"":""7ff569e7-81d0-4bd1-bd3b-d9cecaa0d7ea"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:20:26.283 AM",/orgs/1/events/c179cf6d-28d6-470e-92d9-18d115d8d0d2,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""2b79cee8-7481-4aa9-be56-aeabdac5bd40"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:20:26.283 
AM",/orgs/1/events/c179cf6d-28d6-470e-92d9-18d115d8d0d2,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""74a425c5-3c87-418c-88b9-a01ea58c1145"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.187""}",[],"[{""uuid"":""2b79cee8-7481-4aa9-be56-aeabdac5bd40"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:33:41.058 AM",/orgs/1/events/d3a2e16d-5b85-4159-8502-cd0e0083e0d9,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.logout,success,info,"{""uuid"":""c62d5fc8-5c16-4a19-96dc-fd9f758c61e3"",""api_endpoint"":""/api/v2/users/1/logout"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""FILTERED""}",[],"[{""uuid"":""67c64f02-c3d4-4381-b39f-dd4234ff8037"",""notification_type"":""user.pce_session_terminated"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:33:41.577 AM",/orgs/1/events/80a1703e-8d02-47b1-b975-470b92fa491b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_out,success,info,"{""uuid"":""6aad3182-44ff-48f4-ac8b-90bf94cacf1d"",""api_endpoint"":""/login/logout"",""api_method"":""GET"",""http_status_code"":302,""src_ip"":""192.168.125.187""}",[],[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:40:24.142 
AM",/orgs/1/events/13dbe9f6-d0ff-44eb-8136-f4551d03380b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,,"[{""uuid"":""5d9d889f-1f41-40cb-826b-d7c803b76206"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":202,""after"":203},""last_sign_in_ip"":{""before"":""192.168.125.170"",""after"":""192.168.125.187""}},""change_type"":""update""}]","[{""uuid"":""a006d7ab-bb9b-453c-a765-3eb537c8682b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:40:24.142 AM",/orgs/1/events/13dbe9f6-d0ff-44eb-8136-f4551d03380b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,"{""uuid"":""3ac59997-0d1e-4c44-8203-195b0842d613"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":302,""src_ip"":""192.168.125.187""}","[{""uuid"":""5d9d889f-1f41-40cb-826b-d7c803b76206"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":202,""after"":203},""last_sign_in_ip"":{""before"":""192.168.125.170"",""after"":""192.168.125.187""}},""change_type"":""update""}]","[{""uuid"":""a006d7ab-bb9b-453c-a765-3eb537c8682b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:40:24.960 
AM",/orgs/1/events/7c3c2615-95da-4563-8398-bcf7f85712be,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""eae341be-6030-47ba-8208-2b1b7d0fff87"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:40:24.960 AM",/orgs/1/events/7c3c2615-95da-4563-8398-bcf7f85712be,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""1758496e-f6af-4495-b720-52f9bb491c0a"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.187""}",[],"[{""uuid"":""eae341be-6030-47ba-8208-2b1b7d0fff87"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:48:46.123 AM",/orgs/1/events/799dfd85-01c7-4d07-992c-7f6e64275da3,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.logout,success,info,"{""uuid"":""5ada24fe-83e5-4dc4-aca0-17438198c5dd"",""api_endpoint"":""/api/v2/users/1/logout"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""FILTERED""}",[],"[{""uuid"":""e7f0506c-c1fe-4521-a745-3ab60dc8fd18"",""notification_type"":""user.pce_session_terminated"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:48:46.256 
AM",/orgs/1/events/241d8474-7fa7-4558-8c1a-d490caa273be,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_out,success,info,"{""uuid"":""b16d9d18-527c-4df3-933a-d85ecd62fa82"",""api_endpoint"":""/login/logout"",""api_method"":""GET"",""http_status_code"":302,""src_ip"":""192.168.125.187""}",[],"[{""uuid"":""79502c09-ee2a-46ed-a263-50753d0c25ba"",""notification_type"":""user.login_session_terminated"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:51:22.783 AM",/orgs/1/events/c431041d-774c-4c47-a0fc-f7ed20715dec,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/36"",""username"":""admin@illumio.com""}}",user.sign_out,success,info,"{""uuid"":""6437f299-4170-4a60-8d59-c515765cddf2"",""api_endpoint"":""/login/users/sign_out"",""api_method"":""DELETE"",""http_status_code"":302,""src_ip"":""192.168.125.187""}",[],"[{""uuid"":""69abcf79-e797-4881-a269-16e8cdf87040"",""notification_type"":""user.login_session_terminated"",""info"":{""user"":{""href"":""/users/36"",""username"":""admin@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:51:41.585 AM",/orgs/1/events/8744dc81-ca89-4397-85bc-275e3499b957,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""524a5118-e666-4668-b784-90010bc2d5af"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 6:51:41.585 
AM",/orgs/1/events/8744dc81-ca89-4397-85bc-275e3499b957,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""c9a9a84f-2554-4f97-8c69-9e716a2150cf"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.187""}",[],"[{""uuid"":""524a5118-e666-4668-b784-90010bc2d5af"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 7:02:45.528 AM",/orgs/1/events/9d1f2adf-9cbe-40d6-952c-a2c5e4af1a2f,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.logout,success,info,"{""uuid"":""c6ba9738-82a9-47ed-829d-feee30d3ee25"",""api_endpoint"":""/api/v2/users/1/logout"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""FILTERED""}",[],"[{""uuid"":""ba4cb3a0-6e8e-4f6f-8b4c-6c1133358b08"",""notification_type"":""user.pce_session_terminated"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/2/2024, 7:02:45.914 AM",/orgs/1/events/e66ff481-5c45-4d84-bc83-c969becd62da,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_out,success,info,"{""uuid"":""9f9f56dd-bb0e-44af-91b5-5fcbe16bd4c4"",""api_endpoint"":""/login/logout"",""api_method"":""GET"",""http_status_code"":302,""src_ip"":""192.168.125.187""}",[],[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:14:14.110 
AM",/orgs/1/events/63ac3d88-27f9-456a-a6de-31f6507d899f,2x2testvc308.ilabs.io,"{""system"":{}}",user.sign_out,success,info,"{""uuid"":""3350d5fa-2126-4552-b61b-b1558e295cad"",""api_endpoint"":""/login/logout"",""api_method"":""GET"",""http_status_code"":302,""src_ip"":""192.168.125.89""}",[],[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:27:50.522 AM",/orgs/1/events/5b5e1155-894d-4926-88ad-7aa3f2b1e920,2x2testvc308.ilabs.io,"{""system"":{}}",user.sign_in,failure,info,"{""uuid"":""6c70c5e3-dcc9-4f9e-994f-b525f340635c"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":200,""src_ip"":""192.168.125.89""}","[{""uuid"":""86b9ac9d-a0da-4be5-b9d6-75b006e2d5c0"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""last_failed_at"":{""before"":null,""after"":""2024-10-08T17:27:50.5010000Z""}},""change_type"":""update""}]","[{""uuid"":""69ceb18b-10d4-4b0f-b14a-64a57d27a0f2"",""notification_type"":""user.login_failed"",""info"":{""associated_user"":{""supplied_username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:27:55.358 
AM",/orgs/1/events/68dc0796-cb55-49e3-9bed-8c646c4dfe1b,2x2testvc308.ilabs.io,"{""system"":{}}",user.sign_in,success,info,"{""uuid"":""cdd28e46-d8d9-434c-89b0-b46bdc9046e9"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":302,""src_ip"":""192.168.125.89""}","[{""uuid"":""063f431a-070e-4f83-b9f2-9c6807d95821"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""last_failed_at"":{""before"":""2024-10-08T17:27:50.5010000Z"",""after"":null}},""change_type"":""update""},{""uuid"":""ab0052e7-3464-4625-8cf3-f447b294a14d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":246,""after"":247}},""change_type"":""update""}]","[{""uuid"":""8ba6337d-52e0-43e7-959d-51af2bc7840b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:27:56.711 AM",/orgs/1/events/60a29c33-e378-42e9-9fcb-5d2870bd53e1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""2ed9bf1b-ae03-47ed-9d3f-a86a777e7309"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/8/2024, 10:27:56.711 
AM",/orgs/1/events/60a29c33-e378-42e9-9fcb-5d2870bd53e1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""88fd0e21-819c-4acf-b482-92734d6bddbd"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.89""}",[],"[{""uuid"":""2ed9bf1b-ae03-47ed-9d3f-a86a777e7309"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:06:22.741 PM",/orgs/1/events/127581bc-772f-436d-894d-59e008081ee0,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,,"[{""uuid"":""aeec60f3-8727-4f1d-983d-71490fdc3ea8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":214,""after"":215}},""change_type"":""update""}]","[{""uuid"":""618cb938-7ea8-471e-916f-6ac0467c3f0f"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:06:22.741 
PM",/orgs/1/events/127581bc-772f-436d-894d-59e008081ee0,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,"{""uuid"":""0662866d-3096-4a15-a722-2ecf0b9c2bf5"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":302,""src_ip"":""192.168.125.199""}","[{""uuid"":""aeec60f3-8727-4f1d-983d-71490fdc3ea8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":214,""after"":215}},""change_type"":""update""}]","[{""uuid"":""618cb938-7ea8-471e-916f-6ac0467c3f0f"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:06:23.828 PM",/orgs/1/events/663d7d44-63cc-410f-abdb-84ee46e01401,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""0ce687f5-127c-42c9-8540-56c009f34c6d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:06:23.828 PM",/orgs/1/events/663d7d44-63cc-410f-abdb-84ee46e01401,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""b7e68d3b-0f8e-4e95-a957-9728b45355e9"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.199""}",[],"[{""uuid"":""0ce687f5-127c-42c9-8540-56c009f34c6d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, 
+"10/7/2024, 6:21:59.889 PM",/orgs/1/events/62f586f2-90dc-4fa8-b299-1295c3df7d84,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""ed1f68c4-b451-42ae-9cb1-2952525867fa"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":215,""after"":216}},""change_type"":""update""}]","[{""uuid"":""de4151c0-be25-4eb9-aaf4-f7dc08ef3c04"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:21:59.889 PM",/orgs/1/events/62f586f2-90dc-4fa8-b299-1295c3df7d84,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""ed1f68c4-b451-42ae-9cb1-2952525867fa"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":215,""after"":216}},""change_type"":""update""},{""uuid"":""98c22619-69f5-4e28-a503-a30bcd4b6212"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":215,""after"":216}},""change_type"":""update""}]","[{""uuid"":""de4151c0-be25-4eb9-aaf4-f7dc08ef3c04"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""7365ce00-16ed-49de-97e1-45c57b3f4149"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:21:59.889 
PM",/orgs/1/events/62f586f2-90dc-4fa8-b299-1295c3df7d84,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""3b41728e-4eda-422c-b72d-601e844fee35"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""ed1f68c4-b451-42ae-9cb1-2952525867fa"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":215,""after"":216}},""change_type"":""update""},{""uuid"":""98c22619-69f5-4e28-a503-a30bcd4b6212"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":215,""after"":216}},""change_type"":""update""}]","[{""uuid"":""de4151c0-be25-4eb9-aaf4-f7dc08ef3c04"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""7365ce00-16ed-49de-97e1-45c57b3f4149"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:00.582 PM",/orgs/1/events/52230404-f74f-45dd-b032-47d8d63fa47b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""603b3802-8ce5-4ac9-8e3e-a70e1f228e50"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:00.582 
PM",/orgs/1/events/52230404-f74f-45dd-b032-47d8d63fa47b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""c4bdbfe8-0b27-47e9-970d-c1d6329bb364"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""603b3802-8ce5-4ac9-8e3e-a70e1f228e50"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:01.299 PM",/orgs/1/events/9f065d5c-6744-4626-b521-27e7357a358b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""1b437e19-1e82-48e8-91b4-a4a30d65784d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":216,""after"":217},""last_sign_in_ip"":{""before"":""192.168.125.199"",""after"":""10.6.16.64""}},""change_type"":""update""}]","[{""uuid"":""105fa3be-1a11-4031-8589-2b343f88236c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:01.299 
PM",/orgs/1/events/9f065d5c-6744-4626-b521-27e7357a358b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""1b437e19-1e82-48e8-91b4-a4a30d65784d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":216,""after"":217},""last_sign_in_ip"":{""before"":""192.168.125.199"",""after"":""10.6.16.64""}},""change_type"":""update""},{""uuid"":""6178a7eb-5cb6-4623-95eb-61db5b3fa3a9"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":216,""after"":217},""last_sign_in_ip"":{""before"":""192.168.125.199"",""after"":""10.6.16.64""}},""change_type"":""update""}]","[{""uuid"":""105fa3be-1a11-4031-8589-2b343f88236c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""1b70083c-9e5c-41c7-9591-d4ba62c10561"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:01.299 
PM",/orgs/1/events/9f065d5c-6744-4626-b521-27e7357a358b,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""c07b25cc-38ab-42c5-92f0-af42b13b680b"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""1b437e19-1e82-48e8-91b4-a4a30d65784d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":216,""after"":217},""last_sign_in_ip"":{""before"":""192.168.125.199"",""after"":""10.6.16.64""}},""change_type"":""update""},{""uuid"":""6178a7eb-5cb6-4623-95eb-61db5b3fa3a9"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":216,""after"":217},""last_sign_in_ip"":{""before"":""192.168.125.199"",""after"":""10.6.16.64""}},""change_type"":""update""}]","[{""uuid"":""105fa3be-1a11-4031-8589-2b343f88236c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""1b70083c-9e5c-41c7-9591-d4ba62c10561"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:02.323 PM",/orgs/1/events/561ec539-93d4-4fc7-a492-b015a8c19819,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""cdb9a203-eea4-4c63-85b0-2bc4ce022c8d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, 
+"10/7/2024, 6:22:02.323 PM",/orgs/1/events/561ec539-93d4-4fc7-a492-b015a8c19819,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""8226892f-ffe8-4520-a628-c6a6929bd6de"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""cdb9a203-eea4-4c63-85b0-2bc4ce022c8d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:16.559 PM",/orgs/1/events/415ad143-1f25-4629-88ab-cbc57d3e9c29,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9c6ab093-6918-499e-8442-37da411c36b4"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":217,""after"":218}},""change_type"":""update""}]","[{""uuid"":""1a22baa3-9332-4d61-93c9-ef310f3fcd71"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:16.559 
PM",/orgs/1/events/415ad143-1f25-4629-88ab-cbc57d3e9c29,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""9c6ab093-6918-499e-8442-37da411c36b4"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":217,""after"":218}},""change_type"":""update""},{""uuid"":""cca1c7a4-cbd3-4f0f-9d9d-a21abb9ca25e"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":217,""after"":218}},""change_type"":""update""}]","[{""uuid"":""1a22baa3-9332-4d61-93c9-ef310f3fcd71"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""de5e51ac-e6b3-4b52-82e5-bf4b9d63df3c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:16.559 
PM",/orgs/1/events/415ad143-1f25-4629-88ab-cbc57d3e9c29,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""4416ddfe-3e82-48dc-976f-e2b50ba3dd81"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""9c6ab093-6918-499e-8442-37da411c36b4"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":217,""after"":218}},""change_type"":""update""},{""uuid"":""cca1c7a4-cbd3-4f0f-9d9d-a21abb9ca25e"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":217,""after"":218}},""change_type"":""update""}]","[{""uuid"":""1a22baa3-9332-4d61-93c9-ef310f3fcd71"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""de5e51ac-e6b3-4b52-82e5-bf4b9d63df3c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:16.917 PM",/orgs/1/events/7d88b0bd-33ea-4ee1-a0b7-cbf661c9b421,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""cbeffff7-ccee-40e9-8380-af9e2d3d18a5"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:16.917 
PM",/orgs/1/events/7d88b0bd-33ea-4ee1-a0b7-cbf661c9b421,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""298cc820-631e-4ede-84a8-c34a243192df"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""cbeffff7-ccee-40e9-8380-af9e2d3d18a5"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:49.560 PM",/orgs/1/events/90b3603e-dabe-4790-a616-4387cef969b1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""b6e76391-8e1d-41da-ba59-7811ff593d5b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":218,""after"":219}},""change_type"":""update""}]","[{""uuid"":""c0e5053b-dbce-45a7-a26e-6786026f579b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:49.560 
PM",/orgs/1/events/90b3603e-dabe-4790-a616-4387cef969b1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""b6e76391-8e1d-41da-ba59-7811ff593d5b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":218,""after"":219}},""change_type"":""update""},{""uuid"":""a1238bc8-ede5-4716-8b15-294b3894932d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":218,""after"":219}},""change_type"":""update""}]","[{""uuid"":""c0e5053b-dbce-45a7-a26e-6786026f579b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""937b656b-f95a-497b-8a8e-832891469c40"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:49.560 
PM",/orgs/1/events/90b3603e-dabe-4790-a616-4387cef969b1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""c29b1764-853d-422e-a014-eac680199c7a"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""b6e76391-8e1d-41da-ba59-7811ff593d5b"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":218,""after"":219}},""change_type"":""update""},{""uuid"":""a1238bc8-ede5-4716-8b15-294b3894932d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":218,""after"":219}},""change_type"":""update""}]","[{""uuid"":""c0e5053b-dbce-45a7-a26e-6786026f579b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""937b656b-f95a-497b-8a8e-832891469c40"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.021 PM",/orgs/1/events/492021f1-39ef-453b-9a7b-d384c55564be,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""4e2d0064-0105-4d76-a1f5-8c0bf9a2680d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.021 
PM",/orgs/1/events/492021f1-39ef-453b-9a7b-d384c55564be,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""123687e6-f823-48eb-94d9-6591f4e16b56"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""4e2d0064-0105-4d76-a1f5-8c0bf9a2680d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.474 PM",/orgs/1/events/3def861a-3c86-4f0d-bf1a-a0746f8b19f7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""7f654ff4-c6cc-4ce5-9fc2-28ac029c562f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":219,""after"":220}},""change_type"":""update""}]","[{""uuid"":""335c5812-2835-435a-b6cb-144714032634"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.474 
PM",/orgs/1/events/3def861a-3c86-4f0d-bf1a-a0746f8b19f7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""7f654ff4-c6cc-4ce5-9fc2-28ac029c562f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":219,""after"":220}},""change_type"":""update""},{""uuid"":""5b638b0d-8786-499f-8f6b-5f7a209645f5"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":219,""after"":220}},""change_type"":""update""}]","[{""uuid"":""335c5812-2835-435a-b6cb-144714032634"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""5a95711d-0c45-418d-b213-5d2dd079aeeb"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.474 
PM",/orgs/1/events/3def861a-3c86-4f0d-bf1a-a0746f8b19f7,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""ce175854-94a6-4068-a6d0-e99294a4b7ac"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""7f654ff4-c6cc-4ce5-9fc2-28ac029c562f"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":219,""after"":220}},""change_type"":""update""},{""uuid"":""5b638b0d-8786-499f-8f6b-5f7a209645f5"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":219,""after"":220}},""change_type"":""update""}]","[{""uuid"":""335c5812-2835-435a-b6cb-144714032634"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""5a95711d-0c45-418d-b213-5d2dd079aeeb"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.983 PM",/orgs/1/events/5fd322f0-18fa-469e-82bc-6c0f9c9d3f9d,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""ae486301-65a8-4b68-8d17-8ea185e7274d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:50.983 
PM",/orgs/1/events/5fd322f0-18fa-469e-82bc-6c0f9c9d3f9d,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""d00fa3d0-7af9-4f26-a384-0b06132525ee"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""ae486301-65a8-4b68-8d17-8ea185e7274d"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:52.235 PM",/orgs/1/events/364cc321-8d31-43d1-a84e-8e071df54945,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""e644417a-30ba-41f4-826e-61ab666feea1"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":220,""after"":221}},""change_type"":""update""}]","[{""uuid"":""b80215bc-9151-4b95-b382-f028c6a455a4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:52.235 
PM",/orgs/1/events/364cc321-8d31-43d1-a84e-8e071df54945,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""e644417a-30ba-41f4-826e-61ab666feea1"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":220,""after"":221}},""change_type"":""update""},{""uuid"":""e79b232f-6d3f-48fc-9ca7-60e2ca816461"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":220,""after"":221}},""change_type"":""update""}]","[{""uuid"":""b80215bc-9151-4b95-b382-f028c6a455a4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""fcfeedd8-8a98-4f7f-b755-724858fea457"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:52.235 
PM",/orgs/1/events/364cc321-8d31-43d1-a84e-8e071df54945,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""7484b43d-920b-4804-b083-5c49536c155b"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""e644417a-30ba-41f4-826e-61ab666feea1"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":220,""after"":221}},""change_type"":""update""},{""uuid"":""e79b232f-6d3f-48fc-9ca7-60e2ca816461"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":220,""after"":221}},""change_type"":""update""}]","[{""uuid"":""b80215bc-9151-4b95-b382-f028c6a455a4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""fcfeedd8-8a98-4f7f-b755-724858fea457"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:52.756 PM",/orgs/1/events/97346a1b-8448-4e13-9487-e9602b7d71c8,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""f97de1a7-2203-44fd-9018-ad1d5a0ef2d9"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:52.756 
PM",/orgs/1/events/97346a1b-8448-4e13-9487-e9602b7d71c8,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""84e50dd7-2006-421e-b7fc-99ea37e67d21"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""f97de1a7-2203-44fd-9018-ad1d5a0ef2d9"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:54.684 PM",/orgs/1/events/9f6dd434-6cf5-4e5d-9b13-c2ec2ff586dd,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""de5cb6c6-1f43-4651-b94d-f37e04d33725"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":221,""after"":222}},""change_type"":""update""}]","[{""uuid"":""ef96f740-a8c4-4679-b874-cb6076ce66d5"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:54.684 
PM",/orgs/1/events/9f6dd434-6cf5-4e5d-9b13-c2ec2ff586dd,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""de5cb6c6-1f43-4651-b94d-f37e04d33725"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":221,""after"":222}},""change_type"":""update""},{""uuid"":""646cda63-98bc-4653-82a1-a410a1ee1bbe"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":221,""after"":222}},""change_type"":""update""}]","[{""uuid"":""ef96f740-a8c4-4679-b874-cb6076ce66d5"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""a32dce36-8733-43e8-b632-96aa94fbc5a0"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:54.684 
PM",/orgs/1/events/9f6dd434-6cf5-4e5d-9b13-c2ec2ff586dd,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""172eab5d-86a4-45d8-9a3e-217a2bffbcd4"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""de5cb6c6-1f43-4651-b94d-f37e04d33725"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":221,""after"":222}},""change_type"":""update""},{""uuid"":""646cda63-98bc-4653-82a1-a410a1ee1bbe"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":221,""after"":222}},""change_type"":""update""}]","[{""uuid"":""ef96f740-a8c4-4679-b874-cb6076ce66d5"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""a32dce36-8733-43e8-b632-96aa94fbc5a0"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:54.973 PM",/orgs/1/events/cc37047c-2972-4b53-a4a2-74c312b56422,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""e316677a-e289-486c-b571-7f1dfd939661"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:54.973 
PM",/orgs/1/events/cc37047c-2972-4b53-a4a2-74c312b56422,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""d8fae4c1-58a2-495b-b184-834dfde1ea3e"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""e316677a-e289-486c-b571-7f1dfd939661"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.154 PM",/orgs/1/events/8de2a207-6650-4e94-a2d5-5f269f8b24dc,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""52a82a1d-ab59-4df4-8695-e555892340c2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":222,""after"":223}},""change_type"":""update""}]","[{""uuid"":""cd5598c3-f64e-4c1f-98d6-6fd45afac64b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.154 
PM",/orgs/1/events/8de2a207-6650-4e94-a2d5-5f269f8b24dc,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""52a82a1d-ab59-4df4-8695-e555892340c2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":222,""after"":223}},""change_type"":""update""},{""uuid"":""d77ffaf8-0234-4791-9bc5-ec13ee741522"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":222,""after"":223}},""change_type"":""update""}]","[{""uuid"":""cd5598c3-f64e-4c1f-98d6-6fd45afac64b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""41132f0e-bd46-4f46-b49f-34c48f1ad58b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.154 
PM",/orgs/1/events/8de2a207-6650-4e94-a2d5-5f269f8b24dc,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""fc783ba0-5842-4a44-9e1e-371e6a50822c"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""52a82a1d-ab59-4df4-8695-e555892340c2"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":222,""after"":223}},""change_type"":""update""},{""uuid"":""d77ffaf8-0234-4791-9bc5-ec13ee741522"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":222,""after"":223}},""change_type"":""update""}]","[{""uuid"":""cd5598c3-f64e-4c1f-98d6-6fd45afac64b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""41132f0e-bd46-4f46-b49f-34c48f1ad58b"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.449 PM",/orgs/1/events/17e0dc48-5284-42d9-98c0-e01273a21437,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""1f5bb22a-4480-4cb6-b919-08ae45089b90"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.449 
PM",/orgs/1/events/17e0dc48-5284-42d9-98c0-e01273a21437,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""9bbf91c3-f959-46c4-90c9-53866eaae17c"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""1f5bb22a-4480-4cb6-b919-08ae45089b90"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.838 PM",/orgs/1/events/849bc88c-e851-439e-99cb-ea05f39046c0,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""791baa13-9277-4162-b1e1-55d810bb593d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":223,""after"":224}},""change_type"":""update""}]","[{""uuid"":""c28257b0-f9fe-4ef6-92f0-ec74284563ff"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.838 
PM",/orgs/1/events/849bc88c-e851-439e-99cb-ea05f39046c0,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""791baa13-9277-4162-b1e1-55d810bb593d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":223,""after"":224}},""change_type"":""update""},{""uuid"":""435eabd7-03e7-4f24-9cee-6b5452de029a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":223,""after"":224}},""change_type"":""update""}]","[{""uuid"":""c28257b0-f9fe-4ef6-92f0-ec74284563ff"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""d35004ed-2c14-41c0-9fc5-075481a53a7d"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:56.838 
PM",/orgs/1/events/849bc88c-e851-439e-99cb-ea05f39046c0,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""7a197351-28b1-4165-bdca-ce85137af610"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""791baa13-9277-4162-b1e1-55d810bb593d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":223,""after"":224}},""change_type"":""update""},{""uuid"":""435eabd7-03e7-4f24-9cee-6b5452de029a"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":223,""after"":224}},""change_type"":""update""}]","[{""uuid"":""c28257b0-f9fe-4ef6-92f0-ec74284563ff"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""d35004ed-2c14-41c0-9fc5-075481a53a7d"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:57.096 PM",/orgs/1/events/f23fabae-c2cc-4109-b41d-c50872abe296,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""d1e32893-3b24-4aff-bca5-923d47a3ae86"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:22:57.096 
PM",/orgs/1/events/f23fabae-c2cc-4109-b41d-c50872abe296,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""ae21f5b2-78c0-4dfa-b5b9-b37c61153c67"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""d1e32893-3b24-4aff-bca5-923d47a3ae86"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:18.848 PM",/orgs/1/events/fe778d67-38be-4dcf-8826-3c24bd656b4c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""0ad5903d-c168-4c85-9a35-83b3f77a06b8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":224,""after"":225}},""change_type"":""update""}]","[{""uuid"":""7b20a431-338c-4307-9f97-5ba821ac4b0f"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:18.848 
PM",/orgs/1/events/fe778d67-38be-4dcf-8826-3c24bd656b4c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""0ad5903d-c168-4c85-9a35-83b3f77a06b8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":224,""after"":225}},""change_type"":""update""},{""uuid"":""02a13608-1625-40b9-a25d-ce51f6a70c69"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":224,""after"":225}},""change_type"":""update""}]","[{""uuid"":""7b20a431-338c-4307-9f97-5ba821ac4b0f"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""0d6b8bd6-22fb-4ee1-8ee3-0db5f87a11fd"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:18.848 
PM",/orgs/1/events/fe778d67-38be-4dcf-8826-3c24bd656b4c,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""a7cf36fe-de47-45a4-ac2c-b8dc27381bf1"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""0ad5903d-c168-4c85-9a35-83b3f77a06b8"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":224,""after"":225}},""change_type"":""update""},{""uuid"":""02a13608-1625-40b9-a25d-ce51f6a70c69"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":224,""after"":225}},""change_type"":""update""}]","[{""uuid"":""7b20a431-338c-4307-9f97-5ba821ac4b0f"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""0d6b8bd6-22fb-4ee1-8ee3-0db5f87a11fd"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:19.200 PM",/orgs/1/events/7d6fb035-7c5b-4827-96d9-ea2e8e52238f,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""0225c18f-a026-4dde-bcb4-6eac197cfe87"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:19.200 
PM",/orgs/1/events/7d6fb035-7c5b-4827-96d9-ea2e8e52238f,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""408060f2-6df1-4d83-98ee-964603b547ac"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""0225c18f-a026-4dde-bcb4-6eac197cfe87"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:23.833 PM",/orgs/1/events/602c8302-e194-44a8-b873-150845c09079,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""0c3e864c-edc0-43d1-823c-caa419e78660"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":225,""after"":226}},""change_type"":""update""}]","[{""uuid"":""5d15bed1-9619-484b-8ed4-cd2d7d97b58c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:23.833 
PM",/orgs/1/events/602c8302-e194-44a8-b873-150845c09079,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,,"[{""uuid"":""0c3e864c-edc0-43d1-823c-caa419e78660"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":225,""after"":226}},""change_type"":""update""},{""uuid"":""3b9a7675-73c6-406d-a300-b59991ceb727"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":225,""after"":226}},""change_type"":""update""}]","[{""uuid"":""5d15bed1-9619-484b-8ed4-cd2d7d97b58c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""76937de5-6360-4578-9451-cdfba94b7ad4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:23.833 
PM",/orgs/1/events/602c8302-e194-44a8-b873-150845c09079,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.authenticate,success,info,"{""uuid"":""b5a30e1f-31cf-4d88-a07f-5d3b8e47ea88"",""api_endpoint"":""/api/v2/login_users/authenticate"",""api_method"":""POST"",""http_status_code"":201,""src_ip"":""10.6.16.64""}","[{""uuid"":""0c3e864c-edc0-43d1-823c-caa419e78660"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":225,""after"":226}},""change_type"":""update""},{""uuid"":""3b9a7675-73c6-406d-a300-b59991ceb727"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":225,""after"":226}},""change_type"":""update""}]","[{""uuid"":""5d15bed1-9619-484b-8ed4-cd2d7d97b58c"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}},{""uuid"":""76937de5-6360-4578-9451-cdfba94b7ad4"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:24.196 PM",/orgs/1/events/b42313b5-45c0-46fb-8359-0ac1cf36bca1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""ae69c5eb-148b-4122-acf6-1b08446deff8"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/7/2024, 6:23:24.196 
PM",/orgs/1/events/b42313b5-45c0-46fb-8359-0ac1cf36bca1,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""6acf0946-45dd-4890-9a54-f65fb9bd73bc"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""10.6.16.64""}",[],"[{""uuid"":""ae69c5eb-148b-4122-acf6-1b08446deff8"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:41:32.813 PM",/orgs/1/events/189a73fa-a298-4d0e-b898-391be694bcc3,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,,"[{""uuid"":""0048e444-38c3-4183-86a0-19b55e8b492d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":200,""after"":201},""last_sign_in_ip"":{""before"":""192.168.125.180"",""after"":""192.168.125.111""}},""change_type"":""update""}]","[{""uuid"":""85f1c89b-8a67-4ba5-b6d1-32ab988f70a9"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:41:32.813 
PM",/orgs/1/events/189a73fa-a298-4d0e-b898-391be694bcc3,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_in,success,info,"{""uuid"":""162f2af3-0d27-480a-be42-6fd0e1c0c70e"",""api_endpoint"":""/login/users/sign_in"",""api_method"":""POST"",""http_status_code"":302,""src_ip"":""192.168.125.170""}","[{""uuid"":""0048e444-38c3-4183-86a0-19b55e8b492d"",""resource"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}},""changes"":{""sign_in_attempts_count"":{""before"":200,""after"":201},""last_sign_in_ip"":{""before"":""192.168.125.180"",""after"":""192.168.125.111""}},""change_type"":""update""}]","[{""uuid"":""85f1c89b-8a67-4ba5-b6d1-32ab988f70a9"",""notification_type"":""user.login_session_created"",""info"":{""user"":{""href"":""/users/1"",""type"":""local"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:41:35.640 PM",/orgs/1/events/7da24ea7-ce63-42e5-bfb7-f8a98fb0f6a4,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,,[],"[{""uuid"":""84c01c84-ebe7-46cd-8259-8bf0388c1b00"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:41:35.640 
PM",/orgs/1/events/7da24ea7-ce63-42e5-bfb7-f8a98fb0f6a4,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.login,success,info,"{""uuid"":""b63d7065-b512-46f5-b211-83723c3f6df4"",""api_endpoint"":""/api/v2/users/login"",""api_method"":""GET"",""http_status_code"":200,""src_ip"":""192.168.125.170""}",[],"[{""uuid"":""84c01c84-ebe7-46cd-8259-8bf0388c1b00"",""notification_type"":""user.pce_session_created"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:54:30.533 PM",/orgs/1/events/794fc1e6-d58d-4e63-a179-b754689628dc,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.logout,success,info,"{""uuid"":""0b111959-11c4-493a-81a4-f502ebd5006c"",""api_endpoint"":""/api/v2/users/1/logout"",""api_method"":""PUT"",""http_status_code"":204,""src_ip"":""FILTERED""}",[],"[{""uuid"":""18ee40d9-02e9-4430-8be2-d8778d6fe6cc"",""notification_type"":""user.pce_session_terminated"",""info"":{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""},""reason"":""user_logout""}}]",2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, +"10/1/2024, 8:54:30.924 PM",/orgs/1/events/5925a0fc-1b52-4d67-ad62-31e4ddb7f5ba,2x2testvc308.ilabs.io,"{""user"":{""href"":""/users/1"",""username"":""selfserve@illumio.com""}}",user.sign_out,success,info,"{""uuid"":""c27fd8ab-9322-4bf2-920c-9adcaf098487"",""api_endpoint"":""/login/logout"",""api_method"":""GET"",""http_status_code"":302,""src_ip"":""192.168.125.170""}",[],[],2,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Auditable_Events_CL, diff --git a/Sample Data/ASIM/Illumio_Core_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Illumio_Core_NetworkSession_IngestedLogs.csv new file mode 100644 index 00000000000..a4ebd346ac0 --- /dev/null +++ b/Sample Data/ASIM/Illumio_Core_NetworkSession_IngestedLogs.csv 
@@ -0,0 +1,76 @@ +TimeGenerated [Local Time],icmp_type,code,dst_dbi,dst_dbo,dst_tbi,dst_tbo,ddms,tdms,pn,un,src_ip,dst_ip,class,proto,dst_port,flow_count,dir,org_id,state,pd_qualifier,pd,src_hostname,src_href,dst_hostname,dst_href,network,src_labels,dst_labels,interval_sec,pce_fqdn,version,TenantId,Type,_ResourceId +"10/7/2024, 5:35:42.000 PM",,,,,,,275380,529201,avahi-daemon,avahi,10.2.56.2,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:42.000 PM",,,,,,,275724,529455,avahi-daemon,avahi,10.2.64.199,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276596,531166,avahi-daemon,avahi,10.2.1.177,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276383,531053,avahi-daemon,avahi,10.2.7.232,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 
PM",,,,,,,276383,531052,avahi-daemon,avahi,10.2.17.234,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276293,530995,avahi-daemon,avahi,10.2.18.24,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276400,530997,avahi-daemon,avahi,10.2.19.108,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276280,530991,avahi-daemon,avahi,10.2.21.64,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276676,551313,avahi-daemon,avahi,10.2.24.114,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 
PM",,,,,,,276383,531054,avahi-daemon,avahi,10.2.50.90,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276596,555637,avahi-daemon,avahi,10.2.50.99,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:43.000 PM",,,,,,,276126,529702,avahi-daemon,avahi,10.2.126.204,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:50.000 PM",,,,,,,283826,555817,avahi-daemon,avahi,10.2.87.55,224.0.0.251,M,17,5353,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:52.000 PM",,,,,,,294679,294679,,,10.2.1.211,255.255.255.255,B,17,67,2,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:52.000 
PM",,,,,,,294677,294677,,,10.6.1.200,255.255.255.255,B,17,67,2,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:35:59.000 PM",,,,,,,233693,233693,,,10.2.33.140,255.255.255.255,B,17,67,2,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:05.000 PM",,,,,,,163870,163870,,,10.2.48.9,255.255.255.255,B,17,67,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:05.000 PM",,,,,,,163867,163867,,,10.6.133.25,255.255.255.255,B,17,67,1,I,1,T,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 PM",,,,,,,198065,198065,,,10.2.47.233,255.255.255.255,B,17,67,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 
PM",,,,,,,154,154,,,10.2.8.74,255.255.255.255,B,17,67,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 PM",,,,,,,28607,28607,,,10.2.80.32,255.255.255.255,B,17,67,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 PM",,,,,,,180,180,,,10.6.8.64,255.255.255.255,B,17,67,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 PM",,,,,,,271153,271153,avahi-daemon,avahi,10.2.3.62,224.0.0.251,M,17,5353,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 PM",,,,,,,269411,269411,avahi-daemon,avahi,10.2.5.39,224.0.0.251,M,17,5353,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/7/2024, 5:36:06.000 
PM",,,,,,,269949,269949,avahi-daemon,avahi,10.2.5.150,224.0.0.251,M,17,5353,1,I,1,A,0,1,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:32.000 PM",,,,,,,10187,31606,,,10.2.140.103,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:32.000 PM",,,,,,,10186,31603,,,10.6.83.47,10.6.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:40.000 PM",,,,,,,17921,32276,,,10.2.140.102,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:41.000 PM",,,,,,,18822,30000,,,10.2.78.135,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:43.000 
PM",,,,,,,21379,30000,,,10.6.89.91,10.6.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:44.000 PM",,,,,,,21841,31573,,,10.6.140.93,10.6.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:54.000 PM",,,,,,,31580,31580,,,10.2.135.107,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:59:55.000 PM",,,,,,,30000,30000,,,10.6.157.145,10.6.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm02,/orgs/1/workloads/fe152838-59e8-481e-bae3-f0beb60cfabb,Corporate,,"{""role"":""role11"",""app"":""app1"",""env"":""env1"",""loc"":""loc1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:31.000 PM",,,,,,,5199,30000,,,10.2.175.3,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:32.000 
PM",,,,,,,6491,30000,,,10.2.1.213,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:32.000 PM",,,,,,,6493,159641,,,10.2.1.213,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:37.000 PM",,,,,,,11074,31562,,,10.2.135.105,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:42.000 PM",,,,,,,15750,30000,,,10.2.9.236,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:47.000 PM",,,,,,,21174,30000,,,10.2.119.175,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:48.000 
PM",,,,,,,21602,30000,,,10.2.82.84,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:49.000 PM",,,,,,,23401,31626,,,10.2.128.40,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:52.000 PM",,,,,,,25714,30000,,,10.2.133.91,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:54.000 PM",,,,,,,27991,31614,,,10.2.49.11,10.2.255.255,B,17,137,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:54:59.000 PM",,,,,,,30000,30000,,,10.2.159.117,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:04.000 
PM",,,,,,,30000,30000,,,10.2.7.63,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:11.000 PM",,,,,,,30000,30000,,,10.2.8.105,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:11.000 PM",,,,,,,30000,30000,,,10.2.139.33,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:23.000 PM",,,,,,,30000,30000,,,10.2.150.35,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:38.000 PM",,,,,,,30000,30000,,,10.2.47.140,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"10/1/2024, 9:55:47.000 
PM",,,,,,,30000,30000,,,10.2.133.40,10.2.255.255,B,17,138,1,I,1,T,0,0,,,self-serve-mnc-1-vm03,/orgs/1/workloads/89a37812-660c-440a-9744-ea4fe18670af,Corporate,,"{""role"":""role2"",""app"":""app2"",""env"":""env2"",""loc"":""loc2"",""MT4L_A"":""MT4L_A_1""}",600,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 7:04:32.000 PM",,,,,,,,,,,10.0.0.61,10.0.0.59,U,6,63564,2,I,1,I,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 7:23:46.000 PM",,,,,,,,,,,fd00::200:a:0:3c,fd00::200:a:0:3b,U,17,10076,8,I,1,,0,2,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 7:25:10.000 PM",,,,,,,,,,,fd00::200:a:0:3c,fd00::200:a:0:3b,U,17,54308,3,I,1,,0,2,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 7:35:46.000 
PM",,,,,,,,,,,10.0.0.59,10.0.0.60,U,6,35678,2,O,1,N,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:05:36.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,6,55608,9,O,1,N,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:11:35.000 AM",,,,,,,,,,,10.0.0.59,10.0.0.61,U,17,31053,5,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:12:46.000 
AM",,,,,,,,,,,fd00::200:a:0:3d,fd00::200:a:0:3b,U,6,31443,2,I,1,N,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:13:03.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,6,30112,8,O,1,N,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:21:30.000 AM",,,,,,,,,,,10.0.0.61,10.0.0.59,U,6,40988,5,I,1,I,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:29:21.000 
AM",,,,,,,,,,,fd00::200:a:0:3c,fd00::200:a:0:3b,U,17,10623,9,I,1,,0,2,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:47:49.000 AM",,,,,,,,,,,10.0.0.59,10.0.0.61,U,6,64474,3,O,1,N,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:50:10.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,17,4902,8,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 11:00:25.000 
AM",,,,,,,,,,,10.0.0.61,10.0.0.59,U,6,34010,2,I,1,I,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 11:01:25.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3d,U,6,9750,6,O,1,I,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 11:26:59.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3d,U,6,18018,8,O,1,I,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 11:40:13.000 
AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3d,U,17,19918,1,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 11:53:56.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,17,65195,7,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:14:00.000 AM",,,,,,,,,,,fd00::200:a:0:3d,fd00::200:a:0:3b,U,6,57774,6,I,1,I,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:15:22.000 
AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,17,6466,4,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:28:44.000 AM",,,,,,,,,,,10.0.0.59,10.0.0.61,U,17,22241,3,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:38:57.000 AM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3d,U,17,61052,3,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:42:45.000 
AM",,,,,,,,,,,fd00::200:a:0:3d,fd00::200:a:0:3b,U,17,57320,7,I,1,,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:44:17.000 AM",,,,,,,,,,,10.0.0.60,10.0.0.59,U,17,17983,2,I,1,,0,2,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 9:51:06.000 AM",,,,,,,,,,,10.0.0.61,10.0.0.59,U,17,47229,3,I,1,,0,2,perf-workload-61,/orgs/1/workloads/b0e87610-488d-47c0-8b7b-dbd590ba82f0,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, +"9/24/2024, 3:06:56.000 
PM",,,,,,,,,,,fd00::200:a:0:3b,fd00::200:a:0:3c,U,17,59054,10,O,1,,0,2,perf-workload-59,/orgs/1/workloads/5852011d-7a0c-44f6-81e3-6acd33341748,perf-workload-60,/orgs/1/workloads/4316d5e8-4f7f-45c2-9b4a-aeaee49759b0,Corporate,"{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}","{""role"":""Role39176"",""app"":""App39176"",""env"":""Env39176"",""loc"":""Loc39176""}",84515,2x2testvc308.ilabs.io,4,d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19,Illumio_Flow_Events_CL, diff --git a/Sample Data/ASIM/Illumio_Flow_Events_CL_Schema.csv b/Sample Data/ASIM/Illumio_Flow_Events_CL_Schema.csv new file mode 100644 index 00000000000..642c6a49d13 --- /dev/null +++ b/Sample Data/ASIM/Illumio_Flow_Events_CL_Schema.csv 
@@ -0,0 +1,36 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType
+TimeGenerated,0,"System.DateTime",datetime
+"icmp_type",1,"System.Int32",int
+code,2,"System.Int32",int
+"dst_dbi",3,"System.Int32",int
+"dst_dbo",4,"System.Int32",int
+"dst_tbi",5,"System.Int32",int
+"dst_tbo",6,"System.Int32",int
+ddms,7,"System.Int32",int
+tdms,8,"System.Int32",int
+pn,9,"System.String",string
+un,10,"System.String",string
+"src_ip",11,"System.String",string
+"dst_ip",12,"System.String",string
+class,13,"System.String",string
+proto,14,"System.Int32",int
+"dst_port",15,"System.Int32",int
+"flow_count",16,"System.Int32",int
+dir,17,"System.String",string
+"org_id",18,"System.Int32",int
+state,19,"System.String",string
+"pd_qualifier",20,"System.Int32",int
+pd,21,"System.Int32",int
+"src_hostname",22,"System.String",string
+"src_href",23,"System.String",string
+"dst_hostname",24,"System.String",string
+"dst_href",25,"System.String",string
+network,26,"System.String",string
+"src_labels",27,"System.Object",dynamic
+"dst_labels",28,"System.Object",dynamic
+"interval_sec",29,"System.Int32",int
+"pce_fqdn",30,"System.String",string
+version,31,"System.Int32",int
+TenantId,32,"System.String",string
+Type,33,"System.String",string
+"_ResourceId",34,"System.String",string
diff --git a/Sample Data/Custom/Illumio/Illumio_FlowEventsIngestedLogs.csv b/Sample Data/Custom/Illumio/Illumio_FlowEventsIngestedLogs.csv
index 763bad890a7..0aa50c43f21 100644
--- a/Sample Data/Custom/Illumio/Illumio_FlowEventsIngestedLogs.csv
+++ b/Sample Data/Custom/Illumio/Illumio_FlowEventsIngestedLogs.csv
@@ -1,2 +1,2 @@
-"TimeGenerated [Local Time]","type","code","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId"
-"5/4/2024, 7:24:37.000 PM",,,1,1,1,1,1,1,,,"10.2.20.242","10.14.0.201",U,17,53,1,O,1,S,0,3,"self-serve-mnc-1-vm02","/orgs/1/workloads/6c425617-a7af-4ec8-9222-5f80bf71874a",,,Corporate,"{""app"":""App18393"",""env"":""Env33081"",""loc"":""Loc1663""}",,0,"2x2testvc308.ilabs.io",4,"d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19","Illumio_Flow_Events_CL",
\ No newline at end of file
+"TimeGenerated [Local Time]","type","code","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,sn,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId"
+"5/4/2024, 7:24:37.000 PM",,,1,1,1,1,1,1,,,,"10.2.20.242","10.14.0.201",U,17,53,1,O,1,S,0,3,"self-serve-mnc-1-vm02","/orgs/1/workloads/6c425617-a7af-4ec8-9222-5f80bf71874a",,,Corporate,"{""app"":""App18393"",""env"":""Env33081"",""loc"":""Loc1663""}",,0,"2x2testvc308.ilabs.io",4,"d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19","Illumio_Flow_Events_CL",
\ No newline at end of file
diff --git a/Sample Data/Custom/Illumio/Illumio_FlowEventsRawLogs.json b/Sample Data/Custom/Illumio/Illumio_FlowEventsRawLogs.json
index 393a6e26d62..55d34d45352 100644
--- a/Sample Data/Custom/Illumio/Illumio_FlowEventsRawLogs.json
+++ b/Sample Data/Custom/Illumio/Illumio_FlowEventsRawLogs.json
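Review bot: The sample row on the new side of Illumio_FlowEventsIngestedLogs.csv still carries what look like environment identifiers, the `pce_fqdn` value `2x2testvc308.ilabs.io` and the TenantId `d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19`, and the same two values recur in the ASIM sample rows and the raw-log JSON touched by this commit. Whether they are synthetic cannot be told from the diff; if they belong to a real lab PCE or Log Analytics workspace, replace them with placeholder values (a host under `example.com`, an all-zero GUID) before the sample data is published. The workload hrefs and hostnames in the same rows deserve the same check.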
@@ -104,5 +104,39 @@ "interval_sec": 649, "pce_fqdn": "2x2testvc308.ilabs.io", "version": 4 - } + }, + { + "src_ip": "10.2.20.240", + "dst_ip": "10.2.20.242", + "class": "U", + "proto": 1, + "dst_port": 0, + "count": 3, + "dir": "O", + "pn": "dhclient", + "un": "root", + "sn": "service1", + "org_id": 1, + "timestamp": "2024-07-01T16:55:20Z", + "pd_qualifier": 0, + "pd": 2, + "src_hostname": "self-serve-mnc-1-vm01", + "src_href": "/orgs/1/workloads/565c43bc-7148-4d7a-9de3-caf5521c8a99", + "dst_hostname": "self-serve-mnc-1-vm02", + "dst_href": "/orgs/1/workloads/7fa41595-431e-4bae-b6b1-0e73b11a840a", + "network": "Corporate", + "src_labels": { + "role": "Role18393", + "loc": "Loc56545", + "app": "App64635" + }, + "dst_labels": { + "role": "Role18393", + "loc": "Loc56545", + "app": "App64635" + }, + "interval_sec": 649, + "pce_fqdn": "2x2testvc308.ilabs.io", + "version": 4 + } ] \ No newline at end of file diff --git a/Sample Data/Custom/Illumio/Illumio_FlowEventsSchema.csv b/Sample Data/Custom/Illumio/Illumio_FlowEventsSchema.csv index 4a2eb83501b..b93cc075b25 100644 --- a/Sample Data/Custom/Illumio/Illumio_FlowEventsSchema.csv +++ b/Sample Data/Custom/Illumio/Illumio_FlowEventsSchema.csv @@ -1 +1 @@ -"TimeGenerated [Local Time]","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId" \ No newline at end of file +"TimeGenerated [Local Time]","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,sn,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId" \ No newline at end of file 
diff --git a/Solutions/IllumioSaaS/Data Connectors/CommonCode/__init__.py b/Solutions/IllumioSaaS/Data Connectors/CommonCode/__init__.py
new file mode 100644
index 00000000000..a003443e9bc
--- /dev/null
+++ b/Solutions/IllumioSaaS/Data Connectors/CommonCode/__init__.py
@@ -0,0 +1 @@
+### This is to treat this as a package ###
diff --git a/Solutions/IllumioSaaS/Data Connectors/azure_storage_queue.py b/Solutions/IllumioSaaS/Data Connectors/CommonCode/azure_storage_queue.py
similarity index 100%
rename from Solutions/IllumioSaaS/Data Connectors/azure_storage_queue.py
rename to Solutions/IllumioSaaS/Data Connectors/CommonCode/azure_storage_queue.py
diff --git a/Solutions/IllumioSaaS/Data Connectors/CommonCode/constants.py b/Solutions/IllumioSaaS/Data Connectors/CommonCode/constants.py
new file mode 100644
index 00000000000..1e3fb141fb8
--- /dev/null
+++ b/Solutions/IllumioSaaS/Data Connectors/CommonCode/constants.py
@@ -0,0 +1,48 @@
+import os
+
+# AWS config
+AWS_KEY = os.environ["AWS_KEY"]
+AWS_SECRET = os.environ["AWS_SECRET"]
+AWS_REGION_NAME = os.environ["AWS_REGION_NAME"]
+SQS_QUEUE_URL = os.environ["SQS_QUEUE_URL"]
+VISIBILITY_TIMEOUT = 1800
+LINE_SEPARATOR = os.environ.get(
+ "lineSeparator", "[\n\r\x0b\v\x0c\f\x1c\x1d\x85\x1e\u2028\u2029]+"
+) # used in aws_queue and queue trigger.py
+MAX_SCRIPT_EXEC_TIME_MINUTES = int(os.environ.get("MAX_SCRIPT_EXEC_TIME_MINUTES", 10))
+SQS_FILES_READ_LIMIT = int(os.environ.get("SQS_FILES_READ_LIMIT", 200))
+
+# PCE config
+API_KEY = os.environ["API_KEY"]
+API_SECRET = os.environ["API_SECRET"]
+PCE_FQDN = os.environ["PCE_FQDN"]
+PORT = int(os.environ.get("PCE_PORT", 443))
+ORG_ID = os.environ["ORG_ID"]
+MAX_WORKLOADS = os.environ.get("MAX_WORKLOADS", 100000)
+LOGS_TO_CONSUME = os.environ.get("logTypes", "all").lower()
+NETWORK_TRAFFIC_TO_CONSUME = os.environ.get("networkTrafficLogTypes", "All").lower()
+FLOW_EVENTS = "Flow Summaries"
+AUDIT_EVENTS = "Auditable Events"
+ALLOWED_TRAFFIC = "allowed"
+POTENTIALLY_BLOCKED_TRAFFIC = "potentially_blocked"
+BLOCKED_TRAFFIC = "blocked"
+UNKNOWN_TRAFFIC = "unknown"
+ALL_TRAFFIC = "all"
+
+# Azure config
+AZURE_TENANT_ID = os.environ["AZURE_TENANT_ID"]
+AZURE_CLIENT_ID = os.environ["AZURE_CLIENT_ID"]
+AZURE_CLIENT_SECRET = os.environ["AZURE_CLIENT_SECRET"]
+DCE_ENDPOINT = os.environ["DCE_ENDPOINT"]
+DCR_ID = os.environ["DCR_ID"]
+LOG_ANALYTICS_URI = os.environ["LOG_ANALYTICS_URI"]
+WORKLOADS_API_LOGS_CUSTOM_TABLE = os.environ["WORKLOADS_API_LOGS_CUSTOM_TABLE"]
+FLOW_LOGS_CUSTOM_TABLE = os.environ["FLOW_LOGS_CUSTOM_TABLE"]
+AUDIT_LOGS_CUSTOM_TABLE = os.environ["AUDIT_LOGS_CUSTOM_TABLE"]
+WORKSPACE_ID = os.environ["WORKSPACE_ID"]
+AZURE_STORAGE_CONNECTION_STRING = os.environ["AzureWebJobsStorage"]
+MAX_QUEUE_MESSAGES_MAIN_QUEUE = int(os.environ.get("MAX_QUEUE_MESSAGES_MAIN_QUEUE", 80))
+
+# Azure Storage Queue
+AZURE_STORAGE_PRIMARY_QUEUE = "python-queue-items"
+AZURE_STORAGE_BACKLOG_QUEUE = 
"python-queue-items-backlog"
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Data Connectors/CommonCode/helper.py b/Solutions/IllumioSaaS/Data Connectors/CommonCode/helper.py
new file mode 100644
index 00000000000..16c19b7511b
--- /dev/null
+++ b/Solutions/IllumioSaaS/Data Connectors/CommonCode/helper.py
@@ -0,0 +1,49 @@
+from .constants import (
+ LOGS_TO_CONSUME,
+ FLOW_EVENTS,
+ AUDIT_EVENTS,
+ MAX_SCRIPT_EXEC_TIME_MINUTES,
+ ALL_TRAFFIC,
+)
+import time
+
+
+def skip_processing_file(file_path):
+ """
+ Customer can choose to ingest either audit or traffic or both
+ When SQS messages are processed, this method helps filter which file paths should be filtered away
+
+ Return whether a file indicated by file_path is filtered or not, and this is dependent on LOGS_TO_CONSUME
+
+ So if LOGS_TO_CONSUME is set to All by customer, then all logs are consumed by default and the method returns False
+ Else, either audit or traffic events are consumed
+ """
+ if LOGS_TO_CONSUME == ALL_TRAFFIC:
+ return False
+
+ if "auditable" in file_path:
+ return FLOW_EVENTS in LOGS_TO_CONSUME
+ else:
+ return AUDIT_EVENTS in LOGS_TO_CONSUME
+
+
+def check_if_script_runs_too_long(percentage, script_start_time):
+ """
+ This method checks if the script has ran "percentage" amount of time from starting of the script
+ percentage: double
+ script_start_time : datetime
+
+ Args:
+ percentage (_type_): _description_
+ script_start_time (_type_): _description_
+
+ Returns:
+ _type_: _description_
+ """
+ now = int(time.time())
+ duration = now - script_start_time
+ max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * percentage)
+ return duration > max_duration
+
+
+__all__ = ["skip_processing_file", "check_if_script_runs_too_long"]
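Review bot: In CommonCode/constants.py `LOGS_TO_CONSUME` is lower-cased with `.lower()` while `FLOW_EVENTS = "Flow Summaries"` and `AUDIT_EVENTS = "Auditable Events"` keep their capitals, so every comparison between them fails. As far as this diff shows, the `in LOGS_TO_CONSUME` tests in `skip_processing_file` (helper.py) and `fileToBeFiltered` (azure_queue_trigger.py) always return False, so the customer's log-type selection filters nothing, and the `LOGS_TO_CONSUME == AUDIT_EVENTS` branch of `_generate_sentinel_connectors` is unreachable, leaving an audit-only deployment with a flow-table connector only. Define the constants in lower case, `FLOW_EVENTS = "flow summaries"` and `AUDIT_EVENTS = "auditable events"`, or drop the `.lower()` and compare case-insensitively in one place. Separately, `MAX_WORKLOADS` is the only numeric setting not wrapped in `int(...)`, so it is a str whenever the variable is set and an int otherwise.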
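Review bot: The docstring of `check_if_script_runs_too_long` in CommonCode/helper.py still carries the template placeholders (`_type_: _description_`) and calls `script_start_time` a datetime, while the body subtracts it from `int(time.time())`, which only works for a number of epoch seconds. I would replace the Args/Returns section with `percentage (float): fraction of MAX_SCRIPT_EXEC_TIME_MINUTES, e.g. 0.9`, `script_start_time (int): start time in epoch seconds, as produced by int(time.time())` and `Returns: bool, True once the elapsed time exceeds that fraction of the budget`. The two free-form lines above `Args:` (`percentage: double`, `script_start_time : datetime`) can then be dropped.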
diff --git a/Solutions/IllumioSaaS/Data Connectors/sentinel_connector.py b/Solutions/IllumioSaaS/Data Connectors/CommonCode/sentinel_connector.py similarity index 100% rename from Solutions/IllumioSaaS/Data Connectors/sentinel_connector.py rename to Solutions/IllumioSaaS/Data Connectors/CommonCode/sentinel_connector.py diff --git a/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip b/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip index cd4aab361d6..861322cf4d5 100644 Binary files a/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip and b/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip differ diff --git a/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip b/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip index b523446a893..b188b93ca2e 100644 Binary files a/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip and b/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip differ diff --git a/Solutions/IllumioSaaS/Data Connectors/QueueManagerFunctionApp/queue_manager.py b/Solutions/IllumioSaaS/Data Connectors/QueueManagerFunctionApp/queue_manager.py index 8c3fc3f7e85..34d732483d9 100644 --- a/Solutions/IllumioSaaS/Data Connectors/QueueManagerFunctionApp/queue_manager.py +++ b/Solutions/IllumioSaaS/Data Connectors/QueueManagerFunctionApp/queue_manager.py 
@@ -2,12 +2,14 @@ import time import logging import azure.functions as func -from ..azure_storage_queue import AzureStorageQueueHelper -from .. import constants - -MAX_SCRIPT_EXEC_TIME_MINUTES = constants.MAX_SCRIPT_EXEC_TIME_MINUTES -AZURE_STORAGE_CONNECTION_STRING = constants.AZURE_STORAGE_CONNECTION_STRING -MAX_QUEUE_MESSAGES_MAIN_QUEUE = constants.MAX_QUEUE_MESSAGES_MAIN_QUEUE +from ..CommonCode.azure_storage_queue import AzureStorageQueueHelper +from ..CommonCode.constants import ( + MAX_SCRIPT_EXEC_TIME_MINUTES, + AZURE_STORAGE_CONNECTION_STRING, + MAX_QUEUE_MESSAGES_MAIN_QUEUE, + AZURE_STORAGE_PRIMARY_QUEUE, + AZURE_STORAGE_BACKLOG_QUEUE, +) def check_if_script_runs_too_long(percentage, script_start_time): 
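Review bot: `check_if_script_runs_too_long` stays defined locally in queue_manager.py (its `def` is the last context line of this hunk and the body continues in the next one), although this commit adds the same function to CommonCode/helper.py. Import it instead, `from ..CommonCode.helper import check_if_script_runs_too_long`, and delete the local copy so the time-budget rule lives in one place. Judging by the visible hunks, `MAX_SCRIPT_EXEC_TIME_MINUTES` would then no longer need to be imported here.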
@@ -16,32 +18,44 @@ def check_if_script_runs_too_long(percentage, script_start_time): max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * percentage) return duration > max_duration + async def main(mytimer: func.TimerRequest): script_start_time = int(time.time()) - mainQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items") - backlogQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items-backlog") + mainQueueHelper = AzureStorageQueueHelper( + connectionString=AZURE_STORAGE_CONNECTION_STRING, + queueName=AZURE_STORAGE_PRIMARY_QUEUE, + ) + backlogQueueHelper = AzureStorageQueueHelper( + connectionString=AZURE_STORAGE_CONNECTION_STRING, + queueName=AZURE_STORAGE_BACKLOG_QUEUE, + ) backlogQueueCount = backlogQueueHelper.get_queue_current_count() logging.info("File count in backlog queue is {}".format(backlogQueueCount)) - + mainQueueCount = mainQueueHelper.get_queue_current_count() - logging.info("File count in main queue is {}".format(mainQueueCount)) - + logging.info("File count in main queue is {}".format(mainQueueCount)) + while True: # attempt to exhaust backlog queue and feed enough to mainQueue if backlogQueueCount > 0: if mainQueueCount >= MAX_QUEUE_MESSAGES_MAIN_QUEUE: - logging.info('Backlog queue and main queue are at limits, do not process any new messages from sqs') + logging.info( + "Backlog queue and main queue are at limits, do not process any new messages from sqs" + ) return else: messageFromBacklog = backlogQueueHelper.deque_from_queue() if messageFromBacklog != None: - mainQueueHelper.send_to_queue(messageFromBacklog.content,False) - backlogQueueHelper.delete_queue_message(messageFromBacklog.id, messageFromBacklog.pop_receipt) + mainQueueHelper.send_to_queue(messageFromBacklog.content, False) + backlogQueueHelper.delete_queue_message( + messageFromBacklog.id, messageFromBacklog.pop_receipt + ) else: return - if 
check_if_script_runs_too_long(0.90, script_start_time): - logging.warn("Azure Queue manager has run close to 90 percentage of max time. Exiting") - return - \ No newline at end of file + if check_if_script_runs_too_long(0.90, script_start_time): + logging.warn( + "Azure Queue manager has run close to 90 percentage of max time. Exiting" + ) + return diff --git a/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json b/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json index db7748cb817..d076d10527b 100644 --- a/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json +++ b/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/DeployFunctionApp/azuredeploy_QueueTrigger_FunctionApp.json @@ -237,6 +237,10 @@ "name": "un", "type": "string" }, + { + "name": "sn", + "type": "string" + }, { "name": "src_ip", "type": "string" @@ -497,6 +501,10 @@ "name": "un", "type": "string" }, + { + "name": "sn", + "type": "string" + }, { "name": "src_ip", "type": "string" diff --git a/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py b/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py index 7a49885ad2c..5f236e22cd6 100644 --- a/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py +++ b/Solutions/IllumioSaaS/Data Connectors/QueueTriggerFuncApp/azure_queue_trigger.py 
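Review bot: In `main` of queue_manager.py, `backlogQueueCount` and `mainQueueCount` are read once before `while True:` and never updated inside the loop, so the `MAX_QUEUE_MESSAGES_MAIN_QUEUE` cap is only checked against the starting value and the main queue can be filled well past it. When `deque_from_queue()` returns None the loop does not exit either; it keeps polling the emptied backlog until the 90 percent time check fires. Track each move after `delete_queue_message(...)` with `mainQueueCount += 1` and `backlogQueueCount -= 1`, and return in the None case. While touching these lines, prefer `is not None` to `!= None` and `logging.warning` to the deprecated `logging.warn`.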
@@ -7,70 +7,82 @@ import logging import azure.functions as func import urllib.parse -from .. import constants -from ..sentinel_connector import AzureSentinelConnectorAsync - -# Azure config -AZURE_TENANT_ID = constants.AZURE_TENANT_ID -AZURE_CLIENT_ID = constants.AZURE_CLIENT_ID -AZURE_CLIENT_SECRET = constants.AZURE_CLIENT_SECRET -DCE_ENDPOINT = constants.DCE_ENDPOINT -DCR_ID = constants.DCR_ID -LOG_ANALYTICS_URI = constants.LOG_ANALYTICS_URI -WORKSPACE_ID = constants.WORKSPACE_ID -FLOW_LOGS_CUSTOM_TABLE = constants.FLOW_LOGS_CUSTOM_TABLE -AUDIT_LOGS_CUSTOM_TABLE = constants.AUDIT_LOGS_CUSTOM_TABLE -LOGS_TO_CONSUME = constants.LOGS_TO_CONSUME - -# AWS config -AWS_KEY = constants.AWS_KEY -AWS_SECRET = constants.AWS_SECRET -AWS_REGION_NAME = constants.AWS_REGION_NAME -VISIBILITY_TIMEOUT = 1800 -LINE_SEPARATOR = constants.LINE_SEPARATOR -MAX_SCRIPT_EXEC_TIME_MINUTES = constants.MAX_SCRIPT_EXEC_TIME_MINUTES +from ..CommonCode.sentinel_connector import AzureSentinelConnectorAsync +from ..CommonCode.constants import ( + AZURE_TENANT_ID, + AZURE_CLIENT_ID, + AZURE_CLIENT_SECRET, + DCE_ENDPOINT, + DCR_ID, + FLOW_LOGS_CUSTOM_TABLE, + AUDIT_LOGS_CUSTOM_TABLE, + LOGS_TO_CONSUME, + AWS_KEY, + AWS_SECRET, + AWS_REGION_NAME, + LINE_SEPARATOR, + ALL_TRAFFIC, + FLOW_EVENTS, + AUDIT_EVENTS, +) + # Defining the S3 Client object based on AWS Credentials def _create_s3_client(): s3_session = get_session() - boto_config = BotoCoreConfig(region_name=AWS_REGION_NAME, retries = {'max_attempts': 10, 'mode': 'standard'}, read_timeout = 0, tcp_keepalive = True) + boto_config = BotoCoreConfig( + region_name=AWS_REGION_NAME, + retries={"max_attempts": 10, "mode": "standard"}, + read_timeout=0, + tcp_keepalive=True, + ) return s3_session.create_client( - 's3', - region_name=AWS_REGION_NAME, - aws_access_key_id=AWS_KEY, - aws_secret_access_key=AWS_SECRET, - config=boto_config - ) + "s3", + region_name=AWS_REGION_NAME, + aws_access_key_id=AWS_KEY, + aws_secret_access_key=AWS_SECRET, + 
config=boto_config, + ) + def fileToBeFiltered(file_path): - if LOGS_TO_CONSUME == 'All': - return False - - if 'auditable' in file_path: - return 'Flow Summaries' in LOGS_TO_CONSUME + if LOGS_TO_CONSUME == ALL_TRAFFIC: + return False + + if "auditable" in file_path: + return FLOW_EVENTS in LOGS_TO_CONSUME else: - return 'Auditable Events' in LOGS_TO_CONSUME - + return AUDIT_EVENTS in LOGS_TO_CONSUME + + async def _generate_sentinel_connectors(session): stream_names = [] sentinel_connectors = {} - if LOGS_TO_CONSUME == 'All': + if LOGS_TO_CONSUME == ALL_TRAFFIC: stream_names.append(FLOW_LOGS_CUSTOM_TABLE) stream_names.append(AUDIT_LOGS_CUSTOM_TABLE) - elif LOGS_TO_CONSUME == 'Auditable Events': + elif LOGS_TO_CONSUME == AUDIT_EVENTS: stream_names.append(AUDIT_LOGS_CUSTOM_TABLE) else: stream_names.append(FLOW_LOGS_CUSTOM_TABLE) for stream in stream_names: - sentinel_connectors[stream] = AzureSentinelConnectorAsync(session, DCE_ENDPOINT, DCR_ID, stream, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) - + sentinel_connectors[stream] = AzureSentinelConnectorAsync( + session, + DCE_ENDPOINT, + DCR_ID, + stream, + AZURE_CLIENT_ID, + AZURE_CLIENT_SECRET, + AZURE_TENANT_ID, + ) + return sentinel_connectors -async def main(msg: func.QueueMessage ): - try: +async def main(msg: func.QueueMessage): + try: total_events = 0 accumulated_file_size = 0 sqs_ids_seen_so_far = 0 
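Review bot: `fileToBeFiltered` has no docstring and its return value is easy to misread: for an "auditable" path it returns `FLOW_EVENTS in LOGS_TO_CONSUME`, i.e. True means "skip this file". A one-line docstring such as `"""Return True when file_path must be skipped for the configured LOGS_TO_CONSUME."""` would make that contract explicit. The `in` test is a substring match on a string setting, while `_generate_sentinel_connectors` just below compares with `==`; using `LOGS_TO_CONSUME == FLOW_EVENTS` in both places keeps the two decisions consistent. Note also that the final `else` in `_generate_sentinel_connectors` treats any unrecognised `LOGS_TO_CONSUME` value as flow-only, so a mistyped setting silently disables audit ingestion; rejecting unknown values with a logged error would surface that.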
@@ -78,62 +90,80 @@ async def main(msg: func.QueueMessage ): sentinel_connectors = {} # initialize sentinel_connectors async with aiohttp.ClientSession() as session: - sentinel_connectors = await _generate_sentinel_connectors(session) + sentinel_connectors = await _generate_sentinel_connectors(session) # msg should contain a list of links to s3 - result = { - 'id': msg.id, - 'body': msg.get_body() - } - # body should be a list of dicts, where each dict has link, bucket_name, sqs_message_id - body = json.loads(result['body'].decode('ascii').replace("'", '"')) - - + result = {"id": msg.id, "body": msg.get_body()} + # body should be a list of dicts, where each dict has link, bucket_name, sqs_message_id + body = json.loads(result["body"].decode("ascii").replace("'", '"')) + except ValueError: pass else: for obj in body: - link = obj.get('link') - bucket = obj.get('bucket_name') - messageId = obj.get('sqs_message_id') - file_size = obj.get('file_size', 0) - accumulated_file_size += file_size - + link = obj.get("link") + bucket = obj.get("bucket_name") + messageId = obj.get("sqs_message_id") + file_size = obj.get("file_size", 0) + accumulated_file_size += file_size + if fileToBeFiltered(link): continue - + sqs_ids_seen_so_far += 1 - stream_name = AUDIT_LOGS_CUSTOM_TABLE if 'auditable' in link else FLOW_LOGS_CUSTOM_TABLE + stream_name = ( + AUDIT_LOGS_CUSTOM_TABLE + if "auditable" in link + else FLOW_LOGS_CUSTOM_TABLE + ) - file_stats = {"Trigger":"Queue", "stream_name":stream_name, "Type":"file_stats", "link": link, "bucket": bucket, "sqs_message_id": messageId, "file_size_bytes": file_size} + file_stats = { + "Trigger": "Queue", + "stream_name": stream_name, + "Type": "file_stats", + "link": link, + "bucket": bucket, + "sqs_message_id": messageId, + "file_size_bytes": file_size, + } logging.info(json.dumps(file_stats)) - + async with _create_s3_client() as client: async with aiohttp.ClientSession() as session: - - if link: + + if link: sentinel_connector = 
sentinel_connectors[stream_name] - if sentinel_connector is not None: # in case, user selected auditable only but flow event is being processed from sqs - total_events += await process_file(bucket, link, client, sentinel_connector) - + if ( + sentinel_connector is not None + ): # in case, user selected auditable only but flow event is being processed from sqs + total_events += await process_file( + bucket, link, client, sentinel_connector + ) + # ensure data is flushed at the end in case queue limit of 4000 is not reached for connector in sentinel_connectors.keys(): await sentinel_connectors[connector].flush() - event_stats = {"Trigger":"Queue", "Type":"event_stats", "total_events": total_events, "sqs_ids_seen_so_far": sqs_ids_seen_so_far, "aggregated_file_size": accumulated_file_size} + event_stats = { + "Trigger": "Queue", + "Type": "event_stats", + "total_events": total_events, + "sqs_ids_seen_so_far": sqs_ids_seen_so_far, + "aggregated_file_size": accumulated_file_size, + } logging.info(json.dumps(event_stats)) async def process_file(bucket, s3_path, client, sentinel_connector): - + event_count = 0 s3_path = urllib.parse.unquote(s3_path) response = await client.get_object(Bucket=bucket, Key=s3_path) - s = '' - - async for decompressed_chunk in AsyncGZIPDecompressedStream(response['Body']): - s += decompressed_chunk.decode(errors='ignore') - lines = re.split(r'{0}'.format(LINE_SEPARATOR), s) + s = "" + + async for decompressed_chunk in AsyncGZIPDecompressedStream(response["Body"]): + s += decompressed_chunk.decode(errors="ignore") + lines = re.split(r"{0}".format(LINE_SEPARATOR), s) for n, line in enumerate(lines): if n < len(lines) - 1: if line: 
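Review bot: The `except ValueError: pass` around `json.loads(result["body"].decode("ascii").replace("'", '"'))` discards the whole queue message without a log line when the body fails to parse. Rewriting quotes to turn what looks like a Python repr into JSON breaks as soon as an S3 key contains an apostrophe or a double quote, and a non-ASCII key makes `.decode("ascii")` raise `UnicodeDecodeError`, which is also a `ValueError`. Each message lists files whose SQS notifications aws_queue.py (later in this diff) has already deleted, so a parse failure here loses those audit and flow logs with no trace. At minimum replace `pass` with `logging.error("[QueueTrigger] Could not parse queue message {}".format(msg.id))`, and preferably have the producer serialize with `json.dumps` so no quote rewriting is needed. `main` starts before this hunk.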
@@ -141,16 +171,24 @@ async def process_file(bucket, s3_path, client, sentinel_connector): event = json.loads(line) event_count += 1 except ValueError as e: - logging.error('[QueueTrigger] Error while loading json Event at s value {}. Error: {}'.format(line, str(e))) + logging.error( + "[QueueTrigger] Error while loading json Event at s value {}. Error: {}".format( + line, str(e) + ) + ) continue - await sentinel_connector.send(event) + await sentinel_connector.send(event) s = line if s: try: - event = json.loads(line) + event = json.loads(line) except ValueError as e: - logging.error('[QueueTrigger] Error while loading json Event at s value {}. Error: {}'.format(line, str(e))) - await sentinel_connector.send(event) + logging.error( + "[QueueTrigger] Error while loading json Event at s value {}. Error: {}".format( + line, str(e) + ) + ) + await sentinel_connector.send(event) - return event_count \ No newline at end of file + return event_count diff --git a/Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py b/Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py index 9b4c873dc21..dedbf9d296e 100644 --- a/Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py +++ b/Solutions/IllumioSaaS/Data Connectors/TimedApiFunctionApp/api_response.py 
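Review bot: In the trailing `if s:` block at the end of `process_file`, a `json.loads(line)` failure is logged and `await sentinel_connector.send(event)` still runs, so `event` is either the previously sent event (a duplicate record in Sentinel) or unbound, which raises `NameError` when the file held no earlier valid line. Indentation is flattened on this page, so the exact nesting is inferred, but neither placement sends only a freshly parsed event. Moving the send into the `try`'s `else` branch, `else: await sentinel_connector.send(event)` followed by `event_count += 1`, fixes this and also counts the last line, which the current code leaves out of `event_count`. The function begins before this hunk.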
@@ -5,96 +5,116 @@ import polars as pl import json import aiohttp -from .. import constants -from ..sentinel_connector import AzureSentinelConnectorAsync - -API_KEY = constants.API_KEY -API_SECRET = constants.API_SECRET -PCE_FQDN = constants.PCE_FQDN -PORT = constants.PORT -ORG_ID = constants.ORG_ID - -AZURE_TENANT_ID = constants.AZURE_TENANT_ID -AZURE_CLIENT_ID = constants.AZURE_CLIENT_ID -AZURE_CLIENT_SECRET = constants.AZURE_CLIENT_SECRET -DCE_ENDPOINT = constants.DCE_ENDPOINT -DCR_ID = constants.DCR_ID -LOG_ANALYTICS_URI = constants.LOG_ANALYTICS_URI -WORKLOADS_API_LOGS_CUSTOM_TABLE = constants.WORKLOADS_API_LOGS_CUSTOM_TABLE -WORKSPACE_ID = constants.WORKSPACE_ID -MAX_WORKLOADS = constants.MAX_WORKLOADS - -URL = 'https://{}:{}/api/v2/orgs/{}/workloads/?max_results={}'.format(PCE_FQDN, PORT, ORG_ID, MAX_WORKLOADS) - -credentials = b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode('utf-8') -headers = { - "Authorization": f"Basic {credentials}", - "Content-type": "application/json" -} +from ..CommonCode.sentinel_connector import AzureSentinelConnectorAsync +from ..CommonCode.constants import ( + API_KEY, + API_SECRET, + PCE_FQDN, + PORT, + ORG_ID, + AZURE_CLIENT_ID, + AZURE_CLIENT_SECRET, + AZURE_TENANT_ID, + DCE_ENDPOINT, + DCR_ID, + WORKLOADS_API_LOGS_CUSTOM_TABLE, + MAX_WORKLOADS, +) + +URL = "https://{}:{}/api/v2/orgs/{}/workloads/?max_results={}".format( + PCE_FQDN, PORT, ORG_ID, MAX_WORKLOADS +) + +credentials = b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode("utf-8") +headers = {"Authorization": f"Basic {credentials}", "Content-type": "application/json"} + def getVensByVersion(data): try: - filtered_data = data.filter(pl.col('managed') == True) - grouped_data = filtered_data.group_by('ven.version').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(grouped_data['ven.version'], grouped_data['size'])) + filtered_data = data.filter(pl.col("managed") == True) + grouped_data = ( + filtered_data.group_by("ven.version").agg(pl.len()).rename({"len": 
"size"}) + ) + return dict(zip(grouped_data["ven.version"], grouped_data["size"])) except Exception as e: # You can log the exception here if needed logging.error("getVensByVersion error: {e}") - return {} - + return {} + + def getVensByManaged(data): - try: - grouped_data = data.group_by('managed').agg(pl.len()).rename({'len': 'size'}) + try: + grouped_data = data.group_by("managed").agg(pl.len()).rename({"len": "size"}) # Convert to dictionary - return dict(zip(grouped_data['managed'], grouped_data['size'])) + return dict(zip(grouped_data["managed"], grouped_data["size"])) except Exception as e: logging.error("getVensByManaged error: {e}") - return {} + return {} + def getVensByType(data): - try: - filtered_data = data.filter(pl.col('managed') == True) - results = filtered_data.group_by('ven.ven_type').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(results['ven.ven_type'], results['size'])) + try: + filtered_data = data.filter(pl.col("managed") == True) + results = ( + filtered_data.group_by("ven.ven_type").agg(pl.len()).rename({"len": "size"}) + ) + return dict(zip(results["ven.ven_type"], results["size"])) except Exception as e: logging.error("getVensByType error: {e}") - return {} + return {} + def getVensByOS(data): - try: - filtered_data = data.filter(pl.col('managed') == True) - results = filtered_data.group_by('os_id').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(results['os_id'], results['size'])) + try: + filtered_data = data.filter(pl.col("managed") == True) + results = filtered_data.group_by("os_id").agg(pl.len()).rename({"len": "size"}) + return dict(zip(results["os_id"], results["size"])) except Exception as e: logging.error("getVensByOS error: {e}") - return {} + return {} + def getVensByEnforcementMode(data): try: - filtered_data = data.filter(pl.col('managed') == True) - results = filtered_data.group_by('enforcement_mode').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(results['enforcement_mode'], results['size'])) + 
filtered_data = data.filter(pl.col("managed") == True) + results = ( + filtered_data.group_by("enforcement_mode") + .agg(pl.len()) + .rename({"len": "size"}) + ) + return dict(zip(results["enforcement_mode"], results["size"])) except Exception as e: logging.error("getVensByEnforcementMode error: {e}") - return {} + return {} + def getVensByStatus(data): - try: - filtered_data = data.filter(pl.col('managed') == True) - results = filtered_data.group_by('ven.status').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(results['ven.status'], results['size'])) + try: + filtered_data = data.filter(pl.col("managed") == True) + results = ( + filtered_data.group_by("ven.status").agg(pl.len()).rename({"len": "size"}) + ) + return dict(zip(results["ven.status"], results["size"])) except Exception as e: logging.error("getVensByStatus error: {e}") - return {} + return {} + def getVensBySyncState(data): - try: - filtered_data = data.filter(pl.col('managed') == True) - results = filtered_data.group_by('agent.status.security_policy_sync_state').agg(pl.len()).rename({'len': 'size'}) - return dict(zip(results['agent.status.security_policy_sync_state'], results['size'])) + try: + filtered_data = data.filter(pl.col("managed") == True) + results = ( + filtered_data.group_by("agent.status.security_policy_sync_state") + .agg(pl.len()) + .rename({"len": "size"}) + ) + return dict( + zip(results["agent.status.security_policy_sync_state"], results["size"]) + ) except Exception as e: logging.error("getVensBySyncState error: {e}") - return {} + return {} + async def main(mytimer: func.TimerRequest) -> None: logging.debug("url to be exercised is {} ".format(URL)) 
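Review bot: The error handlers in `getVensByVersion` and the six sibling `getVensBy*` functions call `logging.error("getVensByVersion error: {e}")` with a plain string, so the literal text `{e}` is logged and the exception itself is lost. Use `logging.error(f"getVensByVersion error: {e}")` or, to keep the traceback, `logging.exception("getVensByVersion error")`, in each of the seven handlers. Because every handler then returns `{}`, a schema change or a polars failure currently produces an empty summary that cannot be told apart in the logs from a genuinely empty result.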
@@ -106,10 +126,10 @@ async def main(mytimer: func.TimerRequest) -> None: else: logging.info("[TimedApi] Error in response {}".format(response)) return - + response = json.loads(response.text) - df = pl.json_normalize(response, infer_schema_length = None) - + df = pl.json_normalize(response, infer_schema_length=None) + vens_by_version = getVensByVersion(df) vens_by_managed = getVensByManaged(df) vens_by_type = getVensByType(df) 
@@ -118,18 +138,34 @@ async def main(mytimer: func.TimerRequest) -> None: vens_by_status = getVensByStatus(df) vens_by_sync_state = getVensBySyncState(df) api_response = [] - api_response.append({"vens_by_version": vens_by_version, - "vens_by_managed": vens_by_managed, - "vens_by_type": vens_by_type, - "vens_by_os": vens_by_os, - "vens_by_enforcement_mode": vens_by_enf_mode, - "vens_by_status": vens_by_status, - "vens_by_sync_state": vens_by_sync_state, - "pce_fqdn": PCE_FQDN - }) - - logging.info("[TimedApi] Summary of workload api response that will be stored in log analytics table is {}".format(api_response)) - + api_response.append( + { + "vens_by_version": vens_by_version, + "vens_by_managed": vens_by_managed, + "vens_by_type": vens_by_type, + "vens_by_os": vens_by_os, + "vens_by_enforcement_mode": vens_by_enf_mode, + "vens_by_status": vens_by_status, + "vens_by_sync_state": vens_by_sync_state, + "pce_fqdn": PCE_FQDN, + } + ) + + logging.info( + "[TimedApi] Summary of workload api response that will be stored in log analytics table is {}".format( + api_response + ) + ) + async with aiohttp.ClientSession() as session: - sentinel = AzureSentinelConnectorAsync(session, DCE_ENDPOINT, DCR_ID, WORKLOADS_API_LOGS_CUSTOM_TABLE, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, queue_size=1) - await sentinel.send(api_response) \ No newline at end of file + sentinel = AzureSentinelConnectorAsync( + session, + DCE_ENDPOINT, + DCR_ID, + WORKLOADS_API_LOGS_CUSTOM_TABLE, + AZURE_CLIENT_ID, + AZURE_CLIENT_SECRET, + AZURE_TENANT_ID, + queue_size=1, + ) + await sentinel.send(api_response) diff --git a/Solutions/IllumioSaaS/Data Connectors/TimedSQSFunctionApp/aws_queue.py b/Solutions/IllumioSaaS/Data Connectors/TimedSQSFunctionApp/aws_queue.py index a7c80b7f9b8..934b234ad76 100644 --- a/Solutions/IllumioSaaS/Data Connectors/TimedSQSFunctionApp/aws_queue.py +++ b/Solutions/IllumioSaaS/Data Connectors/TimedSQSFunctionApp/aws_queue.py 
@@ -5,94 +5,154 @@ import logging import azure.functions as func import urllib.parse -from ..azure_storage_queue import AzureStorageQueueHelper import traceback import base64 -from .. import constants - -AWS_KEY = constants.AWS_KEY -AWS_SECRET = constants.AWS_SECRET -AWS_REGION_NAME = constants.AWS_REGION_NAME -SQS_QUEUE_URL = constants.SQS_QUEUE_URL -VISIBILITY_TIMEOUT = 1800 -LINE_SEPARATOR = constants.LINE_SEPARATOR -MAX_SCRIPT_EXEC_TIME_MINUTES = constants.MAX_SCRIPT_EXEC_TIME_MINUTES -FLOW_LOGS_CUSTOM_TABLE = constants.FLOW_LOGS_CUSTOM_TABLE -AUDIT_LOGS_CUSTOM_TABLE = constants.AUDIT_LOGS_CUSTOM_TABLE -AZURE_STORAGE_CONNECTION_STRING = constants.AZURE_STORAGE_CONNECTION_STRING -MAX_QUEUE_MESSAGES_MAIN_QUEUE = constants.MAX_QUEUE_MESSAGES_MAIN_QUEUE -MAX_ACCUMULATED_FILE_SIZE = 500*1000 # 500kb -MAX_AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT = 64*1000 # 64KB -AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT = 0.5 * MAX_AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT #32kb -SQS_FILES_READ_LIMIT = constants.SQS_FILES_READ_LIMIT -LOGS_TO_CONSUME = constants.LOGS_TO_CONSUME +from ..CommonCode.azure_storage_queue import AzureStorageQueueHelper +from ..CommonCode.helper import skip_processing_file, check_if_script_runs_too_long +from ..CommonCode.constants import ( + AWS_KEY, + AWS_REGION_NAME, + AWS_SECRET, + SQS_QUEUE_URL, + VISIBILITY_TIMEOUT, + LINE_SEPARATOR, + MAX_SCRIPT_EXEC_TIME_MINUTES, + FLOW_LOGS_CUSTOM_TABLE, + AUDIT_LOGS_CUSTOM_TABLE, + AZURE_STORAGE_CONNECTION_STRING, + MAX_QUEUE_MESSAGES_MAIN_QUEUE, + SQS_FILES_READ_LIMIT, + LOGS_TO_CONSUME, + ALL_TRAFFIC, + FLOW_EVENTS, + AUDIT_EVENTS, + AZURE_STORAGE_BACKLOG_QUEUE, + AZURE_STORAGE_PRIMARY_QUEUE, + NETWORK_TRAFFIC_TO_CONSUME, + ALLOWED_TRAFFIC, + POTENTIALLY_BLOCKED_TRAFFIC, + BLOCKED_TRAFFIC, + UNKNOWN_TRAFFIC, +) + +MAX_ACCUMULATED_FILE_SIZE = 500 * 1000 # 500kb +MAX_AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT = 64 * 1000 # 64KB +AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT = ( + 0.5 * MAX_AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT +) # 32kb + 
sentinel_connectors = {} + # Defining the SQS Client object based on AWS Credentials def _create_sqs_client(): sqs_session = get_session() return sqs_session.create_client( - 'sqs', - region_name=AWS_REGION_NAME, - aws_access_key_id=AWS_KEY, - aws_secret_access_key=AWS_SECRET - ) - -# This method checks if the script has ran "percentage" amount of time from starting of the script -# percentage: double -# script_start_time : datetime -def check_if_script_runs_too_long(percentage, script_start_time): - now = int(time.time()) - duration = now - script_start_time - max_duration = int(MAX_SCRIPT_EXEC_TIME_MINUTES * 60 * percentage) - return duration > max_duration - -def process_body_obj(body): - # SQS record info can sometimes be encompassed within a SNS notification in certain deployments, hence - # its better to make this method compatible with both SNS topics and SQS + "sqs", + region_name=AWS_REGION_NAME, + aws_access_key_id=AWS_KEY, + aws_secret_access_key=AWS_SECRET, + ) + + +# SQS record info can sometimes be encompassed within a SNS notification in certain deployments, hence +# its better to make this method compatible with both SNS topics and SQS +def process_sqs_body(body): # Check if the message is from SNS try: record = None - if body.get('Type'): + if body.get("Type"): # Extract the actual SQS message from the SNS message - record = json.loads(body['Message']) - record = record['Records'][0] + record = json.loads(body["Message"]) + record = record["Records"][0] else: # Assume the message is directly from SQS - record = body['Records'][0] - file_path = record['s3']['object']['key'] # full path to s3 - file_size = record['s3']['object']['size'] # in bytes - bucket_name = record['s3']['bucket']['name'] + record = body["Records"][0] + file_path = record["s3"]["object"]["key"] # full path to s3 + file_size = record["s3"]["object"]["size"] # in bytes + bucket_name = record["s3"]["bucket"]["name"] except Exception as e: logging.error("Error {} observed when 
parsing queue body".format(e)) return None, None, None - + return file_path, file_size, bucket_name -def getStringSize(file_arr): - message_bytes = str(file_arr).encode('ascii') + +def get_string_size(file_arr): + message_bytes = str(file_arr).encode("ascii") base64_bytes = base64.b64encode(message_bytes) return len(base64_bytes) -def split_request_payload(file_arr): - mid = len(file_arr)//2 - return file_arr[:mid], file_arr[mid:] + +def split_request_payload(payload): + mid = len(payload) // 2 + return payload[:mid], payload[mid:] + def enqueue_message_helper(mainQueueHelper, backlogQueueHelper, file_arr): if mainQueueHelper.get_queue_current_count() >= MAX_QUEUE_MESSAGES_MAIN_QUEUE: - backlogQueueHelper.send_to_queue(file_arr,True) + backlogQueueHelper.send_to_queue(file_arr, True) else: - mainQueueHelper.send_to_queue(file_arr,True) - -def fileToBeFiltered(file_path): - if LOGS_TO_CONSUME == 'All': - return False - - if 'auditable' in file_path: - return 'Flow Summaries' in LOGS_TO_CONSUME - else: - return 'Auditable Events' in LOGS_TO_CONSUME + mainQueueHelper.send_to_queue(file_arr, True) + + +async def delete_file_from_sqs(client, msg, body_obj): + try: + await client.delete_message( + QueueUrl=SQS_QUEUE_URL, + ReceiptHandle=msg["ReceiptHandle"], + ) + logging.info( + "Deleted file whose receipt handle is {}".format(msg["ReceiptHandle"]) + ) + except Exception as e: + logging.error( + "[AWSQueue] Error during deleting message with MessageId {} from queue. Bucket: {}. Error: {}".format( + msg["MessageId"], body_obj["s3"]["bucket"], e + ) + ) + + +def skip_processing_network_traffic_file(file_path, network_traffic_logs_to_consume): + """ + Network traffic is stored in s3 in the following format + pce/pd=0/.. + pce/pd=1/.. + pce/pd=2/.. + pce/pd=3/.. 
+ + This method will be used to filter which network traffic logs should be consumed/ingested + Args: + file_path: file path should contain the mapping info + + """ + # do not process audit event + if "auditable" in file_path: + return False + + pd_mapping = { + ALLOWED_TRAFFIC: "pd=0", + POTENTIALLY_BLOCKED_TRAFFIC: "pd=1", + BLOCKED_TRAFFIC: "pd=2", + UNKNOWN_TRAFFIC: "pd=3", + } + network_traffic_logs_to_consume = network_traffic_logs_to_consume.split(",") + file_path = urllib.parse.unquote(file_path) + + if ALL_TRAFFIC in network_traffic_logs_to_consume: + return False + + # Suppose file_pd is "pd=2", which means customer wants to ingest only blocked traffic + # and file_path contains pd=0 (allowed), then this method returns True, as in, skip the file + # else return False and process it + for pd in network_traffic_logs_to_consume: + if pd_mapping[pd] in file_path: + return False + + # skip the file if it doesnt match the conditions + return True + # Start unloading contents of file_arr onto azure queues # There is a main queue and a backlog queue to choose from 
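Review bot: The `except` branch of `delete_file_from_sqs` formats its message with `body_obj["s3"]["bucket"]`, but `process_sqs_body` in this same hunk reads the bucket from `Records[0]["s3"]["bucket"]` (or from the SNS `Message` string), so `body_obj` has no top-level `"s3"` key. A failed `delete_message` therefore raises `KeyError` from inside the handler, hides the original error and propagates to the caller instead of being logged. Dropping the bucket from the message, `"[AWSQueue] Error deleting message with MessageId {} from queue. Error: {}".format(msg["MessageId"], e)`, or passing in the already extracted `bucket_name`, keeps the handler from failing. Separately, `skip_processing_network_traffic_file` indexes `pd_mapping[pd]` on raw `split(",")` items, so a setting with surrounding spaces or an unknown name raises `KeyError`; `pd_mapping.get(pd.strip())` with a logged warning for unknown names would tolerate that.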
@@ -100,98 +160,177 @@ def fileToBeFiltered(file_path): # async def enqueue_message_azure(mainQueueHelper, backlogQueueHelper, file_arr): if len(file_arr) > 0: - if getStringSize(file_arr) >= AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT: # greater than 32kb; each queue element can be upto 64kb in size - first_half, second_half = split_request_payload(file_arr) + if ( + get_string_size(file_arr) >= AZURE_QUEUE_SIZE_PER_ELEMENT_LIMIT + ): # greater than 32kb; each queue element can be upto 64kb in size + first_half, second_half = split_request_payload(file_arr) enqueue_message_helper(mainQueueHelper, backlogQueueHelper, first_half) enqueue_message_helper(mainQueueHelper, backlogQueueHelper, second_half) else: enqueue_message_helper(mainQueueHelper, backlogQueueHelper, file_arr) -# Ensure flushing messages happens during these times: -# 1. When script has reached 90% of execution time -# 2. When files accumulated has crossed MAX_ACCUMULATED_FILE_SIZE -# 3. When there are no more messages in SQS -# 4. Check if user chose a specific log type or wants all logs types to be processed, in this case, lesser storage + async def main(mytimer: func.TimerRequest): - #logger = logging.getLogger('azure') - #logger.setLevel(logging.INFO) + """ + Ensure flushing messages happens during these times: + 1. When script has reached 90% of execution time + 2. When files accumulated has crossed MAX_ACCUMULATED_FILE_SIZE + 3. When there are no more messages in SQS + 4. 
Check if user chose a specific log type or wants all logs types to be processed, in this case, lesser storage + + Args: + mytimer (func.TimerRequest): timer set in function app + """ script_start_time = int(time.time()) async with _create_sqs_client() as client: - mainQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items") - backlogQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items-backlog") + mainQueueHelper = AzureStorageQueueHelper( + connectionString=AZURE_STORAGE_CONNECTION_STRING, + queueName=AZURE_STORAGE_PRIMARY_QUEUE, + ) + backlogQueueHelper = AzureStorageQueueHelper( + connectionString=AZURE_STORAGE_CONNECTION_STRING, + queueName=AZURE_STORAGE_BACKLOG_QUEUE, + ) files_processed = 0 - accumulated_file_size = 0 # logic is to accumulate file sizes upto MAX_ACCUMULATED_FILE_SIZE + accumulated_file_size = ( + 0 # logic is to accumulate file sizes upto MAX_ACCUMULATED_FILE_SIZE + ) file_arr = [] while True: try: # This should return MaxNumberOfMessages message from SQS only - response = await client.receive_message(QueueUrl=SQS_QUEUE_URL, MaxNumberOfMessages=10, WaitTimeSeconds=2, VisibilityTimeout=VISIBILITY_TIMEOUT) + response = await client.receive_message( + QueueUrl=SQS_QUEUE_URL, + MaxNumberOfMessages=10, + WaitTimeSeconds=2, + VisibilityTimeout=VISIBILITY_TIMEOUT, + ) - if 'Messages' in response: # this is an array - for msg in response['Messages']: - body_obj = json.loads(msg['Body']) - file_path, file_size, bucket_name = process_body_obj(body_obj) + if "Messages" in response: # this is an array + for msg in response["Messages"]: + body_obj = json.loads(msg["Body"]) + file_path, file_size, bucket_name = process_sqs_body(body_obj) - if file_path is None: # case when sqs message doesnt have any records in it - return + if ( + file_path is None + ): # case when sqs message doesnt have any records in it + return - if 
fileToBeFiltered(file_path): - logging.warn('[AWSQueue] Skipping file since logs to be consumed is {}, but file is {}'.format(LOGS_TO_CONSUME, file_path)) - continue + # decide whether audit or network traffic or both should be consumed or not + if skip_processing_file(file_path): + logging.warn( + "[AWSQueue] Skipping file since logs to be consumed is {}, but file is {}".format( + LOGS_TO_CONSUME, file_path + ) + ) + await delete_file_from_sqs(client, msg, body_obj) + continue + + # decide which network traffic file paths to consume + if skip_processing_network_traffic_file( + file_path, NETWORK_TRAFFIC_TO_CONSUME + ): + logging.warn( + "[AWSQueue] Skipping network traffic file since logs to be consumed is {}, but file is {}".format( + NETWORK_TRAFFIC_TO_CONSUME, file_path + ) + ) + await delete_file_from_sqs(client, msg, body_obj) + continue files_processed += 1 - + accumulated_file_size += file_size - - file_arr.append({"link": urllib.parse.unquote(file_path), - "file_size": file_size, - "bucket_name": bucket_name, - "sqs_message_id": msg['MessageId'] - }) - - try: - await client.delete_message(QueueUrl=SQS_QUEUE_URL, ReceiptHandle=msg['ReceiptHandle']) - except Exception as e: - logging.error("[AWSQueue] Error during deleting message with MessageId {} from queue. Bucket: {}. 
Error: {}".format(msg['MessageId'], body_obj['s3']['bucket'], e)) - continue + + file_arr.append( + { + "link": urllib.parse.unquote(file_path), + "file_size": file_size, + "bucket_name": bucket_name, + "sqs_message_id": msg["MessageId"], + } + ) + + await delete_file_from_sqs(client, msg, body_obj) # ensure to return if files processed are more than the limit if files_processed >= SQS_FILES_READ_LIMIT: - logging.warn('[AWSQueue] Have processed {} files and hence exiting'.format(files_processed)) - await enqueue_message_azure(mainQueueHelper, backlogQueueHelper, file_arr) - file_stats = {"Trigger":"Timer", "Type":"FileStats", "file_count": len(file_arr), "azure_queue_size": getStringSize(file_arr), "aggregated_file_size": accumulated_file_size} - logging.info(json.dumps(file_stats)) - return - - if check_if_script_runs_too_long(0.90, script_start_time): - logging.warn('[AWSQueue]SQS Queue manager has run close to 90 percentage of max time. Flushing files to queue before termination') - await enqueue_message_azure(mainQueueHelper, backlogQueueHelper, file_arr) - file_stats = {"Trigger":"Timer", "Type":"FileStats", "file_count": len(file_arr), "azure_queue_size": getStringSize(file_arr), "aggregated_file_size": accumulated_file_size} + logging.warn( + "[AWSQueue] Have processed {} files and hence exiting".format( + files_processed + ) + ) + await enqueue_message_azure( + mainQueueHelper, backlogQueueHelper, file_arr + ) + file_stats = { + "Trigger": "Timer", + "Type": "FileStats", + "file_count": len(file_arr), + "azure_queue_size": get_string_size(file_arr), + "aggregated_file_size": accumulated_file_size, + } logging.info(json.dumps(file_stats)) - return + return + if check_if_script_runs_too_long(0.90, script_start_time): + logging.warn( + "[AWSQueue]SQS Queue manager has run close to 90 percentage of max time. 
Flushing files to queue before termination" + ) + await enqueue_message_azure( + mainQueueHelper, backlogQueueHelper, file_arr + ) + file_stats = { + "Trigger": "Timer", + "Type": "FileStats", + "file_count": len(file_arr), + "azure_queue_size": get_string_size(file_arr), + "aggregated_file_size": accumulated_file_size, + } + logging.info(json.dumps(file_stats)) + return # decide whether file size accumulated so far has reached limit or not # if not, wait, else if nothing else left, just add it to queue and terminate function - + if accumulated_file_size >= MAX_ACCUMULATED_FILE_SIZE: - await enqueue_message_azure(mainQueueHelper, backlogQueueHelper, file_arr) - logging.info("[AWSQueue] Crossed the max file size limit, enqueing messages in azure queue") - file_stats = {"Trigger":"Timer", "Type":"FileStats", "file_count": len(file_arr), "azure_queue_size": getStringSize(file_arr), "aggregated_file_size": accumulated_file_size} + await enqueue_message_azure( + mainQueueHelper, backlogQueueHelper, file_arr + ) + logging.info( + "[AWSQueue] Crossed the max file size limit, enqueing messages in azure queue" + ) + file_stats = { + "Trigger": "Timer", + "Type": "FileStats", + "file_count": len(file_arr), + "azure_queue_size": get_string_size(file_arr), + "aggregated_file_size": accumulated_file_size, + } logging.info(json.dumps(file_stats)) accumulated_file_size = 0 - file_arr.clear() + file_arr.clear() else: - logging.info("[AWSQueue] There are no messages in SQS, attempting to enqueue files seen so far") - await enqueue_message_azure(mainQueueHelper, backlogQueueHelper, file_arr) - file_stats = {"Trigger":"Timer", "Type":"FileStats", "file_count": len(file_arr), "azure_queue_size": getStringSize(file_arr), "aggregated_file_size": accumulated_file_size} + logging.info( + "[AWSQueue] There are no messages in SQS, attempting to enqueue files seen so far" + ) + await enqueue_message_azure( + mainQueueHelper, backlogQueueHelper, file_arr + ) + file_stats = { + "Trigger": 
"Timer", + "Type": "FileStats", + "file_count": len(file_arr), + "azure_queue_size": get_string_size(file_arr), + "aggregated_file_size": accumulated_file_size, + } logging.info(json.dumps(file_stats)) - return + return except Exception as e: logging.warning(traceback.format_exc()) - return \ No newline at end of file + return diff --git a/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json b/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json index 7680d228fee..e34c236e81f 100644 --- a/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json +++ b/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json @@ -252,6 +252,10 @@ "name": "un", "type": "string" }, + { + "name": "sn", + "type": "string" + }, { "name": "src_ip", "type": "string" @@ -512,6 +516,10 @@ "name": "un", "type": "string" }, + { + "name": "sn", + "type": "string" + }, { "name": "src_ip", "type": "string" @@ -839,7 +847,7 @@ }, { "name": "WEBSITE_RUN_FROM_PACKAGE", - "value": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip" + "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-m2/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip" }, { "name": "FUNCTIONS_WORKER_RUNTIME", @@ -965,6 +973,10 @@ { "name": "SQS_FILES_READ_LIMIT", "value": "200" + }, + { + "name": "networkTrafficLogTypes", + "value": "All" } ], "cors": { diff --git a/Solutions/IllumioSaaS/Data Connectors/constants.py b/Solutions/IllumioSaaS/Data Connectors/constants.py deleted file mode 100644 index 793a252b192..00000000000 --- a/Solutions/IllumioSaaS/Data Connectors/constants.py +++ /dev/null 
@@ -1,34 +0,0 @@
-import os
-
-# AWS config
-AWS_KEY = os.environ['AWS_KEY']
-AWS_SECRET = os.environ['AWS_SECRET']
-AWS_REGION_NAME = os.environ['AWS_REGION_NAME']
-SQS_QUEUE_URL = os.environ['SQS_QUEUE_URL']
-VISIBILITY_TIMEOUT = 1800
-LINE_SEPARATOR = os.environ.get('lineSeparator', '[\n\r\x0b\v\x0c\f\x1c\x1d\x85\x1e\u2028\u2029]+') # used in aws_queue and queue trigger.py
-MAX_SCRIPT_EXEC_TIME_MINUTES = int(os.environ.get('MAX_SCRIPT_EXEC_TIME_MINUTES', 10))
-SQS_FILES_READ_LIMIT = int(os.environ.get('SQS_FILES_READ_LIMIT', 200))
-
-#PCE config
-API_KEY = os.environ['API_KEY']
-API_SECRET = os.environ['API_SECRET']
-PCE_FQDN = os.environ['PCE_FQDN']
-PORT = int(os.environ.get('PCE_PORT', 443))
-ORG_ID = os.environ['ORG_ID']
-MAX_WORKLOADS = os.environ.get('MAX_WORKLOADS', 100000)
-LOGS_TO_CONSUME = os.environ.get('logTypes', 'All')
-
-#Azure config
-AZURE_TENANT_ID = os.environ['AZURE_TENANT_ID']
-AZURE_CLIENT_ID = os.environ['AZURE_CLIENT_ID']
-AZURE_CLIENT_SECRET = os.environ['AZURE_CLIENT_SECRET']
-DCE_ENDPOINT = os.environ['DCE_ENDPOINT']
-DCR_ID = os.environ['DCR_ID']
-LOG_ANALYTICS_URI = os.environ['LOG_ANALYTICS_URI']
-WORKLOADS_API_LOGS_CUSTOM_TABLE = os.environ['WORKLOADS_API_LOGS_CUSTOM_TABLE']
-FLOW_LOGS_CUSTOM_TABLE = os.environ['FLOW_LOGS_CUSTOM_TABLE']
-AUDIT_LOGS_CUSTOM_TABLE = os.environ['AUDIT_LOGS_CUSTOM_TABLE']
-WORKSPACE_ID = os.environ['WORKSPACE_ID']
-AZURE_STORAGE_CONNECTION_STRING = os.environ['AzureWebJobsStorage']
-MAX_QUEUE_MESSAGES_MAIN_QUEUE = int(os.environ.get('MAX_QUEUE_MESSAGES_MAIN_QUEUE', 80))
diff --git a/Solutions/IllumioSaaS/Data Connectors/createUiDefinition.json b/Solutions/IllumioSaaS/Data Connectors/createUiDefinition.json
index 36cd721fb3c..7ad915c0dca 100644
--- a/Solutions/IllumioSaaS/Data Connectors/createUiDefinition.json
+++ b/Solutions/IllumioSaaS/Data Connectors/createUiDefinition.json
@@ -194,7 +194,7 @@
 ],
 "required": true
 }
- }
+ }
 ],
 "steps": [
 {
@@ -553,7 +553,7 @@
 "logAnalyticsWorkspaceResourceGroup": "[first(map(filter(basics('getLAWorkspace').value, (filter) => equals(filter.name,basics('logAnalyticsWorkspace'))), (item) => substring(item.id, add(lastIndexOf(first(split(item.id,'/providers/')),'/'),1), sub(length(first(split(item.id,'/providers/'))), add(lastIndexOf(first(split(item.id,'/providers/')),'/'),1)) ) ))]",
 "dataCollectionEndpoint": "[coalesce(steps('DataIngestionConfig').DCEConfigSection.SelectExistingDCE, coalesce(steps('DataIngestionConfig').DCEConfigSection.input-dce-name,''))]",
 "dataCollectionRule": "[coalesce(steps('DataIngestionConfig').DCRConfigSection.SelectExistingDCR, coalesce(steps('DataIngestionConfig').DCRConfigSection.dcr-data_name_input, ''))]",
- "logTypes": "[basics('LogSelector')]",
+ "logTypes": "[basics('LogSelector')]",
 "workspaceResourceID": "[basics('WorkspaceResourceID')]",
 "enablePrivateNetworking": "[basics('AzureFunctionsDetailsSection').enablePrivateNetworking]",
 "storageAccountName": "[basics('AzureFunctionsDetailsSection').storageAccountName]",
diff --git a/Solutions/IllumioSaaS/Package/3.2.0.zip b/Solutions/IllumioSaaS/Package/3.2.0.zip
index 2ea39e72118..d60891cde85 100644
Binary files a/Solutions/IllumioSaaS/Package/3.2.0.zip and b/Solutions/IllumioSaaS/Package/3.2.0.zip differ