Axon Data Schema Guide
Each log message produced by a source is written in its own language. The Data Schema assists in understanding these log messages by providing a common language. The processing of these messages translates the log messages written in these different languages to the common Axon Data Schema.
The Parts of the Log Message
The actors within a log message are described in the concepts of origin, target, and observer. These actors can be either accounts (such as user accounts) or hosts (such as workstations and servers). One, two, or all three of these types of actors can be present in the log message.
- The initiator of the action.
- The source of network traffic.
- The source of a security threat.
- The account targeted by an action.
- The host or account targeted by a security threat.
The destination of network traffic.
Indicating a target host or account does not indicate that the action was successful, only that the described action was attempted against that host or account.
- The recorder of network traffic. For example, a network firewall.
- The detector of a threat or vulnerability.
Each log message describes an action that has occurred or is being requested. Actions can describe activities performed by a device, application, or account, or represent the status of a device, system, or application.
When there is an action, there are usually one or more objects that the action either effects, describes, or is otherwise relevant to the action. Each log message can contain multiple objects of either the same or different types.
If there is an action being attempted, there should also be a result recorded of that attempt. These include results such as success, failure, allow, deny, block, etc.
Each of the three parts described above (actors, actions, and objects) can have multiple attributes. File objects may have path, size, or hash attributes included in the message. User and Host actors may have name, ID, or domain attributes. These and additional attributes provide context and enrichment needed to properly understand a log message.