Group

The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain).

Data Type

String

Aliases

Use	Alias
Client Console Full Name	Group
Client Console Short Name	Not applicable
Web Console Tab/Name	Group
Elasticsearch Field Name	group
Rule Builder Column Name	Group
Regex Pattern	<group>
NetMon Name	Not applicable

Field Relationships

Login
Account
Domain
Session
SessionType
Policy

Common Applications

AD group
Linux user group
Security role

Use Case

Capturing active directory organizational unit.
Capturing certificate organizational units.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

Not Zone (internet, network, security).
Only to capture explicitly called out (user) group, organizational units, and roles.

Examples

Cylance

08 16 2016 22:42:18 1.1.1.1 <USER:NOTE> 250 <44>1 2016-08-17T04:42:20.0816805Z sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: Corporate; Devices: USABLDRRECFLOW01, , User: Dave Foss (pete.store@recordflow.biz) pete.store@recordflow.biz)

Corporate Zone is parsed here.

AWS

TS=2015-07-03T07:15:21Z ACCT=22222222222 RSRC=sg-22222222222 ARN= USABLDRRECFLOW01:security-group/sg- USABLDRRECFLOW01CREATETS= STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::SecurityGroup DETALS=ownerid=9052222962 groupname=launch-wizard-1 groupid=gg22222 description=launch-wizard-1 created 2015-07-03T00:07:57.767-07:00 vpcid=vpc-22222226

Groupname= parses into Group. Is explicit as a group.

Salesforce

EVT_TYP=RestApi TS=2015-07-13T22:37:51Z REQ_ID=3z1tWodgfdgdH5TjAgF- ORG_ID=00D00000000001 U_N=pete.store@recordflow.biz.isvdev01 RUN_T=77 CPU_T=19 CLNT_IP=1.1.1.1 URI=/services/data/v33.0/query

Organization ID parsed (specific to LogRhythm in this example).