Breadcrumbs

Group

The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain). 

Data Type

String

Aliases

Use

Alias

Client Console Full Name

Group

Client Console Short Name

Not applicable

Web Console Tab/Name

Group

Elasticsearch Field Name

group

Rule Builder Column Name

Group

Regex Pattern

<group>

NetMon Name

Not applicable

Field Relationships

  • Login

  • Account

  • Domain

  • Session

  • SessionType

  • Policy

Common Applications

  • AD group

  • Linux user group

  • Security role

Use Case

  • Capturing active directory organizational unit.

  • Capturing certificate organizational units.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Not Zone (internet, network, security).

  • Only to capture explicitly called out (user) group, organizational units, and roles.

Examples

  • Cylance

08 16 2016 22:42:18 1.1.1.1 <USER:NOTE> 250 <44>1 2016-08-17T04:42:20.0816805Z sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: Corporate; Devices: USABLDRRECFLOW01, , User: Dave Foss (pete.store@recordflow.biz) pete.store@recordflow.biz)

Corporate Zone is parsed here.

  • AWS

TS=2015-07-03T07:15:21Z ACCT=22222222222 RSRC=sg-22222222222 ARN= USABLDRRECFLOW01:security-group/sg- USABLDRRECFLOW01CREATETS= STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::SecurityGroup DETALS=ownerid=9052222962 groupname=launch-wizard-1 groupid=gg22222 description=launch-wizard-1 created 2015-07-03T00:07:57.767-07:00 vpcid=vpc-22222226

Groupname= parses into Group. Is explicit as a group.

  • Salesforce

EVT_TYP=RestApi TS=2015-07-13T22:37:51Z REQ_ID=3z1tWodgfdgdH5TjAgF- ORG_ID=00D00000000001 U_N=pete.store@recordflow.biz.isvdev01 RUN_T=77 CPU_T=19 CLNT_IP=1.1.1.1 URI=/services/data/v33.0/query

Organization ID parsed (specific to LogRhythm in this example).