

The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain). 

Data Type:
Client Console Full Name:
Client Console Short Name: Not applicable
Web Console Tab/Name:
Elasticsearch Field Name:
Rule Builder Column Name:
Regex Pattern:
NetMon Name: Not applicable

Field Relationships

  • Login
  • Account
  • Domain
  • Session
  • SessionType
  • Policy

Common Applications

  • AD group
  • Linux user group
  • Security role

Use Case

  • Capturing Active Directory organizational units.
  • Capturing certificate organizational units.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Not a zone (internet, network, security).
  • Only to capture explicitly called out (user) groups, organizational units, and roles.


  • Cylance

08 16 2016 22:42:18 <USER:NOTE> 250 <44>1 2016-08-17T04:42:20.0816805Z sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: Corporate; Devices: USABLDRRECFLOW01, , User: Dave Foss (

The zone name, Corporate, is parsed into Group here.

  • AWS

TS=2015-07-03T07:15:21Z ACCT=22222222222 RSRC=sg-22222222222 ARN= USABLDRRECFLOW01:security-group/sg- USABLDRRECFLOW01CREATETS= STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::SecurityGroup DETALS=ownerid=9052222962 groupname=launch-wizard-1 groupid=gg22222 description=launch-wizard-1 created 2015-07-03T00:07:57.767-07:00 vpcid=vpc-22222226

groupname= parses into Group, because it is explicitly called out as a group.

  • Salesforce

EVT_TYP=RestApi TS=2015-07-13T22:37:51Z REQ_ID=3z1tWodgfdgdH5TjAgF- ORG_ID=00D00000000001 RUN_T=77 CPU_T=19 CLNT_IP= URI=/services/data/v33.0/query

The organization ID (ORG_ID) is parsed into Group (specific to LogRhythm in this example).
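The three mappings above, as an added illustrative Python parser. This is not LogRhythm's own MPE rule set; the sample log lines, the source-detection markers and the pattern names are constructed assumptions modelled on the formats shown on this page. It also includes a constructed AWS line carrying only an availability zone, to show that a zone token is left out of Group per the usage standards.

```python
import re

# Constructed sample log lines modelled on the three formats above.
# All account, device and organization values are placeholders.
SAMPLES = {
    "cylance": (
        "08 16 2016 22:42:18 <USER:NOTE> 250 <44>1 2016-08-17T04:42:20.0816805Z "
        "sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: ZoneAddDevice, "
        "Message: Zone: Corporate; Devices: HOST01, , User: Example User (user@example.test)"
    ),
    "aws": (
        "TS=2015-07-03T07:15:21Z ACCT=111111111111 RSRC=sg-0123456789abcdef0 "
        "STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::SecurityGroup "
        "DETALS=ownerid=111111111111 groupname=launch-wizard-1 groupid=sg-0123456789abcdef0 "
        "description=launch-wizard-1 created 2015-07-03T00:07:57.767-07:00 vpcid=vpc-0123abcd"
    ),
    "salesforce": (
        "EVT_TYP=RestApi TS=2015-07-13T22:37:51Z REQ_ID=4xAmPl3ReqId- ORG_ID=00D000000000001 "
        "RUN_T=77 CPU_T=19 CLNT_IP=203.0.113.10 URI=/services/data/v33.0/query"
    ),
    # Constructed negative case: an availability zone is not a group,
    # so nothing here should be captured into Group.
    "aws_zone_only": (
        "TS=2015-07-03T07:15:21Z ACCT=111111111111 RSRC=subnet-0123abcd "
        "STS=ResourceDiscovered REG=us-west-2 RSRCTYP=AWS::EC2::Subnet "
        "DETALS=zone=us-west-2a vpcid=vpc-0123abcd"
    ),
}

# One pattern per source, each capturing only the token that this page says
# feeds the Group field. The named capture "group" keeps callers uniform.
GROUP_PATTERNS = {
    "cylance": re.compile(r"Message: Zone: (?P<group>[^;]+);"),
    "aws": re.compile(r"\bgroupname=(?P<group>\S+)"),
    "salesforce": re.compile(r"\bORG_ID=(?P<group>\S+)"),
}


def detect_source(line: str):
    """Assumed, illustrative source markers; returns a key of GROUP_PATTERNS or None."""
    if "CylancePROTECT" in line:
        return "cylance"
    if "RSRCTYP=AWS::" in line:
        return "aws"
    if line.startswith("EVT_TYP=") and "ORG_ID=" in line:
        return "salesforce"
    return None


def parse_group(source: str, line: str):
    """Return the value that maps to Group for a known source, or None."""
    pattern = GROUP_PATTERNS.get(source)
    if pattern is None:
        return None
    match = pattern.search(line)
    return match.group("group").strip() if match else None


def extract_group(line: str):
    """Detect the source and return (source, group); group is None when not explicit."""
    source = detect_source(line)
    if source is None:
        return (None, None)
    return (source, parse_group(source, line))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:14} -> {extract_group(line)}")
```

Each pattern anchors on the literal key the page names (Zone: in the Cylance message, groupname= in AWS, ORG_ID= in Salesforce), so a line that lacks that key yields None rather than falling back to a zone or region token.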
