Introduction
This guide provides details on each of the Authentic8 log types: URL, DOWNLOAD, UPLOAD, SESSION, AUTH (summary details), ADMIN_AUDIT, ENC, POST DATA, COOKIES, LOCATION CHANGE, BLOCKED URL, TRANSLATION, A8SS, ISOLATION BYPASS, SMS, PRINT, & EXPLOIT.
Refer to the Log Extraction section of the Authentic8 API Reference Guide for information on how to retrieve these logs.
Log Type: URL
URL logs contain user website navigation details.
Notes:
- To enable the "micro_category" and "macro_category" fields, ensure that the "URL Category Filtering" policy is activated within the Admin Console. There's no need to specifically designate any categories for "Allow" or "Block" settings.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
headers | Components of the header section of request and response messages | Host: login.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Authentic8/1.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://login.example.com/config/login_verify2?&.src=ym\r\nDNT: 1\r\nConnection: keep-alive\r\n" |
method | HTTP request method | GET, POST |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
response_code | The HTTP response code from the website | usually 200 |
response_headers | Components of the header section of request and response messages | Date: Tue, 23 Sep 2014 14:13:37 GMT\r\nP3P: policyref=\"http://info.example.com/w3c/p3p.xml\", CP=\"CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV\"\r\nX-Frame-Options: DENY\r\nCache-Control: private\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 32723\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://b.login.example.com/beacon/csp\r\nAge: 0\r\nConnection: close\r\nStrict-Transport-Security: max-age=15552000\r\nServer: ATS\r\n" |
response_size | If known, the size of the response in bytes. Otherwise, null. | 3655 |
scheme | The protocol specifier in a URL | usually "http" or "https" |
seq_id | Sequence number of log entry | 12627567 |
session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
primary_session_id | Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession | "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6" Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1" |
type | "URL" log entries record the information about the pages the user visits | URL |
url | Web site address | https://login.example.com/ |
user_id | The opaque string identifier of the Authentic8 user | c8cd4252f8b15bdbc9c3e7c53d73f562 |
username | The login name of the user who initiated the session | siloadminuser |
query | The query of the URL | "p=v" in "https://example.com:81/path?p=v" |
micro_category | Specific filtering category reason | Social Networking |
macro_category | General filtering category name | Productivity Drains |
Log Type: DOWNLOAD
Download logs record users' file download activity and details of each downloaded file.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
bytes | Downloaded file size in bytes | 92108 |
target | Destination path of downloaded file | /tmp/download-0/Extract_Log_Samples.txt |
contentType | Data type of the downloaded file | text/plain |
hash | SHA-256 hash of the file in hex | d262d17ab180800703ad2a65a29643c72c7ebfeb1a6431d34e19561c0e50cc41 |
url | Source of the downloaded file | https://mail-attachment.googleusercontent.com/attachment/u/0/?ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk |
username | The login name of the user who initiated the session | siloadminuser |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411408790.093198 |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
seq_id | Sequence number of log entry | 12625480 |
session_id | An opaque string that identifies the user's Authentic8 session | 9d1d78fe0c999429fcce590358ec5ca5 |
type | "DOWNLOAD" log entries record the information about the file downloaded | DOWNLOAD |
scheme | The protocol specifier of the source site | https |
domain | The domain of the source web site | mail-attachment.googleusercontent.com |
port | Port of the source web site | 443 |
path | Source path of the web site | /attachment/u/0/ |
query | Source query of the downloaded file | ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk |
Log Type: UPLOAD
Upload logs record users' file upload activity and details of each uploaded file.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
bytes | Uploaded file size in bytes | 4403457 |
target | Path of the temporary transfer destination on Authentic8 server | /tmp/upload-0/37a9be56c22de501a6fee0d6bd70cf26-Logs.txt |
contentType | Data type of the uploaded file | image/png |
hash | SHA-256 hash of the file in hex | c7ebfeb1a6431d34e19561c0e50cc41d262d17ab180800703ad2a65a29643c72 |
url | Destination of the uploaded file | https://mail.google.com/mail/u/0/?ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0 |
username | The login name of the user who initiated the session | siloadminuser |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411408790.093198 |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
seq_id | Sequence number of log entry | 12625195 |
session_id | An opaque string that identifies the user's Authentic8 session | f9567c931b7dc6a4e5299e8c862011fe |
type | "UPLOAD" log entries record the information about the file uploaded | UPLOAD |
scheme | The protocol specifier of the destination site | https |
domain | The domain of the web site file uploaded to | mail.google.com |
port | Port of the source web site | 443 |
path | Source path of the web site | /attachment/u/0/ |
query | Source query of the uploaded file | ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0 |
Log Type: SESSION
Session logs contain detailed information about user sessions for all product types (Silo and Toolbox).
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
client_machine_name | Name of user’s logon device retrieved from machine factors (if a user has obscured machine factors, the obscured name will be shown) | MacBook Pro |
client_timezone | The timezone of either the Host session or the Toolbox session | America/New_York |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411568275.720287 |
egress_ip | IP address of the egress | 179.48.248.22 |
egress_location | Region identifier for egress | Costa Rica (cr) |
execution_location | Region identifier for the Toolbox as an App session | Singapore (sg) |
execution_server_ip | IP address of the server hosting the session | 119.81.23.187 |
execution_server_name | Hostname of the server hosting the Toolbox as an App session | app-sng-54.authentic8.com |
exit_reason | The reason for closing the session | User Exit |
languages | The language that is set under Browser Fingerprint | en |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
seq_id | Sequence number of log entry | 12630308 |
session_end_time | UNIX Epoch time of session end | 1411568275 |
session_id | An opaque string that identifies the user's Authentic8 session | bd1dfccc8b4c98c79085d78b0aab96e6 |
session_start_time | UNIX Epoch time of session start | 1411567938 |
session_type | Type of sessions logged | Silo; Toolbox |
type | “SESSION” log entries record the information about the session | SESSION |
toolbox_name | Name of the Toolbox | Miami Toolbox |
user_agent_label | The selected User Agent | Chrome (Windows) |
user_agent_value | The complete Browser Fingerprint information | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 |
user_id | The opaque string identifier of the Authentic8 user | dbc9c3e7c5c8cd4252f8b15b3d73f562 |
user_type | Indicator of standard user or administrator | admin |
username | The login name of the user who initiated the session | siloadminuser |
primary_session_id | Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession | "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6" Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1" |
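The primary_session_id and session_id fields described above let an analyst fold subsession activity back into one timeline per primary session. The following is an added example, not Authentic8 code: it assumes entries arrive as one JSON object per line, all sample values are constructed, and the helper names (primary_session, build_timelines) are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample entries, one JSON object per line. Field names are the ones
# documented in the tables above; every value here is made up for illustration.
SAMPLE_LOG = """\
{"type": "URL", "seq_id": 1003, "create_ts": 1411567950.25, "session_id": "aaaa1111:1", "primary_session_id": "aaaa1111", "username": "analyst1", "url": "https://files.example.com/report"}
{"type": "URL", "seq_id": 1001, "create_ts": 1411567940.5, "session_id": "aaaa1111", "primary_session_id": null, "username": "analyst1", "url": "https://login.example.com/"}
{"type": "DOWNLOAD", "seq_id": 1004, "create_ts": 1411567960.0, "session_id": "aaaa1111:1", "username": "analyst1", "url": "https://files.example.com/report.txt", "hash": "<sha256-placeholder>", "bytes": 92108}
{"type": "URL", "seq_id": 1002, "create_ts": 1411567945.0, "session_id": "bbbb2222", "primary_session_id": null, "username": "analyst2", "url": "https://example.com:81/path?p=v"}
{"type": "SESSION", "seq_id": 1005, "create_ts": 1411568275.72, "session_id": "aaaa1111", "primary_session_id": null, "username": "analyst1", "session_start_time": 1411567938, "session_end_time": 1411568275, "exit_reason": "User Exit", "egress_location": "Costa Rica (cr)"}
"""


def primary_session(entry):
    """Return the id of the primary session an entry belongs to."""
    primary = entry.get("primary_session_id")
    if primary:  # non-null: the entry was written in a subsession
        return primary
    # Assumption: log types whose table lists no primary_session_id (DOWNLOAD here)
    # still use the "<primary>:<n>" subsession form shown in the sample values.
    return entry["session_id"].split(":", 1)[0]


def utc(ts):
    """Format a UNIX epoch value (float or int) as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def describe(entry):
    """One-line summary of an entry, using only documented fields."""
    kind = entry["type"]
    if kind == "SESSION":
        seconds = entry["session_end_time"] - entry["session_start_time"]
        return (f"session ended ({entry['exit_reason']}) after {seconds}s "
                f"via {entry['egress_location']}")
    if kind == "DOWNLOAD":
        return f"downloaded {entry['bytes']} bytes from {entry['url']} sha256={entry['hash']}"
    return entry.get("url", "")


def build_timelines(text):
    """Group entries by primary session and order each group chronologically."""
    grouped = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            grouped[primary_session(entry)].append(entry)
    timelines = {}
    for primary, entries in grouped.items():
        # create_ts orders events; seq_id breaks ties between equal timestamps.
        entries.sort(key=lambda e: (e["create_ts"], e["seq_id"]))
        timelines[primary] = [
            (utc(e["create_ts"]), e["session_id"], e["type"], describe(e))
            for e in entries
        ]
    return timelines


if __name__ == "__main__":
    for primary, events in build_timelines(SAMPLE_LOG).items():
        print(primary)
        for when, session_id, kind, detail in events:
            print(f"  {when}  {session_id:<12} {kind:<9} {detail}")
```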
Log Type: AUTH
Authentication logs contain entries for users’ authentication attempts, such as PIN Authentication, OOB (out of band), and Reset (user login with temporary password).
Field Name | Definition | Sample Result |
action | Type of authentication actions | PIN Auth; PIC Auth (grandfathered authentication method for users created prior to early 2013); SAML Auth |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411567747.400867 |
org_id | The opaque string identifier of the Authentic8 org the user is in | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
reason | Any available detail reason for authentication action results | Incorrect credentials; "Signature data missing" |
result | Result of authentication actions | success; failure |
seq_id | Sequence number of log entry | 23686753 |
session_id | An opaque string that identifies the user's Authentic8 session | ec3d9b11ff7eb00d6f55f773ba057583 |
type | “AUTH” log entries for various authentication attempts, results, reasons | AUTH |
user_id | The opaque string identifier of the Authentic8 user | a62f8860f76650380e09d366557e3751 |
username | The login name of the user who initiated the session | siloadminuser |
Summary details of authentication actions and results:
Action | Result | Reason |
PIN Auth | success | |
PIN Auth | failure | Incorrect credentials |
PIN Auth | failure | Booted after three failed attempts |
PIN Auth | failure | Locked out after three login failures over two consecutive sessions |
SAML Auth | success | |
SAML Auth | failure | Signature expired |
SAML Auth | failure | Signature invalid |
SAML Auth | failure | Signature data missing |
OOB (out of band) | success | |
OOB (out of band) | failure | Incorrect OOB code |
OOB (out of band) | failure | Phone modification disabled after three failed attempts |
OOB (out of band) | failure | Unable to send code, incorrect phone number: 9999999999 |
Reset (user login using temporary password) | success | |
Reset (user login using temporary password) | failure | Invalid reset code |
Reset (user login using temporary password) | failure | Booting user after three failed attempts |
Reset (user login using temporary password) | failure | Locked out after three reset code failures over two consecutive sessions |
New User Create PIN | success | Created new pin code |
User changed PIN | success | Changed pin code |
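The result and reason strings in the summary table are enough to triage AUTH entries per user. The following is an added example, not Authentic8 code: it assumes one JSON object per line, the sample entries are constructed, and the category names, severity ranking and min_failures threshold are illustrative choices.

```python
import json
from collections import Counter, defaultdict

# Constructed AUTH entries, one JSON object per line (all values are made up).
SAMPLE_AUTH = """\
{"type": "AUTH", "seq_id": 1, "create_ts": 1411567700.0, "username": "alice", "client_ip": "198.51.100.7", "action": "PIN Auth", "result": "failure", "reason": "Incorrect credentials"}
{"type": "AUTH", "seq_id": 2, "create_ts": 1411567710.0, "username": "alice", "client_ip": "198.51.100.7", "action": "PIN Auth", "result": "failure", "reason": "Incorrect credentials"}
{"type": "AUTH", "seq_id": 3, "create_ts": 1411567720.0, "username": "alice", "client_ip": "198.51.100.7", "action": "PIN Auth", "result": "failure", "reason": "Booted after three failed attempts"}
{"type": "AUTH", "seq_id": 4, "create_ts": 1411567730.0, "username": "bob", "client_ip": "192.0.2.10", "action": "PIN Auth", "result": "failure", "reason": "Incorrect credentials"}
{"type": "AUTH", "seq_id": 5, "create_ts": 1411567740.0, "username": "bob", "client_ip": "192.0.2.10", "action": "PIN Auth", "result": "success", "reason": null}
{"type": "AUTH", "seq_id": 6, "create_ts": 1411567900.0, "username": "alice", "client_ip": "203.0.113.9", "action": "PIN Auth", "result": "failure", "reason": "Locked out after three login failures over two consecutive sessions"}
{"type": "AUTH", "seq_id": 7, "create_ts": 1411567910.0, "username": "carol", "client_ip": "192.0.2.44", "action": "SAML Auth", "result": "failure", "reason": "Signature invalid"}
"""

# Illustrative ranking: higher numbers are reviewed first.
SEVERITY = {"ok": 0, "failure": 1, "saml_signature": 2, "booted": 3, "locked_out": 4}


def classify(entry):
    """Map one AUTH entry to a category using the documented result/reason strings."""
    if entry["result"] == "success":
        return "ok"
    reason = entry.get("reason") or ""
    if reason.startswith("Locked out"):
        return "locked_out"
    if reason.startswith(("Booted", "Booting")):
        return "booted"
    if reason.startswith("Signature"):  # expired / invalid / data missing
        return "saml_signature"
    return "failure"


def summarize(text):
    """Per-username counts by category, source IPs of failures, and worst category."""
    users = defaultdict(lambda: {"counts": Counter(), "ips": set(), "worst": "ok"})
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    for entry in sorted(entries, key=lambda e: (e["create_ts"], e["seq_id"])):
        if entry.get("type") != "AUTH":
            continue
        category = classify(entry)
        user = users[entry["username"]]
        user["counts"][category] += 1
        if category != "ok":
            user["ips"].add(entry["client_ip"])  # client_ip may be a shared NAT address
        if SEVERITY[category] > SEVERITY[user["worst"]]:
            user["worst"] = category
    return dict(users)


def alerts(summary, min_failures=3):
    """Users worth a look: signature failures, boots, lockouts, or repeated failures."""
    flagged = []
    for name in sorted(summary):
        user = summary[name]
        failed = sum(n for category, n in user["counts"].items() if category != "ok")
        if SEVERITY[user["worst"]] >= 2 or failed >= min_failures:
            flagged.append((name, user["worst"], failed, sorted(user["ips"])))
    return flagged


if __name__ == "__main__":
    for row in alerts(summarize(SAMPLE_AUTH)):
        print(row)
```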
Log Type: ADMIN_AUDIT
Admin Audit logs record all administrators’ change activities within Silo Admin Console.
The data logged includes:
- Who made the change (username)
- When the change was made (timestamp)
- What was changed (including before and after values)
Notes:
- Credential changes will be tracked and listed but actual data will NOT be logged.
- Admin Audit log entries usually carry one of the 4 audit_type values (“USER”, “WEB_APP”, “POLICY”, “ORG”) for the recorded changes an Admin made.
Field Name | Definition | Sample Result |
admin_fullname | Full Name of Admin who made the changes | Silo Admin |
audit_type | Type of changes made | POLICY |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411623446.621668 |
message | Any Admin executed action details | Changed org name from \"Untitled Org\" to \"test\" |
org_id | The opaque string identifier of the Authentic8 org | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
org_name | Name of the Org for Admin changes made | Admin Org |
seq_id | Sequence number of log entry | 23691402 |
source | Source of Admin changes made | Admin Console |
type | “ADMIN_AUDIT” log entries record of Admin actions | ADMIN_AUDIT |
username | The login name of the Admin who made the changes | siloadminuser |
old_values | Value before change | "email": "user@email.com" |
new_values | Value after change | "email": "user@new-email.com" |
Log Type: ENC
The Encrypted Logs policy setting and key(s) are managed within the Silo Admin Console. These will be asymmetric keys; Authentic8 holds the “public” part, while the customer retains the portion required to decrypt.
Field Name | Definition | Sample Result |
enc | Payload of encrypted logs | base64 encoded encrypted serialized JSON object |
key_name | Name of Asymmetric Key used to encrypt symmetric key | “My public key” |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411623446.621668 |
org_id | The opaque string identifier of the Authentic8 org | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
org_name | Name of the Org where users are in | Admin Org |
seq_id | Sequence number of log entry | 23691402 |
type | “ENC” encrypted logs, which can only be decrypted by the customer with the private key | ENC |
Log Type: COOKIES
Cookie data is part of a normal URL request, but the data is considered sensitive. URLs are always logged, but the sensitive data is only logged when Encrypted Logs policy is Enabled and, therefore, is only present in decrypted logs.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
data | Cookie data log entries | actual data blob |
domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
method | HTTP request method | GET, POST |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
response_code | The HTTP response code from the website | usually 200 |
scheme | The protocol specifier in a URL | usually "http" or "https" |
seq_id | Sequence number of log entry | 12627567 |
session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
type | "COOKIES" log entries record of cookie data | COOKIES |
url | Web site address | https://login.example.com/ |
username | The login name of the user who initiated the session | siloadminuser |
Log Type: POST DATA
Post data (form posts only) is sensitive so only logged when Encrypted Logs is Enabled. It may or may not map to a URL entry. The post method specifies a destination, but the response page is usually different than the target of the post. Not all form posts result in a traditional post, and Silo does not gather all xhr posts because this would result in a large amount of useless data.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
data | Post Data log entries | actual data blob |
domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
query | The query of the URL | "p=v" in "https://example.com:81/path?p=v" |
scheme | The protocol specifier in a URL | usually "http" or "https" |
seq_id | Sequence number of log entry | 12627567 |
session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
type | "POST DATA" log entries record of form post details | POST DATA |
url | Web site address | https://login.example.com/ |
username | The login name of the user who initiated the session | siloadminuser |
Log Type: LOCATION CHANGE
Location change data tracks the changes to the address in the location bar (URL bar). Sites accessed via Google search queries are tracked as well.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
user_id | The opaque string identifier of the Authentic8 user | db51b9038ddc66641381c4628bcb8ee1 |
domain | The domain name of the URL | www.google.com |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
path | The path of the URL | /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1 |
port | The port of the URL | 80 or 443 |
query | The query of the URL | gws_rd=ssl#q=cats |
scheme | The protocol specifier in a URL | usually "http" or "https" |
seq_id | Sequence number of log entry | 12988378 |
session_id | An opaque string that identifies the user's Authentic8 session | c516a4417c72673478dea4186ea6d35e |
type | "LOCATION CHANGE" log entries record of web address changes | LOCATION CHANGE |
url | Web site address | https://www.google.com/?gws_rd=ssl#q=cats |
username | The login name of the user who initiated the session | siloadminuser |
Log Type: BLOCKED URL
Blocked URL data tracks access attempts to sites/domains that were prevented by Category or Domain Filtering policies.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
user_id | The opaque string identifier of the Authentic8 user | db51b9038ddc66641381c4628bcb8ee1 |
domain | The domain name of the URL | www.google.com |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
path | The path of the URL | /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1 |
port | The port of the URL | 80 or 443 |
scheme | The protocol specifier in a URL | usually "http" or "https" |
seq_id | Sequence number of log entry | 12988378 |
session_id | An opaque string that identifies the user's Authentic8 session | c516a4417c72673478dea4186ea6d35e |
type | "BLOCKED URL" log entries record access to sites/domains prevented by Category or Domain Filtering policies | BLOCKED URL |
url | Web site address | https://www.google.com/?gws_rd=ssl#q=cats |
username | The login name of the user who initiated the session | siloadminuser |
reject_type | The policy reason access was prevented | "url block list" or "category" |
micro_category | Specific filtering category reason | Social Networking |
macro_category | General filtering category name | Productivity Drains |
Log Type: TRANSLATION
Translation logs track information about pages/content translated within Silo & Toolbox sessions.
Field Name | Definition | Sample Result |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 69.181.241.203 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1427175692.787294 |
length | Number of characters translated | 28283 |
service | Translation service/api used | "GOOGLE" |
org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
source | Source language translated from | null or “English” etc |
target | Destination language translated to | null or “Chinese (Traditional)” etc |
translation_type | Type of translation processed | "selection", "ad hoc" or "full_page" |
seq_id | Sequence number of log entry | 24744695 |
session_id | An opaque string that identifies the user's Authentic8 session | 20d33f188fe56351dd451d7819da2681 |
type | "TRANSLATION" log entries record the content translated | TRANSLATION |
url | Web site address OR empty for text selection | http://www.cnbc.com/id/102528156 |
username | The login name of the user who initiated the session | siloadminuser |
Log Type: A8SS
A8SS logs contain information about activities and files in Secure Cloud Storage.
Field Name | Definition | Sample Result |
action | File Action Performed. Values can be: "create bucket", "create directory", "create file", "delete directory", "delete file", "download to client machine", "move directory", "move file", "rename file", "update file", "upload from client machine" | "rename file" |
bucket_id | The internal bucket ID where the action was performed | “5113d1da4e4d0c523b170310341b7415” |
client_ip | IP address of the Silo client which originated the request | “98.138.253.109” |
content_type | the file type | "image/tiff" |
create_ts | timestamp of the create time of the file | 1436215447.527693 |
create_user | The internal user ID who created the file | “d0dd8b47b28057322925v428d9d07a58” |
file_id | the unique internal file ID | "3b94ae0ebcdc7e926ddddcddfd8cf18c" |
file_size | Size of the file in bytes | 1002365 |
name | the regular name of the file | "TestFile.tiff" |
new_name | Name file was renamed to | "TestFile_renamed.tiff" |
org_id | The internal org ID | "4ca51853dcfef8c08a4bbbf168af7f3e" |
seq_id | log entry sequence ID | 13382766 |
session_id | An opaque string that identifies the user's Authentic8 session | “f1b3310c0422f847446fe7661d896c6a” |
type | log Type | A8SS |
uploading_until | Indication of file save status. If a file save action is complete, this field will be 'Null'. If the file is currently being written or is in some incomplete state, you will see a time stamp. | "2015-07-06 21:00:26" or 'Null' |
user_id | The opaque string identifier of the Authentic8 user | “c8cd4252f8b15bdbc9c3e7c53d73f562” |
username | The login name of the user who initiated the session | siloadminuser |
Log Type: PRINT
PRINT logs contain information about printing activities.
Field Name | Definition | Sample Result |
client_ip | IP address of the Silo client which originated the request | “98.138.253.109” |
mime_type | the file mime type | "text/html" |
create_ts | timestamp of the create time of the file | 1436215447.527693 |
org_id | The internal org ID | "4ca51853dcfef8c08a4bbbf168af7f3e" |
seq_id | log entry sequence ID | 13382766 |
session_id | An opaque string that identifies the user's Authentic8 session | “f1b3310c0422f847446fe7661d896c6a” |
type | log Type | |
username | The login name of the user who initiated the session | siloadminuser |
url | Web site address | https://login.example.com/ |
domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
path | The operation performed | "direct print", "PDF to storage", "PDF to device" |
scheme | The protocol specifier in a URL | usually "http" or "https" |
port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
Log Type: EXPLOIT
Exploit log contains information about malicious files scanned before files are downloaded to user's device.
Field Name | Definition | Sample Result |
origin | Unused at this time. | N/A |
delivered | The file delivered to user | false |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | “98.138.253.089” |
user_id | User's unique identification (alpha-numeric) | dbc9c3e7c5c8cd4252f8b15b3d73f562 |
seq_id | Sequence number of log entry | "40f33f186fe56351dd451d7819db2681" |
filetype | The type of file | "CL_TYPE_TEXT_ASCII" |
org_id | The internal org ID | "5db51853edgff8c08a4bbbf168af7f3e" |
exploit_name | The name of the malicious file | "Eicar-Test-Signature" |
session_id | An opaque string that identifies the user's Authentic8 session | 20c33d188fd56351cc451d7819cb2681 |
filename | The name of the file to download | "eicar.com test" |
username | The login name of the user who initiated the session | "siloadminuser" |
create_ts | The floating point UNIX Epoch time the log entry was created | 1427175692.787294 |
type | Type of log | ISOLATION BYPASS |
Log Type: ISOLATION BYPASS
Isolation Bypass logs contain user website navigation details for sites where this policy has been configured to render websites outside of Silo.
Field Name | Definition | Sample Result |
type | Unused at this time. | ISOLATE_BYPASS |
user_id | The opaque string identifier of the Authentic8 user | db51b9038ddcxyz12345c4628bcb8ee1 |
create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
username | The login name of the user who initiated the session | siloadminuser |
scheme | The protocol specifier in a URL | usually "http" or "https" |
port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
headers | Components of the header section of request and response messages | Host: login.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Authentic8/1.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://login.example.com/config/login_verify2?&.src=ym\r\nDNT: 1\r\nConnection: keep-alive\r\n" |
bypass_type | Type of bypass | Isolate list OR Bypass list |
domain | The domain of the source web site | "example.com" in "https://example.com:81/path?p=v" |
session_id | An opaque string that identifies the user's Authentic8 session | An opaque string that identifies the user's Authentic8 session |
org_id | The opaque string identifier of the Authentic8 org the user is in | db51b9038ddcxyz12345c4628bcb8ee1 |
path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
seq_id | Sequence number of log entry | Sequence number of log entry |
url | Web site address | https://login.example.com/ |
Log Type: SMS
SMS logs contain information about SMS entries sent.
Field Name | Definition | Sample Result |
receive_ts | Unused at this time. | "2023-02-11 16:22:27" |
action | The file delivered to user | "Message received" |
create_ts | The floating point UNIX Epoch time the log entry was created | 1427175692.787294 |
seq_id | Sequence number of log entry | 219995045627 |
org_id | The internal org ID | "db51b9038ddcxyz12345c4628bcb8ee1" |