This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Google Cloud Security
- Security Forums
- SecOps SIEM
- Re: Creating Custom Parser
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Solved
LinkedIn
Twitter
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reply posted on
--/--/---- --:-- AM
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Hieveryone ,
I am trying to create a custom parser for Mambu logs but got stuck with an error "generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"user\": no descriptor found"
Sample Logs:
[
{
"occurred_at": "2024-11-07T05:51:11.132Z",
"response_code": 302,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{}",
"resource_fragment": "/saml/login",
"request_uri": "/saml/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "",
"username": "john.doe@sampledomain.com"
},
{
"occurred_at": "2024-11-07T05:51:03.373Z",
"response_code": 302,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{}",
"resource_fragment": "/saml/login",
"request_uri": "/saml/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "",
"username": "john.doe@sampledomain.com"
},
{
"occurred_at": "2024-11-07T05:50:39.913Z",
"response_code": 302,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"resource_fragment": "/saml/login",
"request_uri": "/saml/login",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "",
"username": "jane.doe@sampledomain.com"
},
{
"occurred_at": "2024-11-07T05:50:33.135Z",
"response_code": 401,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"resource_fragment": "/servlet/login",
"request_uri": "/servlet/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "FAIL",
"username": ""
},
{
"occurred_at": "2024-11-07T05:50:06.470Z",
"response_code": 429,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"resource_fragment": "/servlet/login",
"request_uri": "/servlet/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "CAPTCHA_REQUIRED",
"username": ""
},
{
"occurred_at": "2024-11-07T05:48:51.489Z",
"response_code": 401,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"resource_fragment": "/servlet/login",
"request_uri": "/servlet/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "FAIL",
"username": ""
},
{
"occurred_at": "2024-11-07T05:48:34.643Z",
"response_code": 429,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"resource_fragment": "/servlet/login",
"request_uri": "/servlet/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "CAPTCHA_REQUIRED",
"username": ""
},
{
"occurred_at": "2024-11-07T05:48:01.810Z",
"response_code": 302,
"resource": "login",
"event_source": "UI",
"client_ip": "10.30.40.60",
"request_method": "POST",
"request_payload": "{}",
"resource_fragment": "/saml/login",
"request_uri": "/saml/login",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"response_payload": "",
"username": "john.doe@sampledomain.com"
}
]
Parser Code:
filter {
# Wrap the message in JSON format
mutate {
replace => {
"message" => "{\"records\":%{message}}"
}
}
# Parse the JSON message
json {
source => "message"
array_function => "split_columns"
on_error => "not_json"
}
# Drop malformed messages
if [not_json] {
drop {
tag => "TAG_MALFORMED_MESSAGE"
}
}
# Process valid JSON messages
if ![not_json] {
for index, data in records {
# Set metadata fields
mutate {
replace => {
"event.idm.read_only_udm.metadata.vendor_name" => "Mambu"
"event.idm.read_only_udm.metadata.product_name" => "Mambu"
"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
}
}
# Map event source
mutate {
replace => {
"event.idm.read_only_udm.metadata.event_source" => "%{data.event_source}"
}
on_error => "invalid_event_source"
}
# Set principal IP address
mutate {
replace => {
"event.idm.read_only_udm.principal.ip" => "%{data.client_ip}"
}
on_error => "invalid_principal_ip"
}
# Map HTTP method and user agent
mutate {
replace => {
"event.idm.read_only_udm.network.http.method" => "%{data.request_method}"
"event.idm.read_only_udm.network.http.user_agent" => "%{data.user_agent}"
"event.idm.read_only_udm.network.http.request_payload" => "%{data.request_payload}"
}
on_error => "invalid_http_fields"
}
# Convert response code to string and handle errors
mutate {
convert => {
"data.response_code" => "string"
}
on_error => "invalid_response_code_conversion"
}
if ![invalid_response_code_conversion] {
mutate {
replace => {
"event.idm.read_only_udm.network.http.response_code" => "%{data.response_code}"
}
on_error => "invalid_response_code"
}
}
# Map target URL and resource
mutate {
replace => {
"event.idm.read_only_udm.target.url" => "%{data.request_uri}"
"event.idm.read_only_udm.target.resource" => "%{data.resource}"
}
on_error => "invalid_target_fields"
}
# Handle resource fragment label
mutate {
replace => {
"resource_fragment_label.key" => "resource_fragment"
"resource_fragment_label.value" => "%{data.resource_fragment}"
}
on_error => "invalid_resource_fragment_value"
}
if ![invalid_resource_fragment_value] {
mutate {
merge => {
"event.idm.read_only_udm.principal.resource.attribute.labels" => "resource_fragment_label"
}
on_error => "resource_fragment_label_merge_failed"
}
}
# Map user ID
mutate {
replace => {
"event.idm.read_only_udm.user.user_id" => "%{data.username}"
}
on_error => "invalid_user_id"
}
# Output the event
statedump {}
mutate {
merge => {
"@output" => "event"
}
on_error => "output_merge_failed"
}
}
}
}
2 REPLIES 2
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reply posted on
--/--/---- --:-- AM
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You might try replacing line 107:
"event.idm.read_only_udm.user.user_id" => "%{data.username}"With:
"event.idm.read_only_udm.principal.user.userid" => "%{username}"Relevant docs: https://cloud.google.com/chronicle/docs/event-processing/parsing-overview
Hope this helps.
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reply posted on
--/--/---- --:-- AM
Post Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ben, thanks for the quick support. However, the solution does not work because using username prevents mapping any value, even within the state.
In the state dump, I can see the data using the parser I shared.
Internal State (label=):
{
"@createTimestamp": {
"nanos": 0,
"seconds": 1731477370
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [],
"@timezone": "",
"data": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "john.doe@sampledomain.com"
}
}
}
},
"index": 0,
"invalid_event_source": false,
"invalid_http_fields": false,
"invalid_principal_ip": false,
"invalid_resource_fragment_value": false,
"invalid_response_code": false,
"invalid_response_code_conversion": false,
"invalid_target_fields": false,
"invalid_user_id": false,
"iter": {
"records-25": 0
},
"message": "{\"records\":[\n {\n \"occurred_at\": \"2024-11-07T05:51:11.132Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:51:03.373Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:39.913Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"RelayState\\\":[\\\"https://service.sample.com/saml/login\\\"]}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"jane.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:33.135Z\",\n \"response_code\": 401,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"FAIL\",\n \"username\": \"\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:06.470Z\",\n \"response_code\": 429,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"CAPTCHA_REQUIRED\",\n \"username\": \"\"\n }\n ]}",
"not_json": false,
"records": {
"0": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"1": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": 302,
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"2": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": 302,
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"3": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 401,
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"4": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 429,
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
}
},
"resource_fragment_label": {
"key": "resource_fragment",
"value": "/saml/login"
},
"resource_fragment_label_merge_failed": false
}
Internal State (label=):
{
"@createTimestamp": {
"nanos": 0,
"seconds": 1731477370
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "john.doe@sampledomain.com"
}
}
}
}
],
"@timezone": "",
"data": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "john.doe@sampledomain.com"
}
}
}
},
"index": 1,
"invalid_event_source": false,
"invalid_http_fields": false,
"invalid_principal_ip": false,
"invalid_resource_fragment_value": false,
"invalid_response_code": false,
"invalid_response_code_conversion": false,
"invalid_target_fields": false,
"invalid_user_id": false,
"iter": {
"records-25": 1
},
"message": "{\"records\":[\n {\n \"occurred_at\": \"2024-11-07T05:51:11.132Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:51:03.373Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:39.913Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"RelayState\\\":[\\\"https://service.sample.com/saml/login\\\"]}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"jane.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:33.135Z\",\n \"response_code\": 401,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"FAIL\",\n \"username\": \"\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:06.470Z\",\n \"response_code\": 429,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"CAPTCHA_REQUIRED\",\n \"username\": \"\"\n }\n ]}",
"not_json": false,
"output_merge_failed": false,
"records": {
"0": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"1": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"2": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": 302,
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"3": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 401,
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"4": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 429,
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
}
},
"resource_fragment_label": {
"key": "resource_fragment",
"value": "/saml/login"
},
"resource_fragment_label_merge_failed": false
}
Internal State (label=):
{
"@createTimestamp": {
"nanos": 0,
"seconds": 1731477370
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "jane.doe@sampledomain.com"
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "jane.doe@sampledomain.com"
}
}
}
}
],
"@timezone": "",
"data": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"response_code": "302",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
},
{
"key": "resource_fragment",
"value": "/saml/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/saml/login"
},
"user": {
"user_id": "jane.doe@sampledomain.com"
}
}
}
},
"index": 2,
"invalid_event_source": false,
"invalid_http_fields": false,
"invalid_principal_ip": false,
"invalid_resource_fragment_value": false,
"invalid_response_code": false,
"invalid_response_code_conversion": false,
"invalid_target_fields": false,
"invalid_user_id": false,
"iter": {
"records-25": 2
},
"message": "{\"records\":[\n {\n \"occurred_at\": \"2024-11-07T05:51:11.132Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:51:03.373Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:39.913Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"RelayState\\\":[\\\"https://service.sample.com/saml/login\\\"]}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"jane.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:33.135Z\",\n \"response_code\": 401,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"FAIL\",\n \"username\": \"\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:06.470Z\",\n \"response_code\": 429,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"CAPTCHA_REQUIRED\",\n \"username\": \"\"\n }\n ]}",
"not_json": false,
"output_merge_failed": false,
"records": {
"0": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"1": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"2": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"3": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 401,
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"4": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 429,
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
}
},
"resource_fragment_label": {
"key": "resource_fragment",
"value": "/saml/login"
},
"resource_fragment_label_merge_failed": false
}
Internal State (label=):
{
"@createTimestamp": {
"nanos": 0,
"seconds": 1731477370
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "401",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "401",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "401",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
}
],
"@timezone": "",
"data": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": "401",
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "401",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
"index": 3,
"invalid_event_source": false,
"invalid_http_fields": false,
"invalid_principal_ip": false,
"invalid_resource_fragment_value": false,
"invalid_response_code": false,
"invalid_response_code_conversion": false,
"invalid_target_fields": false,
"invalid_user_id": false,
"iter": {
"records-25": 3
},
"message": "{\"records\":[\n {\n \"occurred_at\": \"2024-11-07T05:51:11.132Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:51:03.373Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:39.913Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"RelayState\\\":[\\\"https://service.sample.com/saml/login\\\"]}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"jane.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:33.135Z\",\n \"response_code\": 401,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"FAIL\",\n \"username\": \"\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:06.470Z\",\n \"response_code\": 429,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"CAPTCHA_REQUIRED\",\n \"username\": \"\"\n }\n ]}",
"not_json": false,
"output_merge_failed": false,
"records": {
"0": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"1": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"2": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"3": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": "401",
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"4": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": 429,
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
}
},
"resource_fragment_label": {
"key": "resource_fragment",
"value": "/servlet/login"
},
"resource_fragment_label_merge_failed": false
}
Internal State (label=):
{
"@createTimestamp": {
"nanos": 0,
"seconds": 1731477370
},
"@enableCbnForLoop": true,
"@onErrorCount": 0,
"@output": [
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "429",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "429",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "429",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
{
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "429",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
}
],
"@timezone": "",
"data": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": "429",
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"event": {
"idm": {
"read_only_udm": {
"metadata": {
"event_source": "UI",
"event_type": "GENERIC_EVENT",
"product_name": "Mambu",
"vendor_name": "Mambu"
},
"network": {
"http": {
"method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"response_code": "429",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
}
},
"principal": {
"ip": "10.30.40.60",
"resource": {
"attribute": {
"labels": [
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
},
{
"key": "resource_fragment",
"value": "/servlet/login"
}
]
}
}
},
"target": {
"resource": "login",
"url": "/servlet/login"
},
"user": {
"user_id": ""
}
}
}
},
"index": 4,
"invalid_event_source": false,
"invalid_http_fields": false,
"invalid_principal_ip": false,
"invalid_resource_fragment_value": false,
"invalid_response_code": false,
"invalid_response_code_conversion": false,
"invalid_target_fields": false,
"invalid_user_id": false,
"iter": {
"records-25": 4
},
"message": "{\"records\":[\n {\n \"occurred_at\": \"2024-11-07T05:51:11.132Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:51:03.373Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"john.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:39.913Z\",\n \"response_code\": 302,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"RelayState\\\":[\\\"https://service.sample.com/saml/login\\\"]}\",\n \"resource_fragment\": \"/saml/login\",\n \"request_uri\": \"/saml/login\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"\",\n \"username\": \"jane.doe@sampledomain.com\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:33.135Z\",\n \"response_code\": 401,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"FAIL\",\n \"username\": \"\"\n },\n {\n \"occurred_at\": \"2024-11-07T05:50:06.470Z\",\n \"response_code\": 429,\n \"resource\": \"login\",\n \"event_source\": \"UI\",\n \"client_ip\": \"10.30.40.60\",\n \"request_method\": \"POST\",\n \"request_payload\": \"{\\\"username\\\":[\\\"john.doe\\\"],\\\"loginType\\\":[\\\"onlineLogin\\\"]}\",\n \"resource_fragment\": \"/servlet/login\",\n \"request_uri\": \"/servlet/login\",\n \"user_agent\": \"Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\",\n \"response_payload\": \"CAPTCHA_REQUIRED\",\n \"username\": \"\"\n }\n ]}",
"not_json": false,
"output_merge_failed": false,
"records": {
"0": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:11.132Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"1": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:51:03.373Z",
"request_method": "POST",
"request_payload": "{}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "john.doe@sampledomain.com"
},
"2": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:39.913Z",
"request_method": "POST",
"request_payload": "{\"RelayState\":[\"https://service.sample.com/saml/login\"]}",
"request_uri": "/saml/login",
"resource": "login",
"resource_fragment": "/saml/login",
"response_code": "302",
"response_payload": "",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": "jane.doe@sampledomain.com"
},
"3": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:33.135Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": "401",
"response_payload": "FAIL",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
},
"4": {
"client_ip": "10.30.40.60",
"event_source": "UI",
"occurred_at": "2024-11-07T05:50:06.470Z",
"request_method": "POST",
"request_payload": "{\"username\":[\"john.doe\"],\"loginType\":[\"onlineLogin\"]}",
"request_uri": "/servlet/login",
"resource": "login",
"resource_fragment": "/servlet/login",
"response_code": "429",
"response_payload": "CAPTCHA_REQUIRED",
"user_agent": "Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36",
"username": ""
}
},
"resource_fragment_label": {
"key": "resource_fragment",
"value": "/servlet/login"
},
"resource_fragment_label_merge_failed": false
}
Top Labels in this Space
-
Admin
64 -
AI
8 -
API
73 -
Applied Analytics
3 -
BigQuery
11 -
Browser Management
3 -
Chrome Enterprise
4 -
Chronicle
291 -
Compliance
9 -
Curated Detections
31 -
Custom List
1 -
Dashboard
82 -
Data Management
60 -
Ingestion
204 -
Investigation
52 -
Logs
2 -
MCP
3 -
Parsers
172 -
Rules Engine
160 -
Search
79 -
SecOps
302 -
Security Command Center
1 -
SIEM
534 -
Siemplify
1 -
Slack
1 -
SOAR
56 -
Spotlight series
1 -
Threat Intelligence
40 -
Troubleshooting
69
- « Previous
- Next »
