Reporting Schema for Elevate24
Application-Level Reporting Schema
Elevate24 logs two entries per session: one at the beginning of the session, when the user has elevated, and another at the end of the session. The main differences between the two entries are the values of Action and Trigger.
Schema
```json
{
  "User" : String,
  "ComputerSerial" : String,
  "DateTimeRequested" : String,
  "LengthOfElevation" : String,
  "Reason" : String,
  "ReasonText" : String,
  "TimeGenerated" : String,
  "Action" : String,
  "Trigger" : String,
  "SessionId" : String
}
```
Information
User = Logged-in username on the device that elevated or demoted.
ComputerSerial = The serial number of the device that elevated or demoted.
DateTimeRequested = Date and time at which the user elevated or demoted.
LengthOfElevation = The elevation time selected by the user, or the enforced time, when elevating.
Reason = The reason chosen by the user when elevating.
ReasonText = The free-text entry (if configured) supplied when elevating.
TimeGenerated = Date and time at which the user elevated or demoted. Included alongside DateTimeRequested because Microsoft Sentinel requires this field.
Action = "Elevate" or "Demote", depending on whether the entry marks the beginning or the end of the session.
Trigger = One of the following, depending on what triggered the elevation or demotion:
- "User Request" - The user clicked the elevate button or the revoke button.
- "Session Timeout" - The application reached the end of its timer.
- "App Start" - Demoted on application load.
- "Background Process" - The background process detected an admin user with no active Elevate24 session.
- "App Quit" - The Elevate24 app was quit.
SessionId = Each elevated session has an ID; this field carries the ID of that specific elevated session.
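The Elevate/Demote pairing described above, as an added example that is not Elevate24's own code: it groups entries by SessionId, reports the duration of each completed session, and flags two things a SOC would want to review: elevations with no matching demotion, and demotions triggered by the Background Process (an admin account present outside any Elevate24 session). It assumes DateTimeRequested is ISO 8601 (the schema only says String); the log entries are constructed sample data.

```python
"""Pair Elevate24 application-level entries by SessionId and flag findings.
Added example, not Elevate24 code. Assumes DateTimeRequested is ISO 8601;
the entries in SAMPLE_LOG are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime


def _entry(user, when, action, trigger, session, length="15"):
    # Build one record carrying every field of the Application-Level schema.
    return {"User": user, "ComputerSerial": "SERIAL-PLACEHOLDER",
            "DateTimeRequested": when, "LengthOfElevation": length,
            "Reason": "Install software", "ReasonText": "",
            "TimeGenerated": when, "Action": action, "Trigger": trigger,
            "SessionId": session}


SAMPLE_LOG = [  # constructed sample data
    _entry("alice", "2024-05-01T09:00:00Z", "Elevate", "User Request", "S-1"),
    _entry("alice", "2024-05-01T09:15:00Z", "Demote", "Session Timeout", "S-1"),
    _entry("bob", "2024-05-01T10:00:00Z", "Elevate", "User Request", "S-2"),
    _entry("carol", "2024-05-01T11:00:00Z", "Demote", "Background Process", "S-3"),
]


def _ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze(entries):
    """Return completed sessions with their duration, plus two findings:
    open_sessions (Elevate with no Demote) and unmanaged_admin (a Demote
    whose Trigger is "Background Process")."""
    by_session = defaultdict(dict)
    for entry in entries:
        by_session[entry["SessionId"]][entry["Action"]] = entry
    report = {"sessions": {}, "open_sessions": [], "unmanaged_admin": []}
    for sid, actions in by_session.items():
        elev, demo = actions.get("Elevate"), actions.get("Demote")
        if demo and demo["Trigger"] == "Background Process":
            report["unmanaged_admin"].append(sid)
        if elev and not demo:
            report["open_sessions"].append(sid)
        if elev and demo:
            seconds = (_ts(demo["DateTimeRequested"])
                       - _ts(elev["DateTimeRequested"])).total_seconds()
            report["sessions"][sid] = {"user": elev["User"], "duration_s": seconds,
                                       "end_trigger": demo["Trigger"]}
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```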
Security Monitoring Reporting Schema
Schema
```json
{
  "properties": {
    "id": {
      "type": "string",
      "format": "uuid"
    },
    "eventtype": {
      "type": "string"
    },
    "processpath": {
      "type": "string"
    },
    "target": {
      "type": "string",
      "default": ""
    },
    "pid": {
      "type": "integer"
    },
    "ppid": {
      "type": "integer"
    },
    "isplatform": {
      "type": "boolean"
    },
    "timestamp": {
      "type": "integer"
    },
    "username": {
      "type": "string"
    },
    "signingid": {
      "type": "string"
    },
    "teamId": {
      "type": "string"
    },
    "arguments": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "source": {
      "type": "string"
    },
    "action": {
      "type": "string"
    },
    "customReference": {
      "type": ["string", "null"]
    },
    "processTree": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/EndpointSecurityProcessTree"
      },
      "default": []
    },
    "extensionVersion": {
      "type": ["string", "null"]
    },
    "newFile": {
      "type": ["boolean", "null"]
    },
    "log": {
      "type": "boolean",
      "default": true
    },
    "sourceSigningId": {
      "type": ["string", "null"]
    },
    "TimeGenerated": {
      "type": ["string", "null"]
    },
    "serialNumber": {
      "type": ["string", "null"]
    },
    "signal": {
      "type": ["integer", "null"]
    },
    "blocked": {
      "type": ["boolean", "null"]
    },
    "path": {
      "type": ["string", "null"]
    },
    "fromMacAppStore": {
      "type": ["boolean", "null"]
    },
    "CFBundleShortVersionString": {
      "type": ["string", "null"]
    },
    "CFBundleVersion": {
      "type": ["string", "null"]
    },
    "CFBundleIdentifier": {
      "type": ["string", "null"]
    },
    "originalFromMacAppStore": {
      "type": ["boolean", "null"]
    },
    "originalCFBundleShortVersionString": {
      "type": ["string", "null"]
    },
    "originalCFBundleVersion": {
      "type": ["string", "null"]
    },
    "originalCFBundleIdentifier": {
      "type": ["string", "null"]
    }
  },
  "required": [
    "id",
    "eventtype",
    "processpath",
    "pid",
    "ppid",
    "isplatform",
    "timestamp",
    "username",
    "signingid",
    "teamId",
    "arguments",
    "source",
    "action"
  ],
  "definitions": {
    "EndpointSecurityProcessTree": {
      "type": "object",
      "properties": {
        "pid": {
          "type": "integer"
        },
        "name": {
          "type": "string"
        }
      },
      "required": [
        "pid",
        "name"
      ]
    }
  }
}
```