OCSF Schema Audit Messages
On this page
In the OCSF schema, recorded log messages have this syntax:
{ "activity_id" : <int>, "category_uid" : <int>, "class_uid" : <int>, "time" : <int>, "severity_id" : <int>, "type_uid" : <int>, "metadata" : <document> "actor" : { "user" : { "type_id" : <int>, "name" : <string>, "groups" : <array of documents> } } }
Field | Type | Description |
|---|---|---|
activity_id | Integer | Activity type. See OCSF Type Mapping. |
category_uid | Integer | Audit event category. See OCSF Category Mapping. |
class_uid | Integer | Audit event class. See OCSF Class Mapping. |
time | Integer | Number of milliseconds after the Unix epoch that the event
occurred. |
severity_id | Integer | Severity of the audited event. |
type_uid | Integer | Combination of the audited event's class, activity, and category.
See OCSF Type Mapping. |
metadata | Document | Metadata about the event such as product and schema version. |
actor | Document | Information about the user who performed the action. |
Note
Log messages may contain additional fields depending on the event that was logged.
OCSF Category Mapping
This table describes the category_uid values:
category_uid | Category |
|---|---|
1 | System Activity |
2 | Findings |
3 | IAM |
4 | Network Activity |
5 | Discovery |
6 | Application Activity |
OCSF Class Mapping
For a complete list of OCSF class_uids and how they map to
different classes, see the OCSF Documentation.
OCSF Type Mapping
The type_uid field represents a combination of the audited event's
class, activity, and category. The resulting UUID indicates the type of
activity that occurred.
Specifically, type_uid is ( class_uid * 100 ) + (activity_id),
with category_id being the thousands place in a class_id.
This table describes how audited actions map to type_uid:
Action Type | type_uid | Category | Class | Activity |
|---|---|---|---|---|
addShard | 500101 | Configuration | Device Config State | Log |
applicationMessage | 100799 | System | Process Activity | Other |
auditConfigure | 500201 or 500203 | Discovery | Device Config State |
|
authzCheck | 600301 - 600304 | Application | API Activity |
|
authenticate | 300201 | IAM | Authentication | Logon |
clientMetadata | 400101 | Network | Network Activity | Open |
createCollection | 300401 | IAM | Entity Management | Create |
createDatabase | 300401 | IAM | Entity Management | Create |
createIndex | 300401 | IAM | Entity Management | Create |
createRole | 300101 | IAM | Account Change | Create |
createUser | 300101 | IAM | Account Change | Create |
directAuthMutation | 300100 | IAM | Account Change | Unknown |
dropAllRolesFromDatabase | 300106 | IAM | Account Change | Delete |
dropAllUsersFromDatabase | 300106 | IAM | Account Change | Delete |
dropCollection | 300404 | IAM | Entity Management | Delete |
dropDatabase | 300404 | IAM | Entity Management | Delete |
dropIndex | 300404 | IAM | Entity Management | Delete |
dropPrivilegesToRole | 300107 | IAM | Account Change | Attach Policy |
dropRole | 300106 | IAM | Account Change | Delete |
dropUser | 300106 | IAM | Account Change | Delete |
enableSharding | 500201 | Configuration | Device Config State | Log |
getClusterParameter | 600302 | Application | API Activity | Read |
grantRolesToRole | 300107 | IAM | Account Change | Attach Policy |
grantRolesToUser | 300107 | IAM | Account Change | Attach Policy |
importCollection | 300401 | IAM | Entity Management | Create |
logout | 300202 | IAM | Authentication | Logoff |
refineCollectionShardKey | 500201 | Configuration | Device Config State | Log |
removeShard | 500201 | Configuration | Device Config State | Log |
renameCollection | 300403 | IAM | Entity Management | Update |
replSetReconfig | 500201 | Configuration | Device Config State | Log |
revokePrivilegesFromRole | 300108 | IAM | Account Change | Detach Policy |
revokeRolesFromRole | 300108 | IAM | Account Change | Detach Policy |
revokeRolesFromUser | 300108 | IAM | Account Change | Detach Policy |
rotateLog | 100799 | System | Process | Other |
setClusterParameter | 500201 | Configuration | Device Config State | Log |
shardCollection | 500201 | Configuration | Device Config State | Log |
shutdown | 100702 | System | Process | Terminate |
startup | 100701 | System | Process | Launch |
updateCachedClusterServerParameter | 500201 | Configuration | Device Config State | Log |
updateRole | 300199 | IAM | Account Change | Other |
updateUser | 300199 | IAM | Account Change | Other |
Examples
The following examples show OCSF schema log messages for different action types.
Authenticate Action
{ "activity_id" : 1, "category_uid" : 3, "class_uid" : 3002, "time" : 1710715316123, "severity_id" : 1, "type_uid" : 300201, "metadata" : { "correlation_uid" : "20ec4769-984d-445c-aea7-da0429da9122", "product" : "MongoDB Server", "version" : "1.0.0" }, "actor" : { "user" : { "type_id" : 1, "name" : "admin.admin", "groups" : [ { "name" : "admin.root" } ] } }, "src_endpoint" : { "ip" : "127.0.0.1", "port" : 56692 }, "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 }, "user" : { "type_id" : 1, "name" : "admin.admin" }, "auth_protocol" : "SCRAM-SHA-256", "unmapped" : { "atype" : "authenticate" } }
AuthCheck Action
{ "activity_id" : 0, "category_uid" : 6, "class_uid" : 6003, "time" : 1710715315002, "severity_id" : 1, "type_uid" : 600300, "metadata" : { "correlation_uid" : "af4510fb-0a9f-49aa-b988-06259a7a861d", "product" : "MongoDB Server", "version" : "1.0.0" }, "actor" : {}, "src_endpoint" : { "ip" : "127.0.0.1", "port" : 45836 }, "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 }, "api" : { "operation" : "getParameter", "request" : { "uid" : "admin" }, "response" : { "code" : 13, "error" : "Unauthorized" } } }