topic How to write a data model to map to an authentication story in Cortex XSIAM Discussions https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/how-to-write-a-data-model-to-map-to-an-authentication-story/m-p/1220561#M156 <P><SPAN>We are creating a data model and have questions like:</SPAN></P> <P>&nbsp;</P> <P>==============================================</P> <P>&nbsp;</P> <P>We are aware that the method of mapping to an authentication story requires defining the following, <BR />as described in the documentation.</P> <P>However, we are experiencing issues where the authentication story is not mapped.<BR />Specifically, We have created the data model rules as follows, but do you know the cause?</P> <P><BR />After creating the data model, we have confirmed that the actual data is mapped to the following six schemas.<BR /><BR />■Required Schemas<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/MODEL" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/MODEL</A><BR />xdm.source.ipv4<BR />xdm.source.user.upn ※<SPAN>Automatic enrichment</SPAN><BR />xdm.event.original_event_type<BR />xdm.event.outcome<BR />xdm.event.outcome_reason<BR />xdm.event.operation</P> <P><BR />■Created data model<BR />[MODEL: dataset=xxx_xxxxx_raw]<BR />alter<BR />xdm.event.type = "authentication",<BR />xdm.event.description = "authentication",<BR />xdm.source.ipv4 = json_extract_scalar(_raw_log , "$.ip"),<BR />xdm.source.user.username= json_extract_scalar(_raw_log , "$.username"),<BR />xdm.source.user.domain= "XXX.LOCAL",<BR />xdm.source.user.user_type = XDM_CONST.USER_TYPE_REGULAR,<BR />xdm.event.original_event_type = "Logon",<BR />xdm.event.outcome = if(lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "true", XDM_CONST.OUTCOME_SUCCESS, lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "false", XDM_CONST.OUTCOME_FAILED, null),<BR />xdm.event.outcome_reason = if(json_extract_scalar(_raw_log , "$.reason") != null,json_extract_scalar(_raw_log , "$.reason"), lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "true", "SUCCESS",null),<BR />xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN,<BR />xdm.auth.service = json_extract_scalar(_raw_log , "$.service_name"),<BR />xdm.auth.auth_method = json_extract_scalar(_raw_log , "$.login_type"),<BR />xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,<BR />xdm.logon.type = XDM_CONST.LOGON_TYPE_SERVICE,<BR />xdm.event.operation_sub_type = "LOGIN_EVENT";<BR /><BR /><LI-PRODUCT title="Cortex XSIAM" id="Cortex_XSIAM"></LI-PRODUCT>&nbsp;</P> Sat, 15 Feb 2025 12:50:58 GMT Hisashi_Abe 2025-02-15T12:50:58Z How to write a data model to map to an authentication story https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/how-to-write-a-data-model-to-map-to-an-authentication-story/m-p/1220561#M156 <P><SPAN>We are creating a data model and have questions like:</SPAN></P> <P>&nbsp;</P> <P>==============================================</P> <P>&nbsp;</P> <P>We are aware that the method of mapping to an authentication story requires defining the following, <BR />as described in the documentation.</P> <P>However, we are experiencing issues where the authentication story is not mapped.<BR />Specifically, We have created the data model rules as follows, but do you know the cause?</P> <P><BR />After creating the data model, we have confirmed that the actual data is mapped to the following six schemas.<BR /><BR />■Required Schemas<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/MODEL" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/MODEL</A><BR />xdm.source.ipv4<BR />xdm.source.user.upn ※<SPAN>Automatic enrichment</SPAN><BR />xdm.event.original_event_type<BR />xdm.event.outcome<BR />xdm.event.outcome_reason<BR />xdm.event.operation</P> <P><BR />■Created data model<BR />[MODEL: dataset=xxx_xxxxx_raw]<BR />alter<BR />xdm.event.type = "authentication",<BR />xdm.event.description = "authentication",<BR />xdm.source.ipv4 = json_extract_scalar(_raw_log , "$.ip"),<BR />xdm.source.user.username= json_extract_scalar(_raw_log , "$.username"),<BR />xdm.source.user.domain= "XXX.LOCAL",<BR />xdm.source.user.user_type = XDM_CONST.USER_TYPE_REGULAR,<BR />xdm.event.original_event_type = "Logon",<BR />xdm.event.outcome = if(lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "true", XDM_CONST.OUTCOME_SUCCESS, lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "false", XDM_CONST.OUTCOME_FAILED, null),<BR />xdm.event.outcome_reason = if(json_extract_scalar(_raw_log , "$.reason") != null,json_extract_scalar(_raw_log , "$.reason"), lowercase(json_extract_scalar(_raw_log , "$.login_successful")) = "true", "SUCCESS",null),<BR />xdm.event.operation = XDM_CONST.OPERATION_TYPE_AUTH_LOGIN,<BR />xdm.auth.service = json_extract_scalar(_raw_log , "$.service_name"),<BR />xdm.auth.auth_method = json_extract_scalar(_raw_log , "$.login_type"),<BR />xdm.auth.privilege_level = XDM_CONST.PRIVILEGE_LEVEL_USER,<BR />xdm.logon.type = XDM_CONST.LOGON_TYPE_SERVICE,<BR />xdm.event.operation_sub_type = "LOGIN_EVENT";<BR /><BR /><LI-PRODUCT title="Cortex XSIAM" id="Cortex_XSIAM"></LI-PRODUCT>&nbsp;</P> Sat, 15 Feb 2025 12:50:58 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/how-to-write-a-data-model-to-map-to-an-authentication-story/m-p/1220561#M156 Hisashi_Abe 2025-02-15T12:50:58Z