AppOmni¶
About¶
AppOmni is focused on empowering Security and IT teams with preventive and detective solutions that allow them to protect and secure important SaaS applications. It monitors and normalizes event types across critical SaaS applications such as Salesforce, Box, Office365, Teams, and Zoom.
Product Details¶
Vendor URL: AppOmni: SaaS Security Management & Posture Solutions
Product Type: SaaS Application
Product Tier: Tier III
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: APPOMNI
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| @timestamp | metadata.event_timestamp |
| appomni.event.id | metadata.product_log_id |
| appomni.event.sortable_ingest_id | additional.sortable_ingest_id |
| appomni.organization.id | metadata.product_deployment_id |
| appomni.service.name.0 | principal.user.company_name |
| appomni.service.type.0 | metadata.product_name |
| cloud.account.id | additional.cloud_account_id |
| ecs.version | metadata.product_version |
| event.action | metadata.product_event_type |
| event.category.0 | security_result.category_details |
| event.dataset | security_result.description |
| event.outcome | security_result.action |
| event.type.0 | security_result.severity |
| host.os.name | principal.asset.platform_software.platform |
| host.os.version | principal.asset.platform_software.platform_version |
| http.request.method | network.http.method |
| labels.session_id | network.session_id |
| labels.user_location | additional.user_location |
| resource.metadata.action_message | principal.process.command_line |
| resource.metadata.language | principal.application |
| resource.metadata.platform | target.platform_version |
| resource.metadata.query | principal.process.command_line |
| resource.metadata.type | extensions.auth.auth_details |
| resource.name | target.file.full_path |
| sfdc.event_table.data.payload.Records | target.process.command_line |
| sfdc.event_table.data.payload.Subdivision | principal.asset.location.state |
| sfdc.eventlog.aura_request.EVENT_TYPE | security_result.summary |
| sfdc.eventlog.aura_request.LOGIN_KEY | additional.login_key |
| sfdc.eventlog.aura_request.REQUEST_ID | additional.request_id |
| sfdc.eventlog.aura_request.RUN_TIME | network.session_duration |
| slack.audit.entity.file.name | target.file.full_path |
| source.as.organization.name | principal.asset.location.name |
| source.geo.city_name | principal.asset.location.city |
| source.geo.country_iso_code | principal.asset.location.country_or_region |
| source.geo.location.lat | principal.asset.location.region_latitude |
| source.geo.location.lon | principal.asset.location.region_longitude |
| source.ip | principal.ip |
| url.original | target.url |
| user.id | principal.user.userid |
| user.name | principal.user.user_display_name |
| user.roles.0 | principal.user.attribute.roles |
| user_agent.name | network.http.user_agent |
| user_agent.original | network.http.user_agent |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | GENERIC_EVENT | ||
| update_resource | RESOURCE_WRITTEN | Y | |
| access_resource | RESOURCE_READ | ||
| download_resource | RESOURCE_CREATION | ||
| login_user | USER_LOGIN |
Log Sample¶
{"labels":{"session_level":"STANDARD","user_location":"internal"},"cloud":{"account":{"id":"0v698we41f9651v0445"}},"url":{"original":"login.salesforce.com"},"sfdc":{"event_table":{"channel":"/event/LoginEventStream","data":{"event":{"replayId":""},"payload":{"LoginHistoryId":"123adf465adf789aef","SessionLevel":"STANDARD","Username":"johndoe@companydomain.com","Browser":"Unknown","CountryIso":"US","Application":"App Web Prod","LoginType":"Remote Access 2.0","Platform":"Unknown","PostalCode":"12345","RelatedEventIdentifier":null,"TlsProtocol":"TLS 1.2","UserId":"0v698we41f9651v0445","AdditionalInfo":"{}","EvaluationTime":0,"AuthServiceId":null,"CipherSuite":"ECDHE-RSA-AES256-GCM-SHA384","LoginLongitude":-80.4903,"SessionKey":null,"Status":"Success","ApiType":"N/A","ApiVersion":"N/A","PolicyOutcome":null,"Country":"United States","CreatedDate":"2022-04-15T17:17:35.937+0000","LoginGeoId":"123asdf456asdf7890","LoginUrl":"login.salesforce.com","attributes":{"url":"/services/data/v51.0/sobjects/LoginEvent/000000000000000AAA","type":"LoginEvent"},"ClientVersion":"N/A","EventIdentifier":"123-456-789-asdf","LoginKey":"123asdf456asdf789","LoginLatitude":40.0469,"PolicyId":null,"SourceIp":"10.0.0.91","UserType":"Standard","City":"Ashburn","EventDate":"2022-04-15T17:17:31.403+0000","HttpMethod":"POST","Subdivision":"Virginia"},"schema":"AppOmni"}}},"appomni":{"event":{"id":"123-asdf-456-asdf-789-asdf","dataset":"sfdc_login_event_table","sortable_ingest_id":"123asdf456asdf789asdf0","ingestion_time":"2022-04-15T17:18:38.590Z","collected_time":"2022-04-15T17:18:37.608Z"},"organization":{"id":123},"service":{"id":[11283],"account_id":["0v698we41f9651v0445"],"type":["sfdc"],"name":["company name"]}},"http":{"request":{"method":"POST"}},"source":{"address":"10.0.0.91","geo":{"postal_code":"12345","region_name":"Virginia","city_name":"Ashburn","country_iso_code":"US","country_name":"United States","location":{"lon":-80.4903,"lat":40.0469}},"ip":"10.0.0.91","as":{"number":123456,"organization":{"name":"AMAZON"}}},"user":{"id":"0v698we41f9651v0445","name":"johndoe@companydomain.com","roles":["Standard"]},"user_agent":{"name":"Unknown"},"event":{"ingested":"2022-04-15T17:18:38.590Z","module":"sfdc","original":"{\"channel\":\"/event/LoginEventStream\",\"data\":{\"schema\":\"AppOmni\",\"payload\":{\"CountryIso\":\"US\",\"LoginLatitude\":40.0469,\"Subdivision\":\"Virginia\",\"AuthServiceId\":null,\"Browser\":\"Unknown\",\"City\":\"Ashburn\",\"PolicyOutcome\":null,\"SessionKey\":null,\"SourceIp\":\"10.0.0.91\",\"UserType\":\"Standard\",\"ApiType\":\"N/A\",\"Application\":\"App Web Prod\",\"RelatedEventIdentifier\":null,\"ApiVersion\":\"N/A\",\"LoginLongitude\":-80.4903,\"HttpMethod\":\"POST\",\"LoginKey\":\"123asdf456asdf789\",\"LoginUrl\":\"login.salesforce.com\",\"TlsProtocol\":\"TLS 1.2\",\"CreatedDate\":\"2022-04-15T17:17:35.937+0000\",\"EventDate\":\"2022-04-15T17:17:31.403+0000\",\"PostalCode\":\"12345\",\"UserId\":\"0v698we41f9651v0445\",\"ClientVersion\":\"N/A\",\"Country\":\"United States\",\"EvaluationTime\":0.0,\"EventIdentifier\":\"123-456-789-asdf\",\"LoginType\":\"Remote Access 2.0\",\"attributes\":{\"type\":\"LoginEvent\",\"url\":\"/services/data/v51.0/sobjects/LoginEvent/000000000000000AAA\"},\"AdditionalInfo\":\"{}\",\"PolicyId\":null,\"SessionLevel\":\"STANDARD\",\"LoginGeoId\":\"123asdf456asdf7890\",\"LoginHistoryId\":\"123adf465adf789aef\",\"Status\":\"Success\",\"Username\":\"johndoe@companydomain.com\",\"CipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"Platform\":\"Unknown\"},\"event\":{\"replayId\":\"\"}}}","outcome":"success","reason":"Success","action":"login_user","created":"2022-04-15T17:18:37.608Z","dataset":"sfdc_login_event_table","id":"123-456-789-asdf","kind":"event","provider":"/event/LoginEventStream","category":["audit","cloud","authentication"]},"resource":{"metadata":{"application":"App Web Prod","type":"Remote Access 2.0"}},"service":{"type":"sfdc"},"tls":{"cipher":"ECDHE-RSA-AES256-GCM-SHA384","version":"1.2"},"@timestamp":"2022-04-15T17:17:31.403Z","ecs":{"version":"1.9.0"},"host":{"os":{"name":"Unknown"}},"related":{"ip":["10.0.0.91"],"user":["johndoe@companydomain.com"]}}
Sample Parsing¶
metadata.product_log_id = "123-asdf-456-asdf-789-asdf"
metadata.event_timestamp = "2022-04-15T17:17:31Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "AppOmni"
metadata.product_name = "sfdc"
metadata.product_version = "1.9.0"
metadata.product_event_type = "login_user"
metadata.ingested_timestamp = "2022-04-15T17:23:01.202037Z"
metadata.product_deployment_id = "123"
additional.user_location = "internal"
additional.sortable_ingest_id = "123asdf456asdf789asdf0"
additional.cloud_account_id = "0v698we41f9651v0445"
principal.user.userid = "0v698we41f9651v0445"
principal.user.user_display_name = "johndoe"
principal.user.attribute.roles.name = "Standard"
principal.user.company_name = "company name"
principal.ip = "10.0.0.91"
principal.asset.ip = "10.0.0.91"
principal.asset.location.city = "Ashburn"
principal.asset.location.state = "Virginia"
principal.asset.location.country_or_region = "US"
principal.asset.location.name = "AMAZON"
principal.asset.location.region_latitude = 40.0469
principal.asset.location.region_longitude = -80.4903
principal.domain.name = "companydomain.com"
target.url = "login.salesforce.com"
target.application = "App Web Prod"
security_result.category_details = "audit"
security_result.category_details = "cloud"
security_result.category_details = "authentication"
security_result.description = "sfdc_login_event_table"
security_result.action = "ALLOW"
network.http.method = "POST"
network.http.user_agent = "Unknown"
extensions.auth.auth_details = "Remote Access 2.0"
Parser Alerting¶
This product currently has Parser-based Alerting for High and Critical severities for Enterprise Insights alerting.
Rules¶
Coming Soon