Supported source types and event types

Edge Processors support OCSF conversions for specific source types and event types.

The following table lists the source types and event types that Edge Processors support for converting data into OCSF format.

Note: The Edge Processor solution is updated periodically to add support for more source types and event types. Refer to this table for the latest support information.


Source type	Event type	Description
box:events	ADD_LOGIN_ACTIVITY_DEVICE ADMIN_LOGIN COLLABORATION_ACCEPT COLLABORATION_REMOVE DELETE DOWNLOAD EDIT FAILED_LOGIN ITEM_MODIFY ITEM_OPEN ITEM_SHARED_UPDATE ITEM_SYNC ITEM_UNSYNC LOGIN MOVE PREVIEW RENAME SHARE SHARE_EXPIRATION UPLOAD	The `box:events` source type corresponds to Box enterprise audit events that have been formatted by the Splunk Add-on for Box. For more information, see the Splunk Add-on for Box manual.
cisco:asa	113019 113039 602303 602304 611101 611103 716001 716002 716006 716038 722022 722023 722029 722031 722033 722034 722051 723001 723002	The `cisco:asa` source type corresponds to syslog messages from Cisco Adaptive Security Appliance (ASA) devices and Cisco Firepower Threat Defense (FTD) devices. The Splunk Add-on for Cisco ASA emits `cisco:asa` data. For more information, see the Splunk Add-on for Cisco ASA manual.
infoblox:dhcp	DHCPACK DHCPEXPIRE DHCPRELEASE	The `infoblox:dhcp` source type corresponds to Infoblox DHCP logs. The Splunk Add-on for Infoblox emits `infoblox:dhcp` data. For more information, see the Splunk Add-on for Infoblox manual.
o365:management:activity	FileCopied FileDeleted FileDownloaded FileModified FileMoved FileRenamed FileRestored FileUploaded SharingRevoked SharingSet UserLoggedIn UserLoginFailed	The `o365:management:activity` source type corresponds to audit events that are visible through the Office 365 Management Activity API. The Splunk Add-on for Microsoft Office 365 emits `o365:management:activity` data. For more information, see the Splunk Add-on for Microsoft Office 365 manual.
o365:reporting:messagetrace	MessageTrace	The `o365:reporting:messagetrace` source type corresponds to Message Trace events that are visible through the Microsoft Report API endpoints. The Splunk Add-on for Microsoft Office 365 emits `o365:reporting:messagetrace` data. For more information, see the Splunk Add-on for Microsoft Office 365 manual.
OktaIM2:log	device.enrollment.create user.account.lock user.account.report_suspicious_activity_by_enduser user.authentication.auth_via_mfa	The `OktaIM2:log` source type corresponds to system log events coming from Okta Rest API endpoints. The Splunk Add-on for Okta Identity Cloud emits `OktaIM2:log` data. For more information, see the Splunk Add-on for Okta Identity Cloud manual.
pan:globalprotect	gateway-auth gateway-connected gateway-logout gateway-setup-ipsec gateway-switch-to-ssl portal-auth	The `pan:globalprotect` source type corresponds to Palo Alto Network GlobalProtect events. The Splunk Add-on for Palo Alto Networks emits `pan:globalprotect` data. For more information, see the Splunk Add-on for Palo Alto Networks manual.
WinEventLog or XmlWinEventLog	1102 4103 4104 4624 4625 4634 4648 4661 4662 4663 4672 4673 4688 4689 4720 4722 4723 4724 4726 4728 4729 4732 4733 4740 4756 4757 4768 4769 4770 4771 4776 4781 5140 5145	The `WinEventLog` source type corresponds to Windows Event Log data in standard format, and the `XmlWinEventLog` source type corresponds to Windows Event Log data in XML format. The Splunk Add-on for Microsoft Windows emits these source types. For more information, see the Splunk Add-on for Microsoft Windows manual.

Documentation

Supported source types and event types

See also