Supported source types and event types

• ADD_LOGIN_ACTIVITY_DEVICE

• ADMIN_LOGIN

• COLLABORATION_ACCEPT

• COLLABORATION_REMOVE

• DELETE

• DOWNLOAD

• EDIT

• FAILED_LOGIN

• ITEM_MODIFY

• ITEM_OPEN

• ITEM_SHARED_UPDATE

• ITEM_SYNC

• ITEM_UNSYNC

• LOGIN

• MOVE

• PREVIEW

• RENAME

• SHARE

• SHARE_EXPIRATION

• UPLOAD

The box:events source type corresponds to Box enterprise audit events that have been formatted by the Splunk Add-on for Box.

For more information, see the Splunk Add-on for Box manual.

• 113019

• 113039

• 602303

• 602304

• 611101

• 611103

• 716001

• 716002

• 716006

• 716038

• 722022

• 722023

• 722029

• 722031

• 722033

• 722034

• 722051

• 723001

• 723002

The cisco:asa source type corresponds to syslog messages from Cisco Adaptive Security Appliance (ASA) devices and Cisco Firepower Threat Defense (FTD) devices.

The Splunk Add-on for Cisco ASA emits cisco:asa data. For more information, see the Splunk Add-on for Cisco ASA manual.

• DHCPACK

• DHCPEXPIRE

• DHCPRELEASE

The infoblox:dhcp source type corresponds to Infoblox DHCP logs.

The Splunk Add-on for Infoblox emits infoblox:dhcp data. For more information, see the Splunk Add-on for Infoblox manual.

• FileCopied

• FileDeleted

• FileDownloaded

• FileModified

• FileMoved

• FileRenamed

• FileRestored

• FileUploaded

• SharingRevoked

• SharingSet

• UserLoggedIn

• UserLoginFailed

The o365:management:activity source type corresponds to audit events that are visible through the Office 365 Management Activity API.

The Splunk Add-on for Microsoft Office 365 emits o365:management:activity data. For more information, see the Splunk Add-on for Microsoft Office 365 manual.

MessageTrace

The o365:reporting:messagetrace source type corresponds to Message Trace events that are visible through the Microsoft Report API endpoints.

The Splunk Add-on for Microsoft Office 365 emits o365:reporting:messagetrace data. For more information, see the Splunk Add-on for Microsoft Office 365 manual.

• device.enrollment.create

• user.account.lock

• user.account.report_suspicious_activity_by_enduser

• user.authentication.auth_via_mfa

The OktaIM2:log source type corresponds to system log events coming from Okta Rest API endpoints.

The Splunk Add-on for Okta Identity Cloud emits OktaIM2:log data. For more information, see the Splunk Add-on for Okta Identity Cloud manual.

• gateway-auth

• gateway-connected

• gateway-logout

• gateway-setup-ipsec

• gateway-switch-to-ssl

• portal-auth

The pan:globalprotect source type corresponds to Palo Alto Network GlobalProtect events.

The Splunk Add-on for Palo Alto Networks emits pan:globalprotect data. For more information, see the Splunk Add-on for Palo Alto Networks manual.

• 1102

• 4103

• 4104

• 4624

• 4625

• 4634

• 4648

• 4661

• 4662

• 4663

• 4672

• 4673

• 4688

• 4689

• 4720

• 4722

• 4723

• 4724

• 4726

• 4728

• 4729

• 4732

• 4733

• 4740

• 4756

• 4757

• 4768

• 4769

• 4770

• 4771

• 4776

• 4781

• 5140

• 5145

The WinEventLog source type corresponds to Windows Event Log data in standard format, and the XmlWinEventLog source type corresponds to Windows Event Log data in XML format.

The Splunk Add-on for Microsoft Windows emits these source types. For more information, see the Splunk Add-on for Microsoft Windows manual.