Message fields

Overview

Base security events share the common fields below, plus the additional fields listed in each event subsection. Web-server access events have a different shape, they do not use these common fields and instead carry the set in the Web-server access fields table at the end.

Common fields

These fields appear on Base security events.

FieldValueExplanationPresent when
messagestringHuman-readable summary of the event.Always
activity_namestringThe action the event represents (for example, Logon, Setting Change).Always
statusSuccess / Failure / Other / UnknownOutcome of the action.Always
status_id1 / 2 / 99 / 0Numeric form of the status (1 Success, 2 Failure, 99 Other, 0 Unknown).Always
timeintegerEvent time, as a Unix timestamp in milliseconds.Always
status_detailstringReason or detail for a failure.On some failures (for example, a failed password sign-in)
actor.user.namestringThe administrator who performed the action.When the action is tied to an administrator session
src_endpoint.ipstringSource IP address of the request that triggered the event.When the event originates from a request through the web interface
metadata.correlation_uidstringCorrelation ID shared by all events produced by the same request.When the event originates from a request through the web interface

Sign-in fields

FieldValueExplanationPresent when
auth_protocolPassword / Token / SAMLThe sign-in method used.Always
auth_protocol_idintegerNumeric form of the sign-in method.Always
service.nameAppliance WebThe service that was signed in to.Always
unmapped.identity_provider_idstringThe identity provider used.SAML sign-ins only

auth_protocol reflects the sign-in method, Password or SAML for a direct sign-in to the appliance, or Token when the appliance interface is opened from the product's /login interface (as on cloud-managed appliances).

Account-change fields

FieldValueExplanationPresent when
userobjectThe account that was changed, in its state before the change.Always
user_resultobjectThe changed values of the account after the change.Account Update only
unmapped.changesobjectThe specific fields that changed, with their old and new values.Account Update only
unmapped.user_stateobjectA snapshot of the account state.Create and Delete only
unmapped.backup_codes_remainingintegerThe number of unused backup codes remaining.MFA Backup Code Used only

Support-session fields

FieldValueExplanationPresent when
tunnel_type_idintegerNumeric form of the tunnel type.Always
tunnel_typestringThe tunnel type (for example, Support).Always
unmapped.userobjectThe contact name and email entered on the support request.New support-session requests only
unmapped.incidentstringThe incident reference entered on the support request.New support-session requests only
unmapped.support_codestringThe support code used to start the session.Legacy support sessions only

Software-update fields

FieldValueExplanationPresent when
app.namestringName of the update or patch.Install and Update events (not manual uploads)
unmapped.update_idstringIdentifier of the update.Single-update installs
unmapped.patchesarrayNames of the patches installed.Patch installs
unmapped.fileobjectUploaded package name and size.Manual package uploads

Certificate fields

FieldValueExplanationPresent when
certificate.subjectstringThe certificate subject (distinguished name).Certificate operations on a specific certificate
certificate.issuerstringThe certificate issuer (distinguished name).Certificate operations on a specific certificate
certificate.serial_numberstringThe certificate serial number.Certificate operations on a specific certificate
certificate.expiration_timeintegerCertificate expiry, as a Unix timestamp in milliseconds.Certificate operations on a specific certificate
certificate.fingerprintsarrayCertificate fingerprints (SHA-1 and SHA-256).Certificate operations on a specific certificate
common_namestringThe common name of the certificate or request.Certificate and request creation and deletion
acme_serverstringThe ACME directory URL.ACME-related events
cert_hostnamestringThe hostname the certificate was issued for.ACME-related events
exported_with_private_keytrueIndicates the private key was included in the export.Certificate Export when the private key is included
days_remainingintegerDays remaining until the certificate expires.Certificate Expiry only

Configuration-change fields

FieldValueExplanationPresent when
setting.keystringThe setting that changed.Setting Change and Update Settings Change
setting.old_valueanyThe value before the change.Setting Change and Update Settings Change
setting.new_valueanyThe value after the change.Setting Change and Update Settings Change

Secret-operation fields

FieldValueExplanationPresent when
store_idstringIdentifier of the secret store involved.Always

Web-server access fields (on-premises only)

FieldValueExplanationPresent when
src_endpoint.ipstringSource IP address of the client.Always
src_endpoint.portintegerSource port of the client.Not on all requests
metadata.correlation_uidstringCorrelation ID shared with related events from the same request.Always
timeintegerRequest time, as a Unix timestamp in milliseconds.Always
http_request.http_methodstringHTTP method (for example, GET, POST).Always
http_request.url.hostnamestringRequested host.Always
http_request.url.schemehttp / httpsRequest scheme.Always
http_request.url.pathstringRequested path.Always
http_request.url.query_stringstringQuery string.Always
http_request.versionstringHTTP version.Always
http_request.user_agentstringClient user agent.Always
http_request.referrerstringReferring URL.Not on all requests
http_request.lengthintegerBytes received from the client.Not on all requests
http_response.codeintegerHTTP status code.Always
http_response.lengthintegerBytes returned to the client.Always
durationintegerRequest duration in milliseconds.Always
tls.versionstringTLS protocol version.HTTPS requests only
tls.cipherstringTLS cipher.HTTPS requests only
tls.snistringServer name indication.HTTPS requests only

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.