OCSF Schema Audit Messages

On this page

OCSF Category Mapping

OCSF Class Mapping
OCSF Type Mapping
Examples
Authenticate Action
AuthCheck Action

In the OCSF schema, recorded log messages have this syntax:

{
   "activity_id" : <int>,
   "category_uid" : <int>,
   "class_uid" : <int>,
   "time" : <int>,
   "severity_id" : <int>,
   "type_uid" : <int>,
   "metadata" : <document>
   "actor" : {
      "user" : {
         "type_id" : <int>,
         "name" : <string>,
         "groups" : <array of documents>
      }
   }
}

Field	Type	Description
`activity_id`	Integer	Activity type. See OCSF Type Mapping.
`category_uid`	Integer	Audit event category. See OCSF Category Mapping.
`class_uid`	Integer	Audit event class. See OCSF Class Mapping.
`time`	Integer	Number of milliseconds after the Unix epoch that the event occurred.
`severity_id`	Integer	Severity of the audited event.
`type_uid`	Integer	Combination of the audited event's class, activity, and category. See OCSF Type Mapping.
`metadata`	Document	Metadata about the event such as product and schema version.
`actor`	Document	Information about the user who performed the action.

Note

Log messages may contain additional fields depending on the event that was logged.

OCSF Category Mapping

This table describes the category_uid values:

`category_uid`	Category
`1`	System Activity
`2`	Findings
`3`	IAM
`4`	Network Activity
`5`	Discovery
`6`	Application Activity

OCSF Class Mapping

For a complete list of OCSF class_uids and how they map to different classes, see the OCSF Documentation.

OCSF Type Mapping

The type_uid field represents a combination of the audited event's class, activity, and category. The resulting UUID indicates the type of activity that occurred.

Specifically, type_uid is ( class_uid * 100 ) + (activity_id), with category_id being the thousands place in a class_id.

This table describes how audited actions map to type_uid:

Action Type	`type_uid`	Category	Class	Activity
`addShard`	`500101`	Configuration	Device Config State	Log
`applicationMessage`	`100799`	System	Process Activity	Other
`auditConfigure`	`500201` or `500203`	Discovery	Device Config State	`1` is Create `3` is Update
`authzCheck`	`600301` - `600304`	Application	API Activity	`1` is Create `2` is Read `3` is Update `4` is Delete
`authenticate`	`300201`	IAM	Authentication	Logon
`clientMetadata`	`400101`	Network	Network Activity	Open
`createCollection`	`300401`	IAM	Entity Management	Create
`createDatabase`	`300401`	IAM	Entity Management	Create
`createIndex`	`300401`	IAM	Entity Management	Create
`createRole`	`300101`	IAM	Account Change	Create
`createUser`	`300101`	IAM	Account Change	Create
`directAuthMutation`	`300100`	IAM	Account Change	Unknown
`dropAllRolesFromDatabase`	`300106`	IAM	Account Change	Delete
`dropAllUsersFromDatabase`	`300106`	IAM	Account Change	Delete
`dropCollection`	`300404`	IAM	Entity Management	Delete
`dropDatabase`	`300404`	IAM	Entity Management	Delete
`dropIndex`	`300404`	IAM	Entity Management	Delete
`dropPrivilegesToRole`	`300107`	IAM	Account Change	Attach Policy
`dropRole`	`300106`	IAM	Account Change	Delete
`dropUser`	`300106`	IAM	Account Change	Delete
`enableSharding`	`500201`	Configuration	Device Config State	Log
`getClusterParameter`	`600302`	Application	API Activity	Read
`grantRolesToRole`	`300107`	IAM	Account Change	Attach Policy
`grantRolesToUser`	`300107`	IAM	Account Change	Attach Policy
`importCollection`	`300401`	IAM	Entity Management	Create
`logout`	`300202`	IAM	Authentication	Logoff
`refineCollectionShardKey`	`500201`	Configuration	Device Config State	Log
`removeShard`	`500201`	Configuration	Device Config State	Log
`renameCollection`	`300403`	IAM	Entity Management	Update
`replSetReconfig`	`500201`	Configuration	Device Config State	Log
`revokePrivilegesFromRole`	`300108`	IAM	Account Change	Detach Policy
`revokeRolesFromRole`	`300108`	IAM	Account Change	Detach Policy
`revokeRolesFromUser`	`300108`	IAM	Account Change	Detach Policy
`rotateLog`	`100799`	System	Process	Other
`setClusterParameter`	`500201`	Configuration	Device Config State	Log
`shardCollection`	`500201`	Configuration	Device Config State	Log
`shutdown`	`100702`	System	Process	Terminate
`startup`	`100701`	System	Process	Launch
`updateCachedClusterServerParameter`	`500201`	Configuration	Device Config State	Log
`updateRole`	`300199`	IAM	Account Change	Other
`updateUser`	`300199`	IAM	Account Change	Other

Examples

The following examples show OCSF schema log messages for different action types.

Authenticate Action

{
   "activity_id" : 1,
   "category_uid" : 3,
   "class_uid" : 3002,
   "time" : 1710715316123,
   "severity_id" : 1,
   "type_uid" : 300201,
   "metadata" : {
      "correlation_uid" : "20ec4769-984d-445c-aea7-da0429da9122",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {
      "user" : {
         "type_id" : 1,
         "name" : "admin.admin",
         "groups" : [ { "name" : "admin.root" } ]
      }
   },
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 56692 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "user" : { "type_id" : 1, "name" : "admin.admin" },
   "auth_protocol" : "SCRAM-SHA-256",
   "unmapped" : { "atype" : "authenticate" }
}

AuthCheck Action

{
   "activity_id" : 0,
   "category_uid" : 6,
   "class_uid" : 6003,
   "time" : 1710715315002,
   "severity_id" : 1,
   "type_uid" : 600300,
   "metadata" : {
      "correlation_uid" : "af4510fb-0a9f-49aa-b988-06259a7a861d",
      "product" : "MongoDB Server",
      "version" : "1.0.0"
   },
   "actor" : {},
   "src_endpoint" : { "ip" : "127.0.0.1", "port" : 45836 },
   "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
   "api" : {
      "operation" : "getParameter",
      "request" : { "uid" : "admin" },
      "response" : { "code" : 13, "error" : "Unauthorized" }
   }
}

Back

mongo Schema

Network & Configuration Hardening