diff --git a/anthropic_compliance_logs/README.md b/anthropic_compliance_logs/README.md
index 0883bbbf73b36..eed55df5de67a 100644
--- a/anthropic_compliance_logs/README.md
+++ b/anthropic_compliance_logs/README.md
@@ -41,7 +41,7 @@ The Compliance API is available to Anthropic Enterprise plan customers with the
 1. Wait up to 5 minutes for the first crawl.
 2. Open [Log Explorer][3] and filter on `source:claude-compliance-logs`.
-3. Confirm logs appear with `evt.name` values such as `claude_chat_viewed`, `admin_api_key_created`, or `user_signed_in_sso`.
+3. Confirm logs appear with `evt.name` values such as `claude_chat_viewed`, `admin_api_key_created`, or `sso_login_succeeded`.
 ## Data Collected
@@ -51,7 +51,7 @@ The integration collects audit activity logs from `GET /v1/compliance/activities
 - A timestamp (`created_at`) with microsecond precision
 - An actor (user, API key, SCIM, or system) with email, user ID, IP address, and User-Agent when applicable
-- An activity `type` such as `user_signed_in_sso`, `admin_api_key_created`, `org_user_invite_accepted`, or `claude_chat_viewed` (150+ activity types across 35+ categories)
+- An activity `type` such as `sso_login_succeeded`, `admin_api_key_created`, `org_user_invite_accepted`, or `claude_chat_viewed` (150+ activity types across 35+ categories)
 - Organization and workspace context
 Logs are tagged `source:claude-compliance-logs` and processed by a Datadog log pipeline that flattens the actor object into standard `usr.*` and `network.client.*` attributes and enriches the source IP with GeoIP and the User-Agent string.
diff --git a/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs.yaml b/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs.yaml
index 975da722e2bbf..d8065b01a1f84 100644
--- a/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs.yaml
+++ b/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs.yaml
@@ -88,6 +88,104 @@ facets:
 name: User ID
 path: usr.id
 source: log
+ - groups:
+ - OCSF
+ name: Activity ID
+ path: ocsf.activity_id
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Activity Name
+ path: ocsf.activity_name
+ source: log
+ - groups:
+ - OCSF
+ name: Category
+ path: ocsf.category_name
+ source: log
+ - groups:
+ - OCSF
+ name: Category ID
+ path: ocsf.category_uid
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Class
+ path: ocsf.class_name
+ source: log
+ - groups:
+ - OCSF
+ name: Class ID
+ path: ocsf.class_uid
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Type ID
+ path: ocsf.type_uid
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Severity ID
+ path: ocsf.severity_id
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Status
+ path: ocsf.status
+ source: log
+ - groups:
+ - OCSF
+ name: Status ID
+ path: ocsf.status_id
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Event Code
+ path: ocsf.metadata.event_code
+ source: log
+ - groups:
+ - OCSF
+ name: Product Name
+ path: ocsf.metadata.product.name
+ source: log
+ - groups:
+ - OCSF
+ name: Vendor Name
+ path: ocsf.metadata.product.vendor_name
+ source: log
+ - groups:
+ - OCSF
+ name: Email Address
+ path: ocsf.actor.user.email_addr
+ source: log
+ - groups:
+ - OCSF
+ name: Unique ID
+ path: ocsf.actor.user.uid
+ source: log
+ - groups:
+ - OCSF
+ name: Source IP Address
+ path: ocsf.src_endpoint.ip
+ source: log
+ - groups:
+ - OCSF
+ name: Auth Protocol ID
+ path: ocsf.auth_protocol_id
+ source: log
+ type: integer
+ - groups:
+ - OCSF
+ name: Multi Factor Authentication
+ path: ocsf.is_mfa
+ source: log
+ type: boolean
 pipeline:
 type: pipeline
 name: Claude Compliance Logs
@@ -108,7 +206,7 @@ pipeline:
 sourceType: attribute
 target: evt.name
 targetType: attribute
- preserveSource: false
+ preserveSource: true
 overrideOnConflict: true
 - type: attribute-remapper
 name: Map `actor.email_address` to `usr.email`
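Review bot: The `Multi Factor Authentication` facet on `ocsf.is_mfa` has no producer anywhere in the visible pipeline: the Authentication [3002] sub-pipeline added later in this commit sets `ocsf.auth_protocol_id`, `ocsf.status_id` and `ocsf.actor.idp.name` but never writes `ocsf.is_mfa`, so the facet will stay empty unless a processor beyond the end of this page populates it (the final hunk runs past what is shown). If an MFA signal is intended, `sso_second_factor_magic_link`, which the 3002 status mapper already matches as Success, looks like the event it would have to be derived from, assuming that event does represent a completed second factor; otherwise the facet should be dropped so the OCSF view does not imply coverage the integration does not have. On a smaller point, `ocsf.severity_id` gets a facet while its name counterpart `ocsf.severity`, which every sub-pipeline does set, does not; `ocsf.status`/`ocsf.status_id` and `ocsf.activity_name`/`ocsf.activity_id` are faceted as pairs, so `ocsf.severity` is the odd one out.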
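Review bot: `preserveSource: true` is flipped with no note in the file on why, here for `evt.name` and in the four matching remappers in the following hunks (`usr.email`, `usr.id`, `network.client.ip`, `http.useragent`). Judging from the OCSF sub-pipelines added later in this commit, which still read `type`, `actor.email_address`, `actor.user_id`, `actor.ip_address` and `actor.user_agent` as their sources, the flip looks like a hard dependency rather than a preference, so a comment above the first remapper, e.g. `# preserveSource must stay true: the OCSF sub-pipelines below read the raw type/actor.* attributes`, would stop someone from restoring the old value and silently emptying the OCSF fields. Worth stating in the README's Data Collected section as well: email, IP address and User-Agent now persist twice per event, under `actor.*` and under `usr.*`/`network.client.*`/`http.useragent`, which matters for anyone scoping sensitive-data scanning, redaction or retention rules to the standard attribute names only.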
@@ -118,7 +216,7 @@ pipeline:
 sourceType: attribute
 target: usr.email
 targetType: attribute
- preserveSource: false
+ preserveSource: true
 overrideOnConflict: true
 - type: attribute-remapper
 name: Map `actor.user_id` to `usr.id`
@@ -128,7 +226,7 @@ pipeline:
 sourceType: attribute
 target: usr.id
 targetType: attribute
- preserveSource: false
+ preserveSource: true
 overrideOnConflict: true
 - type: attribute-remapper
 name: Map `actor.ip_address` to `network.client.ip`
@@ -138,7 +236,7 @@ pipeline:
 sourceType: attribute
 target: network.client.ip
 targetType: attribute
- preserveSource: false
+ preserveSource: true
 overrideOnConflict: true
 - type: attribute-remapper
 name: Map `actor.user_agent` to `http.useragent`
@@ -148,7 +246,7 @@ pipeline:
 sourceType: attribute
 target: http.useragent
 targetType: attribute
- preserveSource: false
+ preserveSource: true
 overrideOnConflict: true
 - type: geo-ip-parser
 name: GeoIP parser on `network.client.ip`
@@ -163,3 +261,1539 @@ pipeline: - http.useragent target: http.useragent_details encoded: false + - type: pipeline + name: OCSF pre transformations + enabled: true + ocsf: + isOcsf: true + filter: + query: "*" + processors: + - type: string-builder-processor + name: Add product name + enabled: true + template: "Claude" + target: ocsf.metadata.product.name + replaceMissing: false + - type: string-builder-processor + name: Add product vendor + enabled: true + template: "Anthropic" + target: ocsf.metadata.product.vendor_name + replaceMissing: false + - type: attribute-remapper + name: Map `type` to `ocsf.metadata.event_code` + enabled: true + sources: + - type + sourceType: attribute + target: ocsf.metadata.event_code + targetType: attribute + preserveSource: true + overrideOnConflict: true + - type: attribute-remapper + name: Map `created_at` to `ocsf.metadata.original_time` + enabled: true + sources: + - created_at + sourceType: attribute + target: ocsf.metadata.original_time + targetType: attribute + preserveSource: true + overrideOnConflict: true + - type: grok-parser + name: Parse `created_at` to `ocsf.time` + enabled: true + source: created_at + samples: + - "2026-05-22T15:21:54.358426Z" + grok: + supportRules: "" + matchRules: | + parsing_time %{date("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"):ocsf.time} + parsing_time_ms %{date("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"):ocsf.time} + parsing_time_s %{date("yyyy-MM-dd'T'HH:mm:ss'Z'"):ocsf.time} + - type: pipeline + name: OCSF sub pipeline for class Account Change [3001] - target events + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:(org_user_deleted OR org_user_invite_sent)" + processors: + - type: schema-processor + name: Apply OCSF schema for 3001 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: 
true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address` to `ocsf.actor.user.email_addr` + sources: + - actor.email_address + target: ocsf.actor.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id`, `actor.admin_api_key_id` to `ocsf.actor.user.uid` + sources: + - actor.user_id + - actor.admin_api_key_id + target: ocsf.actor.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `organization_id`, `organization_uuid` to 
`ocsf.actor.user.org.uid` + sources: + - organization_id + - organization_uuid + target: ocsf.actor.user.org.uid + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `deleted_user_id` to `ocsf.user.uid` + sources: + - deleted_user_id + target: ocsf.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `deleted_user_email`, `invited_email` to `ocsf.user.email_addr` + sources: + - deleted_user_email + - invited_email + target: ocsf.user.email_addr + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `deleted_user_email`, `invited_email` to `ocsf.user.name` + sources: + - deleted_user_email + - invited_email + target: ocsf.user.name + preserveSource: true + overrideOnConflict: false + - type: schema-category-mapper + name: ocsf.actor.user.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.actor.user.type + id: ocsf.actor.user.type_id + fallback: + values: + ocsf.actor.user.type: Other + ocsf.actor.user.type_id: "99" + sources: + ocsf.actor.user.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@ocsf.metadata.event_code:org_user_invite_sent" + name: Create + id: 1 + - filter: + query: "@ocsf.metadata.event_code:org_user_deleted" + name: Delete + id: 6 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - type + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: 
ocsf.severity + id: ocsf.severity_id + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "*" + name: Success + id: 1 + targets: + name: ocsf.status + id: ocsf.status_id + schema: + schemaType: ocsf + version: 1.5.0 + className: Account Change + classUid: 3001 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class Account Change [3001] - self events + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:(org_user_invite_accepted OR claude_user_settings_updated OR *_api_key_*)" + processors: + - type: schema-processor + name: Apply OCSF schema for 3001 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map 
`actor.email_address` to `ocsf.actor.user.email_addr` + sources: + - actor.email_address + target: ocsf.actor.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id`, `actor.admin_api_key_id` to `ocsf.actor.user.uid` + sources: + - actor.user_id + - actor.admin_api_key_id + target: ocsf.actor.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `organization_id`, `organization_uuid` to `ocsf.actor.user.org.uid` + sources: + - organization_id + - organization_uuid + target: ocsf.actor.user.org.uid + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `actor.user_id`, `actor.admin_api_key_id` to `ocsf.user.uid` + sources: + - actor.user_id + - actor.admin_api_key_id + target: ocsf.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address` to `ocsf.user.email_addr` + sources: + - actor.email_address + target: ocsf.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.actor.user.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.actor.user.type + id: ocsf.actor.user.type_id + fallback: + values: + ocsf.actor.user.type: Other + ocsf.actor.user.type_id: "99" + sources: + 
ocsf.actor.user.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@ocsf.metadata.event_code:(*_api_key_created OR org_user_invite_accepted)" + name: Create + id: 1 + - filter: + query: "@ocsf.metadata.event_code:*_api_key_updated AND @updates.current_value:active" + name: Enable + id: 2 + - filter: + query: "@ocsf.metadata.event_code:*_api_key_updated AND @updates.current_value:archived" + name: Disable + id: 5 + - filter: + query: "@ocsf.metadata.event_code:*_api_key_deleted" + name: Delete + id: 6 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - type + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "*" + name: Success + id: 1 + targets: + name: ocsf.status + id: ocsf.status_id + schema: + schemaType: ocsf + version: 1.5.0 + className: Account Change + classUid: 3001 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class Authentication [3002] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:(sso_* OR magic_link_* OR social_login_* OR anonymous_mobile_login_* OR user_logged_out)" + processors: + - type: string-builder-processor + name: Add service name + enabled: true + template: "Claude" + target: ocsf.service.name + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 3002 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: 
true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address`, `actor.unauthenticated_email_address` to `ocsf.actor.user.email_addr` + sources: + - actor.email_address + - actor.unauthenticated_email_address + target: ocsf.actor.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id` to `ocsf.actor.user.uid` + sources: + - actor.user_id + target: ocsf.actor.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address`, `actor.unauthenticated_email_address` to `ocsf.actor.user.name` + sources: + - actor.email_address + - actor.unauthenticated_email_address + target: ocsf.actor.user.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address`, `actor.unauthenticated_email_address` to `ocsf.user.email_addr` + sources: + - actor.email_address + - 
actor.unauthenticated_email_address + target: ocsf.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id` to `ocsf.user.uid` + sources: + - actor.user_id + target: ocsf.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address`, `actor.unauthenticated_email_address` to `ocsf.user.name` + sources: + - actor.email_address + - actor.unauthenticated_email_address + target: ocsf.user.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `organization_id`, `organization_uuid` to `ocsf.actor.user.org.uid` + sources: + - organization_id + - organization_uuid + target: ocsf.actor.user.org.uid + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `ocsf.service.name` to `ocsf.service.name` + sources: + - ocsf.service.name + target: ocsf.service.name + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.actor.user.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.actor.user.type + id: ocsf.actor.user.type_id + fallback: + values: + ocsf.actor.user.type: Other + ocsf.actor.user.type_id: "99" + sources: + ocsf.actor.user.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id 
+ categories: + - filter: + query: "@ocsf.metadata.event_code:(sso_* OR magic_link_* OR social_login_* OR anonymous_mobile_login_*)" + name: Logon + id: 1 + - filter: + query: "@ocsf.metadata.event_code:user_logged_out" + name: Logoff + id: 2 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - type + - type: schema-remapper + name: Map `provider` to `ocsf.actor.idp.name` + sources: + - provider + target: ocsf.actor.idp.name + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.auth_protocol_id + categories: + - filter: + query: "@auth_method:sso OR @ocsf.metadata.event_code:sso_*" + name: SAML + id: 5 + - filter: + query: "@auth_method:social OR @ocsf.metadata.event_code:social_login_succeeded" + name: OpenID + id: 4 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.auth_protocol + id: ocsf.auth_protocol_id + fallback: + values: + ocsf.auth_protocol: Other + ocsf.auth_protocol_id: "99" + sources: + ocsf.auth_protocol: + - auth_method + - type + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "@ocsf.metadata.event_code:(sso_login_succeeded OR magic_link_login_succeeded OR social_login_succeeded OR sso_second_factor_magic_link OR user_logged_out)" + name: Success + id: 1 + - filter: + query: "@ocsf.metadata.event_code:(sso_login_failed OR magic_link_login_failed)" + name: Failure + id: 2 + - filter: + query: "@ocsf.metadata.event_code:(sso_login_initiated OR magic_link_login_initiated OR anonymous_mobile_login_attempted)" + name: Unknown + id: 0 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: + ocsf.status: Other + ocsf.status_id: "99" + sources: + 
ocsf.status: + - type + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + schema: + schemaType: ocsf + version: 1.5.0 + className: Authentication + classUid: 3002 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class User Access Management [3005] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:(role_assignment_granted OR role_assignment_revoked)" + processors: + - type: grok-parser + name: Parse `created_at` to `ocsf.time` + enabled: true + source: created_at + samples: + - "2026-05-22T15:21:54.358426Z" + grok: + supportRules: "" + matchRules: | + parsing_time %{date("yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"):ocsf.time} + parsing_time_ms %{date("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"):ocsf.time} + parsing_time_s %{date("yyyy-MM-dd'T'HH:mm:ss'Z'"):ocsf.time} + - type: attribute-remapper + name: Map `role` to `ocsf.privilege` + enabled: true + sources: + - role + sourceType: attribute + target: ocsf.privilege + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: array-processor + name: Move privilege into privileges array + enabled: true + operation: + source: ocsf.privilege + target: ocsf.privileges + preserveSource: false + type: append + - type: attribute-remapper + name: Map `resource_id` to `ocsf.resource.uid` + enabled: true + sources: + - resource_id + sourceType: attribute + target: ocsf.resource.uid + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `resource_type` to `ocsf.resource.type` + enabled: true + sources: + - resource_type + sourceType: attribute + target: ocsf.resource.type + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: array-processor + name: Move resource into resources array + enabled: true + operation: + source: ocsf.resource + 
target: ocsf.resources + preserveSource: false + type: append + - type: schema-processor + name: Apply OCSF schema for 3005 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address` to `ocsf.actor.user.email_addr` + sources: + - actor.email_address + target: ocsf.actor.user.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id` to `ocsf.actor.user.uid` + sources: + - actor.user_id + target: ocsf.actor.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + 
overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `organization_id`, `organization_uuid` to `ocsf.user.org.uid` + sources: + - organization_id + - organization_uuid + target: ocsf.user.org.uid + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `target_id` to `ocsf.user.uid` + sources: + - target_id + target: ocsf.user.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.privileges` to `ocsf.privileges` + sources: + - ocsf.privileges + target: ocsf.privileges + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.resources` to `ocsf.resources` + sources: + - ocsf.resources + target: ocsf.resources + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.actor.user.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.actor.user.type + id: ocsf.actor.user.type_id + fallback: + values: + ocsf.actor.user.type: Other + ocsf.actor.user.type_id: "99" + sources: + ocsf.actor.user.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@ocsf.metadata.event_code:role_assignment_granted" + name: Assign Privileges + id: 1 + - filter: + query: "@ocsf.metadata.event_code:role_assignment_revoked" + name: Revoke Privileges + id: 2 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + 
ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - type + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "*" + name: Success + id: 1 + targets: + name: ocsf.status + id: ocsf.status_id + schema: + schemaType: ocsf + version: 1.5.0 + className: User Access Management + classUid: 3005 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class Web Resources Activity [6001] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:(claude_chat_* OR claude_project_* OR claude_file_* OR claude_artifact_* OR claude_skill_*)" + processors: + - type: attribute-remapper + name: Map `claude_chat_id`, `claude_file_id`, `claude_project_document_id`, `claude_artifact_id`, `skill_id`, `claude_project_id` to `ocsf.web_resource.uid` + enabled: true + sources: + - claude_chat_id + - claude_file_id + - claude_project_document_id + - claude_artifact_id + - skill_id + - claude_project_id + sourceType: attribute + target: ocsf.web_resource.uid + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `filename`, `skill_name` to `ocsf.web_resource.name` + enabled: true + sources: + - filename + - skill_name + sourceType: attribute + target: ocsf.web_resource.name + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: array-processor + name: Move web_resource into web_resources array + enabled: true + operation: + source: ocsf.web_resource + target: ocsf.web_resources + preserveSource: false + type: append + - type: schema-processor + name: Apply OCSF schema for 6001 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` 
+ sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.email_address` to `ocsf.src_endpoint.owner.email_addr` + sources: + - actor.email_address + target: ocsf.src_endpoint.owner.email_addr + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_id`, `actor.admin_api_key_id` to `ocsf.src_endpoint.owner.uid` + sources: + - actor.user_id + - actor.admin_api_key_id + target: ocsf.src_endpoint.owner.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: 
ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `organization_id`, `organization_uuid` to `ocsf.src_endpoint.owner.org.uid` + sources: + - organization_id + - organization_uuid + target: ocsf.src_endpoint.owner.org.uid + preserveSource: true + overrideOnConflict: false + - type: schema-remapper + name: Map `ocsf.web_resources` to `ocsf.web_resources` + sources: + - ocsf.web_resources + target: ocsf.web_resources + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.src_endpoint.owner.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.src_endpoint.owner.type + id: ocsf.src_endpoint.owner.type_id + fallback: + values: + ocsf.src_endpoint.owner.type: Other + ocsf.src_endpoint.owner.type_id: "99" + sources: + ocsf.src_endpoint.owner.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@ocsf.metadata.event_code:(*_created OR *_uploaded)" + name: Create + id: 1 + - filter: + query: "@ocsf.metadata.event_code:*_viewed" + name: Read + id: 2 + - filter: + query: "@ocsf.metadata.event_code:(*_updated OR *_replaced)" + name: Update + id: 3 + - filter: + query: "@ocsf.metadata.event_code:*_deleted" + name: Delete + id: 4 + - filter: + query: "@ocsf.metadata.event_code:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - type + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + - type: 
schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "*" + name: Success + id: 1 + targets: + name: ocsf.status + id: ocsf.status_id + schema: + schemaType: ocsf + version: 1.5.0 + className: Web Resources Activity + classUid: 6001 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class API Activity [6003] + enabled: true + ocsf: + isOcsf: true + filter: + query: "@ocsf.metadata.event_code:compliance_api_accessed" + processors: + - type: schema-processor + name: Apply OCSF schema for 6003 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.api_key_id` to `ocsf.actor.user.uid` + sources: + - actor.api_key_id + target: ocsf.actor.user.uid + preserveSource: 
true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.api_key_id` to `ocsf.actor.app_uid` + sources: + - actor.api_key_id + target: ocsf.actor.app_uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.ip_address` to `ocsf.src_endpoint.ip` + sources: + - actor.ip_address + target: ocsf.src_endpoint.ip + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `actor.user_agent` to `ocsf.http_request.user_agent` + sources: + - actor.user_agent + target: ocsf.http_request.user_agent + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `request_method` to `ocsf.http_request.http_method` + sources: + - request_method + target: ocsf.http_request.http_method + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `url` to `ocsf.http_request.url.url_string` + sources: + - url + target: ocsf.http_request.url.url_string + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `request_id` to `ocsf.http_request.uid` + sources: + - request_id + target: ocsf.http_request.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `status_code` to `ocsf.http_response.code` + sources: + - status_code + target: ocsf.http_response.code + preserveSource: true + overrideOnConflict: true + targetFormat: integer + - type: schema-remapper + name: Map `request_method` to `ocsf.api.operation` + sources: + - request_method + target: ocsf.api.operation + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `request_id` to `ocsf.api.request.uid` + sources: + - request_id + target: ocsf.api.request.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `status_code` to `ocsf.api.response.code` + sources: + - status_code + target: ocsf.api.response.code + preserveSource: true + overrideOnConflict: true 
+ targetFormat: integer + - type: schema-category-mapper + name: ocsf.actor.user.type_id + categories: + - filter: + query: "@actor.type:user_actor" + name: User + id: 1 + - filter: + query: "@actor.type:admin*" + name: Admin + id: 2 + - filter: + query: "-@actor.type:*" + name: Unknown + id: 0 + - filter: + query: "@actor.type:*" + name: Other + id: 99 + targets: + name: ocsf.actor.user.type + id: ocsf.actor.user.type_id + fallback: + values: + ocsf.actor.user.type: Other + ocsf.actor.user.type_id: "99" + sources: + ocsf.actor.user.type: + - actor.type + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "@request_method:POST" + name: Create + id: 1 + - filter: + query: "@request_method:GET" + name: Read + id: 2 + - filter: + query: "@request_method:(PUT OR PATCH)" + name: Update + id: 3 + - filter: + query: "@request_method:DELETE" + name: Delete + id: 4 + - filter: + query: "@request_method:*" + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_name: Other + ocsf.activity_id: "99" + sources: + ocsf.activity_name: + - request_method + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "@status_code:[200 TO 299]" + name: Success + id: 1 + - filter: + query: "@status_code:[400 TO 599]" + name: Failure + id: 2 + - filter: + query: "-@status_code:*" + name: Unknown + id: 0 + - filter: + query: "@status_code:*" + name: Other + id: 99 + targets: + name: ocsf.status + id: ocsf.status_id + fallback: + values: + ocsf.status: Other + ocsf.status_id: "99" + sources: + ocsf.status: + - status_code + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "@status_code:[200 TO 399]" + name: Informational + id: 1 + - filter: + query: "@status_code:[400 TO 499]" + name: Medium + id: 3 + - filter: + query: "@status_code:[500 TO 599]" + name: High + id: 4 + - filter: + query: "-@status_code:*" + 
name: Unknown + id: 0 + - filter: + query: "@status_code:*" + name: Other + id: 99 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: + ocsf.severity: Other + ocsf.severity_id: "99" + sources: + ocsf.severity: + - status_code + schema: + schemaType: ocsf + version: 1.5.0 + className: API Activity + classUid: 6003 + extensions: [] + profiles: [] + - type: pipeline + name: OCSF sub pipeline for class Base Event [0] + enabled: true + ocsf: + isOcsf: true + filter: + query: "-@ocsf.class_uid:*" + processors: + - type: schema-processor + name: Apply OCSF schema for 0 + enabled: true + mappers: + - type: schema-remapper + name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + target: ocsf.metadata.product.name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + target: ocsf.metadata.product.vendor_name + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - ocsf.metadata.event_code + target: ocsf.metadata.event_code + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `id` to `ocsf.metadata.uid` + sources: + - id + target: ocsf.metadata.uid + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + target: ocsf.time + preserveSource: true + overrideOnConflict: true + - type: schema-remapper + name: Map `ocsf.metadata.original_time` to `ocsf.metadata.original_time` + sources: + - ocsf.metadata.original_time + target: ocsf.metadata.original_time + preserveSource: true + overrideOnConflict: true + - type: schema-category-mapper + name: ocsf.activity_id + categories: + - filter: + query: "*" + name: Unknown + id: 
0 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + - type: schema-category-mapper + name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + - type: schema-category-mapper + name: ocsf.status_id + categories: + - filter: + query: "*" + name: Unknown + id: 0 + targets: + name: ocsf.status + id: ocsf.status_id + schema: + schemaType: ocsf + version: 1.5.0 + className: Base Event + classUid: 0 + extensions: [] + profiles: [] diff --git a/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs_tests.yaml b/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs_tests.yaml index 17d3d7c1f3948..a3fb1fd394044 100644 --- a/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs_tests.yaml +++ b/anthropic_compliance_logs/assets/logs/anthropic-compliance-logs_tests.yaml 
@@ -1,72 +1,2745 @@ id: "anthropic-compliance-logs" tests: - - sample: |- + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" + }, + "claude_artifact_id" : "claude_artifact_01EXAMPLEARTIFACT0", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:25:13.701734Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_artifact_viewed" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_artifact_id: "claude_artifact_01EXAMPLEARTIFACT0" + created_at: "2026-05-22T15:25:13.701734Z" + evt: + name: "claude_artifact_viewed" + http: + useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" + useragent_details: + browser: + family: "Chrome" + major: "148" + minor: "0" + patch: "0" + patch_minor: "0" + device: + brand: "Apple" + category: "Desktop" + family: "Mac" + model: "Mac" + os: + family: "Mac OS X" + major: "10" + minor: "15" + patch: "7" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 2 + activity_name: "Read" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" + 
metadata: + event_code: "claude_artifact_viewed" + original_time: "2026-05-22T15:25:13.701734Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463513701 + web_resources: + - uid: "claude_artifact_01EXAMPLEARTIFACT0" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_artifact_viewed" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- { "actor" : { "email_address" : "user@example.com", - "user_id" : "user_01FBY4qyk7SdPxJCAd4EfPbT", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" + }, + "claude_artifact_id" : "claude_artifact_01EXAMPLEARTIFACT0", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:25:13.701734Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_artifact_viewed" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463513701 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:54.358426Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + 
"type" : "claude_chat_created", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.3883.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_chat_id: "claude_chat_01EXAMPLECHATID000000" + created_at: "2026-05-22T15:21:54.358426Z" + evt: + name: "claude_chat_created" + http: + useragent: "Mozilla/5.0 Claude/1.3883.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 Claude/1.3883.0" + metadata: + event_code: "claude_chat_created" + original_time: "2026-05-22T15:21:54.358426Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463314358 + web_resources: + - uid: "claude_chat_01EXAMPLECHATID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_chat_created" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", "ip_address" : "192.0.2.1", "type" : "user_actor", - "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, 
like Gecko) Version/17.0 Safari/605.1.15" + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" }, - "organization_id" : "org_01GuSHHxdWNCcTtk6Wr5arBM", - "organization_uuid" : "80cb55fa-462c-4bc0-82d6-07ebb1a6f004", - "created_at" : "2026-05-05T16:04:57.150724Z", - "id" : "activity_01R1sBnxj7yvtdZnt8DsfpRL", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:54.358426Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_chat_created", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463314358 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.5354.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:03.415347Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_chat_deleted", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.5354.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_chat_id: "claude_chat_01EXAMPLECHATID000000" + created_at: "2026-05-22T15:21:03.415347Z" + evt: + name: "claude_chat_deleted" + http: + useragent: "Mozilla/5.0 Claude/1.5354.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 4 + activity_name: "Delete" + category_name: "Application Activity" + category_uid: 6 + class_name: 
"Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 Claude/1.5354.0" + metadata: + event_code: "claude_chat_deleted" + original_time: "2026-05-22T15:21:03.415347Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463263415 + web_resources: + - uid: "claude_chat_01EXAMPLECHATID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_chat_deleted" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.5354.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:03.415347Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_chat_deleted", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463263415 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:44.621308Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + 
"type" : "claude_chat_updated", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_chat_id: "claude_chat_01EXAMPLECHATID000000" + claude_project_id: "claude_proj_01EXAMPLEPROJECT00000" + created_at: "2026-05-22T15:21:44.621308Z" + evt: + name: "claude_chat_updated" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 3 + activity_name: "Update" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_chat_updated" + original_time: "2026-05-22T15:21:44.621308Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463304621 + web_resources: + - uid: "claude_chat_01EXAMPLECHATID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_chat_updated" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : 
"claude_proj_01EXAMPLEPROJECT00000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:44.621308Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_chat_updated", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463304621 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:53.556370Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_chat_viewed", + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_chat_id: "claude_chat_01EXAMPLECHATID000000" + created_at: "2026-05-22T15:21:53.556370Z" + evt: + name: "claude_chat_viewed" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 2 + activity_name: "Read" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_chat_viewed" + original_time: "2026-05-22T15:21:53.556370Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: 
"Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463313556 + web_resources: + - uid: "claude_chat_01EXAMPLECHATID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_chat_viewed" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:53.556370Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", "type" : "claude_chat_viewed", - "claude_chat_id" : "claude_chat_01AxWT9aH4swoDJ8u6dShxMV" + "claude_chat_id" : "claude_chat_01EXAMPLECHATID000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463313556 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "filename" : "example-image.png", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:32.702968Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_file_uploaded" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: 
"user_01EXAMPLEUSERID0000000000" + claude_file_id: "claude_file_01EXAMPLEFILEID000000" + created_at: "2026-05-22T15:21:32.702968Z" + evt: + name: "claude_file_uploaded" + filename: "example-image.png" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_file_uploaded" + original_time: "2026-05-22T15:21:32.702968Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463292702 + web_resources: + - name: "example-image.png" + uid: "claude_file_01EXAMPLEFILEID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_file_uploaded" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "filename" : "example-image.png", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:32.702968Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + 
"type" : "claude_file_uploaded" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463292702 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" + }, + "filename" : "example-screenshot.png", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:50.616332Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_file_viewed" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.3883.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_file_id: "claude_file_01EXAMPLEFILEID000000" + created_at: "2026-05-22T15:21:50.616332Z" + evt: + name: "claude_file_viewed" + filename: "example-screenshot.png" + http: + useragent: "Mozilla/5.0 Claude/1.3883.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 2 + activity_name: "Read" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 Claude/1.3883.0" + metadata: + event_code: "claude_file_viewed" + original_time: "2026-05-22T15:21:50.616332Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 
+ uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463310616 + web_resources: + - name: "example-screenshot.png" + uid: "claude_file_01EXAMPLEFILEID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_file_viewed" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" + }, + "filename" : "example-screenshot.png", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:50.616332Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_file_viewed" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463310616 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:10.594873Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_created" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_project_id: "claude_proj_01EXAMPLEPROJECT00000" + created_at: "2026-05-22T15:21:10.594873Z" + evt: + name: "claude_project_created" + http: + useragent: "Mozilla/5.0" + 
useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_project_created" + original_time: "2026-05-22T15:21:10.594873Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463270594 + web_resources: + - uid: "claude_proj_01EXAMPLEPROJECT00000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_project_created" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:10.594873Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_created" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463270594 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : 
"user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "filename" : "example-document.pdf", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:23:05.845058Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_document_uploaded", + "claude_project_document_id" : "claude_proj_doc_01EXAMPLEDOC0000000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_project_document_id: "claude_proj_doc_01EXAMPLEDOC0000000000" + claude_project_id: "claude_proj_01EXAMPLEPROJECT00000" + created_at: "2026-05-22T15:23:05.845058Z" + evt: + name: "claude_project_document_uploaded" + filename: "example-document.pdf" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_project_document_uploaded" + original_time: "2026-05-22T15:23:05.845058Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463385845 + web_resources: + - name: "example-document.pdf" + 
uid: "claude_proj_doc_01EXAMPLEDOC0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_project_document_uploaded" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "filename" : "example-document.pdf", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:23:05.845058Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_document_uploaded", + "claude_project_document_id" : "claude_proj_doc_01EXAMPLEDOC0000000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463385845 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "filename" : "example-file.txt", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:20:23.462825Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_file_uploaded" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_file_id: "claude_file_01EXAMPLEFILEID000000" + claude_project_id: "claude_proj_01EXAMPLEPROJECT00000" + created_at: 
"2026-05-22T15:20:23.462825Z" + evt: + name: "claude_project_file_uploaded" + filename: "example-file.txt" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_project_file_uploaded" + original_time: "2026-05-22T15:20:23.462825Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463223462 + web_resources: + - name: "example-file.txt" + uid: "claude_file_01EXAMPLEFILEID000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "claude_project_file_uploaded" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "filename" : "example-file.txt", + "claude_file_id" : "claude_file_01EXAMPLEFILEID000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:20:23.462825Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : 
"claude_project_file_uploaded" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463223462 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "preview_only" : false, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:48.506301Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_viewed" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + claude_project_id: "claude_proj_01EXAMPLEPROJECT00000" + created_at: "2026-05-22T15:21:48.506301Z" + evt: + name: "claude_project_viewed" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 2 + activity_name: "Read" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_project_viewed" + original_time: "2026-05-22T15:21:48.506301Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463308506 + 
web_resources: + - uid: "claude_proj_01EXAMPLEPROJECT00000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + preview_only: false + type: "claude_project_viewed" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "claude_project_id" : "claude_proj_01EXAMPLEPROJECT00000", + "preview_only" : false, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:48.506301Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_project_viewed" } - result: - custom: + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463308506 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "skill_name" : "example-skill-name", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:44.267747Z", + "skill_id" : "skill_01EXAMPLESKILLID00000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_skill_created" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.3883.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-22T15:21:44.267747Z" + evt: + name: "claude_skill_created" + http: + useragent: "Mozilla/5.0 Claude/1.3883.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + 
family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 1 + activity_name: "Create" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 Claude/1.3883.0" + metadata: + event_code: "claude_skill_created" + original_time: "2026-05-22T15:21:44.267747Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463304267 + web_resources: + - name: "example-skill-name" + uid: "skill_01EXAMPLESKILLID00000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + skill_id: "skill_01EXAMPLESKILLID00000000" + skill_name: "example-skill-name" + type: "claude_skill_created" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.3883.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "skill_name" : "example-skill-name", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:44.267747Z", + "skill_id" : "skill_01EXAMPLESKILLID00000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_skill_created" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463304267 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + 
"ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.7196.1" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "skill_name" : "example-skill-name", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:17.287525Z", + "skill_id" : "skill_01EXAMPLESKILLID00000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_skill_replaced" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.7196.1" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-22T15:21:17.287525Z" + evt: + name: "claude_skill_replaced" + http: + useragent: "Mozilla/5.0 Claude/1.7196.1" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 3 + activity_name: "Update" + category_name: "Application Activity" + category_uid: 6 + class_name: "Web Resources Activity" + class_uid: 6001 + http_request: + user_agent: "Mozilla/5.0 Claude/1.7196.1" + metadata: + event_code: "claude_skill_replaced" + original_time: "2026-05-22T15:21:17.287525Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + owner: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + status: "Success" + status_id: 1 + time: 1779463277287 + web_resources: + - name: "example-skill-name" + uid: "skill_01EXAMPLESKILLID00000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + skill_id: 
"skill_01EXAMPLESKILLID00000000" + skill_name: "example-skill-name" + type: "claude_skill_replaced" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.7196.1" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "skill_name" : "example-skill-name", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:17.287525Z", + "skill_id" : "skill_01EXAMPLESKILLID00000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_skill_replaced" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463277287 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "created_at" : "2026-05-22T15:21:50.371418Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_user_settings_updated", + "updates" : [ { + "previous_value" : { + "example_tool" : false + }, + "type" : "mcp_tools_enabled", + "current_value" : { + "example_tool" : true + } + } ] + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-22T15:21:50.371418Z" + evt: + name: "claude_user_settings_updated" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 99 + activity_name: "claude_user_settings_updated" actor: - type: "user_actor" 
- claude_chat_id: "claude_chat_01AxWT9aH4swoDJ8u6dShxMV" - created_at: "2026-05-05T16:04:57.150724Z" - evt: - name: "claude_chat_viewed" - http: - useragent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15" - useragent_details: - browser: - family: "Safari" - major: "17" - minor: "0" - device: - brand: "Apple" - category: "Desktop" - family: "Mac" - model: "Mac" - os: - family: "Mac OS X" - major: "10" - minor: "15" - patch: "7" - id: "activity_01R1sBnxj7yvtdZnt8DsfpRL" - network: - client: - geoip: {} - ip: "192.0.2.1" - organization_id: "org_01GuSHHxdWNCcTtk6Wr5arBM" - organization_uuid: "80cb55fa-462c-4bc0-82d6-07ebb1a6f004" - usr: - email: "user@example.com" - id: "user_01FBY4qyk7SdPxJCAd4EfPbT" - message: |- - { - "actor" : { - "email_address" : "user@example.com", - "user_id" : "user_01FBY4qyk7SdPxJCAd4EfPbT", - "ip_address" : "192.0.2.1", - "type" : "user_actor", - "user_agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15" + user: + email_addr: "user@example.com" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "claude_user_settings_updated" + original_time: "2026-05-22T15:21:50.371418Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1779463310371 + user: + email_addr: "user@example.com" + uid: "user_01EXAMPLEUSERID0000000000" + type: "claude_user_settings_updated" + updates: + - current_value: + example_tool: true + previous_value: + example_tool: false + type: "mcp_tools_enabled" + usr: + email: "user@example.com" + id: 
"user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "created_at" : "2026-05-22T15:21:50.371418Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "claude_user_settings_updated", + "updates" : [ { + "previous_value" : { + "example_tool" : false }, - "organization_id" : "org_01GuSHHxdWNCcTtk6Wr5arBM", - "organization_uuid" : "80cb55fa-462c-4bc0-82d6-07ebb1a6f004", - "created_at" : "2026-05-05T16:04:57.150724Z", - "id" : "activity_01R1sBnxj7yvtdZnt8DsfpRL", - "type" : "claude_chat_viewed", - "claude_chat_id" : "claude_chat_01AxWT9aH4swoDJ8u6dShxMV" - } - tags: - - "source:LOGS_SOURCE" - timestamp: 1777997097150 + "type" : "mcp_tools_enabled", + "current_value" : { + "example_tool" : true + } + } ] + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463310371 + - + sample: |- + { + "actor" : { + "ip_address" : "192.0.2.1", + "type" : "api_actor", + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000", + "user_agent" : "example-client/1.0" + }, + "status_code" : 200, + "created_at" : "2026-05-22T15:21:38.920308Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "request_method" : "GET", + "type" : "compliance_api_accessed", + "request_id" : "req_011CbEXAMPLEREQUEST00000", + "url" : "https://api.anthropic.com/v1/compliance/activities?" 
+ } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + api_key_id: "apikey_01EXAMPLEAPIKEY000000000" + ip_address: "192.0.2.1" + type: "api_actor" + user_agent: "example-client/1.0" + created_at: "2026-05-22T15:21:38.920308Z" + evt: + name: "compliance_api_accessed" + http: + useragent: "example-client/1.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 2 + activity_name: "Read" + actor: + app_uid: "apikey_01EXAMPLEAPIKEY000000000" + user: + type: "api_actor" + type_id: 99 + uid: "apikey_01EXAMPLEAPIKEY000000000" + api: + operation: "GET" + request: + uid: "req_011CbEXAMPLEREQUEST00000" + response: + code: 200 + category_name: "Application Activity" + category_uid: 6 + class_name: "API Activity" + class_uid: 6003 + http_request: + http_method: "GET" + uid: "req_011CbEXAMPLEREQUEST00000" + url: + url_string: "https://api.anthropic.com/v1/compliance/activities?" + user_agent: "example-client/1.0" + http_response: + code: 200 + metadata: + event_code: "compliance_api_accessed" + original_time: "2026-05-22T15:21:38.920308Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1779463298920 + request_id: "req_011CbEXAMPLEREQUEST00000" + request_method: "GET" + status_code: 200 + type: "compliance_api_accessed" + url: "https://api.anthropic.com/v1/compliance/activities?" 
+ message: |- + { + "actor" : { + "ip_address" : "192.0.2.1", + "type" : "api_actor", + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000", + "user_agent" : "example-client/1.0" + }, + "status_code" : 200, + "created_at" : "2026-05-22T15:21:38.920308Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "request_method" : "GET", + "type" : "compliance_api_accessed", + "request_id" : "req_011CbEXAMPLEREQUEST00000", + "url" : "https://api.anthropic.com/v1/compliance/activities?" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463298920 + - + sample: |- + { + "actor" : { + "admin_api_key_id" : "admin_api_key_01EXAMPLEADMIN0000", + "ip_address" : "192.0.2.1", + "type" : "admin_api_key_actor", + "user_agent" : "python-requests/2.32.5" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:07:03.419782Z", + "deleted_user_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "org_user_deleted" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + admin_api_key_id: "admin_api_key_01EXAMPLEADMIN0000" + ip_address: "192.0.2.1" + type: "admin_api_key_actor" + user_agent: "python-requests/2.32.5" + created_at: "2026-05-22T15:07:03.419782Z" + deleted_user_id: "user_01EXAMPLEUSERID0000000000" + evt: + name: "org_user_deleted" + http: + useragent: "python-requests/2.32.5" + useragent_details: + browser: + family: "Python Requests" + major: "2" + minor: "32" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 6 + activity_name: "Delete" + actor: + user: + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "Admin" + type_id: 2 + uid: "admin_api_key_01EXAMPLEADMIN0000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + 
class_uid: 3001 + http_request: + user_agent: "python-requests/2.32.5" + metadata: + event_code: "org_user_deleted" + original_time: "2026-05-22T15:07:03.419782Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1779462423419 + user: + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "org_user_deleted" + message: |- + { + "actor" : { + "admin_api_key_id" : "admin_api_key_01EXAMPLEADMIN0000", + "ip_address" : "192.0.2.1", + "type" : "admin_api_key_actor", + "user_agent" : "python-requests/2.32.5" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:07:03.419782Z", + "deleted_user_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "org_user_deleted" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779462423419 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "deleted_user_email" : "user@example.com", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-04-22T12:38:58.658822Z", + "deleted_user_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "org_user_deleted" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: 
"2026-04-22T12:38:58.658822Z" + deleted_user_email: "user@example.com" + deleted_user_id: "user_01EXAMPLEUSERID0000000000" + evt: + name: "org_user_deleted" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 6 + activity_name: "Delete" + actor: + user: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "org_user_deleted" + original_time: "2026-04-22T12:38:58.658822Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1776861538658 + user: + email_addr: "user@example.com" + name: "user@example.com" + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "org_user_deleted" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "deleted_user_email" : "user@example.com", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-04-22T12:38:58.658822Z", + "deleted_user_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : 
"org_user_deleted" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1776861538658 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "invite_id" : "invite_01EXAMPLEINVITE0000000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-15T15:22:37.490878Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "org_user_invite_accepted" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-15T15:22:37.490878Z" + evt: + name: "org_user_invite_accepted" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + invite_id: "invite_01EXAMPLEINVITE0000000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 1 + activity_name: "Create" + actor: + user: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "org_user_invite_accepted" + original_time: "2026-05-15T15:22:37.490878Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1778858557490 + user: + email_addr: "user@example.com" + 
uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "org_user_invite_accepted" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "invite_id" : "invite_01EXAMPLEINVITE0000000000", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-15T15:22:37.490878Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "org_user_invite_accepted" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1778858557490 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "invited_role" : "owner", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-15T15:22:11.738584Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "invited_email" : "invitee@example.com", + "type" : "org_user_invite_sent" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-15T15:22:11.738584Z" + evt: + name: "org_user_invite_sent" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + invited_email: "invitee@example.com" + invited_role: "owner" + network: + client: + geoip: {} + 
ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + actor: + user: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "org_user_invite_sent" + original_time: "2026-05-15T15:22:11.738584Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + status: "Success" + status_id: 1 + time: 1778858531738 + user: + email_addr: "invitee@example.com" + name: "invitee@example.com" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "org_user_invite_sent" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "invited_role" : "owner", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-15T15:22:11.738584Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "invited_email" : "invitee@example.com", + "type" : "org_user_invite_sent" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1778858531738 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + 
"created_at" : "2026-05-22T15:21:23.115384Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "platform_api_key_created", + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + api_key_id: "apikey_01EXAMPLEAPIKEY000000000" + created_at: "2026-05-22T15:21:23.115384Z" + evt: + name: "platform_api_key_created" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Create" + actor: + user: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "platform_api_key_created" + original_time: "2026-05-22T15:21:23.115384Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + status: "Success" + status_id: 1 + time: 1779463283115 + user: + email_addr: "user@example.com" + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "platform_api_key_created" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + 
"user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:21:23.115384Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "platform_api_key_created", + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463283115 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:23:11.707169Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "platform_api_key_updated", + "updates" : [ { + "previous_value" : "active", + "type" : "status", + "current_value" : "archived" + } ], + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + api_key_id: "apikey_01EXAMPLEAPIKEY000000000" + created_at: "2026-05-22T15:23:11.707169Z" + evt: + name: "platform_api_key_updated" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 5 + activity_name: "Disable" + actor: + user: + email_addr: "user@example.com" + org: + uid: "org_01EXAMPLEORGID00000000000" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Account Change" + class_uid: 3001 + 
http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "platform_api_key_updated" + original_time: "2026-05-22T15:23:11.707169Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + status: "Success" + status_id: 1 + time: 1779463391707 + user: + email_addr: "user@example.com" + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + type: "platform_api_key_updated" + updates: + - current_value: "archived" + previous_value: "active" + type: "status" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "created_at" : "2026-05-22T15:23:11.707169Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "platform_api_key_updated", + "updates" : [ { + "previous_value" : "active", + "type" : "status", + "current_value" : "archived" + } ], + "api_key_id" : "apikey_01EXAMPLEAPIKEY000000000" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463391707 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "role" : "chat_project:owner", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "resource_type" : "chat_project", + "target_type" : "organization_member", + "created_at" : "2026-05-22T15:21:10.596119Z", + 
"resource_id" : "claude_proj_01EXAMPLEPROJECT00000", + "target_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "role_assignment_granted" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "2001:db8::1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-22T15:21:10.596119Z" + evt: + name: "role_assignment_granted" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "2001:db8::1" + ocsf: + activity_id: 1 + activity_name: "Assign Privileges" + actor: + user: + email_addr: "user@example.com" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "User Access Management" + class_uid: 3005 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "role_assignment_granted" + original_time: "2026-05-22T15:21:10.596119Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + privileges: + - "chat_project:owner" + resources: + - type: "chat_project" + uid: "claude_proj_01EXAMPLEPROJECT00000" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "2001:db8::1" + status: "Success" + status_id: 1 + time: 1779463270596 + user: + org: + uid: "org_01EXAMPLEORGID00000000000" + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + resource_id: "claude_proj_01EXAMPLEPROJECT00000" + resource_type: "chat_project" + role: "chat_project:owner" + target_id: "user_01EXAMPLEUSERID0000000000" + target_type: "organization_member" + type: 
"role_assignment_granted" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "2001:db8::1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "role" : "chat_project:owner", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "resource_type" : "chat_project", + "target_type" : "organization_member", + "created_at" : "2026-05-22T15:21:10.596119Z", + "resource_id" : "claude_proj_01EXAMPLEPROJECT00000", + "target_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "role_assignment_granted" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463270596 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.6259.0" + }, + "role" : "skill:viewer", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "resource_type" : "skill", + "target_type" : "organization_member", + "created_at" : "2026-05-21T20:47:11.194821Z", + "resource_id" : "skill_01EXAMPLESKILLID00000000", + "target_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "role_assignment_revoked" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0 Claude/1.6259.0" + user_id: "user_01EXAMPLEUSERID0000000000" + created_at: "2026-05-21T20:47:11.194821Z" + evt: + name: "role_assignment_revoked" + http: + useragent: "Mozilla/5.0 Claude/1.6259.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" 
+ family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 2 + activity_name: "Revoke Privileges" + actor: + user: + email_addr: "user@example.com" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "User Access Management" + class_uid: 3005 + http_request: + user_agent: "Mozilla/5.0 Claude/1.6259.0" + metadata: + event_code: "role_assignment_revoked" + original_time: "2026-05-21T20:47:11.194821Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + privileges: + - "skill:viewer" + resources: + - type: "skill" + uid: "skill_01EXAMPLESKILLID00000000" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Success" + status_id: 1 + time: 1779396431194 + user: + org: + uid: "org_01EXAMPLEORGID00000000000" + uid: "user_01EXAMPLEUSERID0000000000" + organization_id: "org_01EXAMPLEORGID00000000000" + organization_uuid: "00000000-0000-0000-0000-000000000000" + resource_id: "skill_01EXAMPLESKILLID00000000" + resource_type: "skill" + role: "skill:viewer" + target_id: "user_01EXAMPLEUSERID0000000000" + target_type: "organization_member" + type: "role_assignment_revoked" + usr: + email: "user@example.com" + id: "user_01EXAMPLEUSERID0000000000" + message: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0 Claude/1.6259.0" + }, + "role" : "skill:viewer", + "organization_id" : "org_01EXAMPLEORGID00000000000", + "organization_uuid" : "00000000-0000-0000-0000-000000000000", + "resource_type" : "skill", + "target_type" : "organization_member", + "created_at" : "2026-05-21T20:47:11.194821Z", + "resource_id" : "skill_01EXAMPLESKILLID00000000", + 
"target_id" : "user_01EXAMPLEUSERID0000000000", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "role_assignment_revoked" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779396431194 + - + sample: |- + { + "actor" : { + "unauthenticated_email_address" : "user@example.com", + "ip_address" : "192.0.2.1", + "type" : "unauthenticated_user_actor", + "user_agent" : "Mozilla/5.0" + }, + "created_at" : "2026-05-22T15:19:09.946100Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "sso_login_initiated" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + ip_address: "192.0.2.1" + type: "unauthenticated_user_actor" + unauthenticated_email_address: "user@example.com" + user_agent: "Mozilla/5.0" + created_at: "2026-05-22T15:19:09.946100Z" + evt: + name: "sso_login_initiated" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 1 + activity_name: "Logon" + actor: + user: + email_addr: "user@example.com" + name: "user@example.com" + type: "unauthenticated_user_actor" + type_id: 99 + auth_protocol: "SAML" + auth_protocol_id: 5 + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Authentication" + class_uid: 3002 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "sso_login_initiated" + original_time: "2026-05-22T15:19:09.946100Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + service: + name: "Claude" + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "192.0.2.1" + status: "Unknown" + status_id: 0 + time: 1779463149946 + user: + email_addr: "user@example.com" + name: "user@example.com" + type: "sso_login_initiated" + message: |- + { + "actor" : { + 
"unauthenticated_email_address" : "user@example.com", + "ip_address" : "192.0.2.1", + "type" : "unauthenticated_user_actor", + "user_agent" : "Mozilla/5.0" + }, + "created_at" : "2026-05-22T15:19:09.946100Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "sso_login_initiated" + } + tags: + - "source:LOGS_SOURCE" + - "source:LOGS_SOURCE" + timestamp: 1779463149946 + - + sample: |- + { + "actor" : { + "email_address" : "user@example.com", + "user_id" : "user_01EXAMPLEUSERID0000000000", + "ip_address" : "192.0.2.1", + "type" : "user_actor", + "user_agent" : "Mozilla/5.0" + }, + "auth_method" : "sso", + "created_at" : "2026-05-22T15:19:14.445010Z", + "id" : "activity_01EXAMPLEACTIVITY0000000", + "type" : "sso_login_succeeded" + } + tags: + - "source:LOGS_SOURCE" + result: + custom: + actor: + email_address: "user@example.com" + ip_address: "192.0.2.1" + type: "user_actor" + user_agent: "Mozilla/5.0" + user_id: "user_01EXAMPLEUSERID0000000000" + auth_method: "sso" + created_at: "2026-05-22T15:19:14.445010Z" + evt: + name: "sso_login_succeeded" + http: + useragent: "Mozilla/5.0" + useragent_details: + browser: + family: "Other" + device: + category: "Other" + family: "Other" + os: + family: "Other" + id: "activity_01EXAMPLEACTIVITY0000000" + network: + client: + geoip: {} + ip: "192.0.2.1" + ocsf: + activity_id: 1 + activity_name: "Logon" + actor: + user: + email_addr: "user@example.com" + name: "user@example.com" + type: "User" + type_id: 1 + uid: "user_01EXAMPLEUSERID0000000000" + auth_protocol: "SAML" + auth_protocol_id: 5 + category_name: "Identity & Access Management" + category_uid: 3 + class_name: "Authentication" + class_uid: 3002 + http_request: + user_agent: "Mozilla/5.0" + metadata: + event_code: "sso_login_succeeded" + original_time: "2026-05-22T15:19:14.445010Z" + product: + name: "Claude" + vendor_name: "Anthropic" + uid: "activity_01EXAMPLEACTIVITY0000000" + version: "1.5.0" + service: + name: "Claude" + severity: "Informational" + severity_id: 
1
+ src_endpoint:
+ ip: "192.0.2.1"
+ status: "Success"
+ status_id: 1
+ time: 1779463154445
+ user:
+ email_addr: "user@example.com"
+ name: "user@example.com"
+ uid: "user_01EXAMPLEUSERID0000000000"
+ type: "sso_login_succeeded"
+ usr:
+ email: "user@example.com"
+ id: "user_01EXAMPLEUSERID0000000000"
+ message: |-
+ {
+ "actor" : {
+ "email_address" : "user@example.com",
+ "user_id" : "user_01EXAMPLEUSERID0000000000",
+ "ip_address" : "192.0.2.1",
+ "type" : "user_actor",
+ "user_agent" : "Mozilla/5.0"
+ },
+ "auth_method" : "sso",
+ "created_at" : "2026-05-22T15:19:14.445010Z",
+ "id" : "activity_01EXAMPLEACTIVITY0000000",
+ "type" : "sso_login_succeeded"
+ }
+ tags:
+ - "source:LOGS_SOURCE"
+ - "source:LOGS_SOURCE"
+ timestamp: 1779463154445
diff --git a/azure_active_directory/assets/logs/azure.activedirectory.yaml b/azure_active_directory/assets/logs/azure.activedirectory.yaml
index e8050796da873..c39db0e784b51 100644
--- a/azure_active_directory/assets/logs/azure.activedirectory.yaml
+++ b/azure_active_directory/assets/logs/azure.activedirectory.yaml
@@ -83,6 +83,11 @@ facets:
 name: Client IP
 path: network.client.ip
 source: log
+ - groups:
+ - Web Access
+ name: Client Port
+ path: network.client.port
+ source: log
 - groups:
 - User
 name: User Email
@@ -200,6 +205,13 @@ facets:
 name: Source IP Address
 path: ocsf.src_endpoint.ip
 source: log
+ - facetType: range
+ groups:
+ - OCSF
+ name: Src Endpoint Port
+ path: ocsf.src_endpoint.port
+ source: log
+ type: integer
 - groups:
 - OCSF
 name: Event Code
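Review bot: The new `Client Port` facet on `network.client.port` declares no `type`, while the sibling `Src Endpoint Port` facet on `ocsf.src_endpoint.port` added in the `@@ -200` hunk is declared `facetType: range` and `type: integer`. The pipeline remaps `network.client.port` with `targetFormat: integer` in the `@@ -281` hunk, so the facet presumably wants the same two lines, `facetType: range` and `type: integer`, to be queryable as a numeric range like its OCSF counterpart. This is inferred from the sibling facet; confirm the facet schema before adding them.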
@@ -281,6 +293,29 @@ pipeline:
 overrideOnConflict: false
 sourceType: attribute
 targetType: attribute
+ - type: grok-parser
+ name: Parse `network.client.ip` to `network.client.ip`, `network.client.port`
+ enabled: true
+ source: network.client.ip
+ grok:
+ supportRules: |
+ matchRules: |
+ ipv4_rule %{ipv4:network.client.ip}(:%{port:network.client.port})?
+ ipv6_rule \[?%{ipv6:network.client.ip}\]?(:%{port:network.client.port})?
+ samples:
+ - 15.113.255.209
+ - 15.113.255.209:21341
+ - type: attribute-remapper
+ name: Map `network.client.port` to `network.client.port`
+ enabled: true
+ sources:
+ - network.client.port
+ sourceType: attribute
+ target: network.client.port
+ targetType: attribute
+ targetFormat: integer
+ preserveSource: false
+ overrideOnConflict: false
 - type: arithmetic-processor
 name: Compute duration in nanoseconds from durationMs in miliseconds
 enabled: true
@@ -548,6 +583,18 @@ pipeline:
 targetType: attribute
 preserveSource: true
 overrideOnConflict: false
+ - type: grok-parser
+ name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+ enabled: true
+ source: ocsf.src_endpoint.ip
+ grok:
+ supportRules: |
+ matchRules: |
+ ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+ ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+ samples:
+ - 15.113.255.209
+ - 15.113.255.209:21341
 - type: attribute-remapper
 name: Map `properties.resultReason` to `ocsf.status_code`
 enabled: true
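Review bot: The `ipv6_rule` added to the `network.client.ip` grok-parser makes the brackets optional, so an unbracketed IPv6 address ending in `::<digits>` (for example `2001:db8::1`) may be split with its last group captured as `network.client.port`, depending on how `%{ipv6}` backtracks; the same rule is repeated for `ocsf.src_endpoint.ip` in the `@@ -548` hunk below and in the `@@ -1019` and `@@ -1877` hunks of the same file. Accepting a port only when the address is bracketed removes the ambiguity: `ipv6_port_rule \[%{ipv6:network.client.ip}\]:%{port:network.client.port}` followed by a plain `ipv6_rule %{ipv6:network.client.ip}`. The `samples` also use a routable public address (`15.113.255.209`) and cover only IPv4; a documentation-range value such as `192.0.2.1:443` plus a bracketed IPv6 sample would exercise both rules without pointing at a real host.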
@@ -1019,6 +1066,18 @@ pipeline:
 targetType: attribute
 preserveSource: true
 overrideOnConflict: false
+ - type: grok-parser
+ name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+ enabled: true
+ source: ocsf.src_endpoint.ip
+ grok:
+ supportRules: |
+ matchRules: |
+ ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+ ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+ samples:
+ - 15.113.255.209
+ - 15.113.255.209:21341
 - type: attribute-remapper
 name: Map `properties.deviceDetail.operatingSystem` to `ocsf.src_endpoint.os.name`
 enabled: true
@@ -1877,6 +1936,18 @@ pipeline:
 targetType: attribute
 preserveSource: true
 overrideOnConflict: false
+ - type: grok-parser
+ name: Parse `ocsf.src_endpoint.ip` to `ocsf.src_endpoint.ip`, `ocsf.src_endpoint.port`
+ enabled: true
+ source: ocsf.src_endpoint.ip
+ grok:
+ supportRules: |
+ matchRules: |
+ ipv4_rule %{ipv4:ocsf.src_endpoint.ip}(:%{port:ocsf.src_endpoint.port})?
+ ipv6_rule \[?%{ipv6:ocsf.src_endpoint.ip}\]?(:%{port:ocsf.src_endpoint.port})?
+ samples:
+ - 15.113.255.209
+ - 15.113.255.209:21341
 - type: string-builder-processor
 name: Add dst_endpoint.hostname
 enabled: true
@@ -2194,6 +2265,16 @@ pipeline:
 targetType: attribute
 preserveSource: false
 overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `ocsf.src_endpoint.port` to `network.client.port`
+ enabled: true
+ sources:
+ - ocsf.src_endpoint.port
+ sourceType: attribute
+ target: callerIpAddress
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
 - type: pipeline
 name: OCSF post transformations
 enabled: true
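Review bot: The attribute-remapper added in the `@@ -2194` hunk is named "Map `ocsf.src_endpoint.port` to `network.client.port`" but has `target: callerIpAddress` with `preserveSource: false`, so wherever it runs it would overwrite the raw caller address with a bare port number and drop `ocsf.src_endpoint.port` before the OCSF post-transformation pipeline converts it to an integer. The test expectations in the `_tests.yaml` hunks keep `callerIpAddress` as `ip:port` and expect `ocsf.src_endpoint.port: 43210`, which suggests the target is a typo for `network.client.port` (or that this processor is never reached for that sample); `target: network.client.port` would match the processor name. The enclosing sub-pipeline starts outside the hunk, so I cannot see which events it filters on.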
@@ -2296,3 +2377,14 @@ pipeline:
 targetFormat: integer
 preserveSource: false
 overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `ocsf.src_endpoint.port` to `ocsf.src_endpoint.port`
+ enabled: true
+ sources:
+ - ocsf.src_endpoint.port
+ sourceType: attribute
+ target: ocsf.src_endpoint.port
+ targetType: attribute
+ targetFormat: integer
+ preserveSource: false
+ overrideOnConflict: false
diff --git a/azure_active_directory/assets/logs/azure.activedirectory_tests.yaml b/azure_active_directory/assets/logs/azure.activedirectory_tests.yaml
index 64cebba79dbcd..5d8e13a038638 100644
--- a/azure_active_directory/assets/logs/azure.activedirectory_tests.yaml
+++ b/azure_active_directory/assets/logs/azure.activedirectory_tests.yaml
@@ -328,7 +328,7 @@ tests:
 "tenantId": "4d3bac44-0230-4732-9e70-cc00736f0a97",
 "resultSignature": "None",
 "durationMs": 0,
- "callerIpAddress": "192.182.149.21",
+ "callerIpAddress": "192.182.149.21:43210",
 "correlationId": "a13bd0fa-70d0-4e60-ae23-b687377b4695",
 "Level": 4,
 "properties": {
@@ -353,7 +353,7 @@ tests:
 "id": "018af091-5465-4aed-9d6f-8c40981b2375",
 "displayName": null,
 "userPrincipalName": "test.test@datadoghq.com",
- "ipAddress": "192.182.149.21",
+ "ipAddress": "192.182.149.21:43210",
 "roles": []
 }
 },
@@ -384,7 +384,7 @@ tests:
 result:
 custom:
 Level: 4
- callerIpAddress: "192.182.149.21"
+ callerIpAddress: "192.182.149.21:43210"
 category: "AuditLogs"
 correlationId: "a13bd0fa-70d0-4e60-ae23-b687377b4695"
 duration: 0.0
@@ -397,6 +397,7 @@ tests:
 client:
 geoip: {}
 ip: "192.182.149.21"
+ port: 43210
 ocsf:
 activity_id: 6
 activity_name: "Delete"
@@ -427,6 +428,7 @@ tests:
 severity_id: 1
 src_endpoint:
 ip: "192.182.149.21"
+ port: 43210
 status: "Success"
 status_code: ""
 status_id: 1
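Review bot: The only sample changed in the `_tests.yaml` hunks carries an IPv4 `ip:port` value, so neither the bracketed-IPv6 branch of the new grok rules nor a `callerIpAddress` without a port is exercised; a second sample with `[2001:db8::1]:43210` and one with a bare `192.0.2.1` would pin both paths, including that `network.client.port` is simply absent when no port is present. The expected `port: 43210` values in the `@@ -397` and `@@ -427` hunks are consistent with the integer remappers, assuming the grok capture is emitted as a string first; that is inferred from the `targetFormat: integer` remap rather than visible here.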
@@ -453,7 +455,7 @@ tests:
 initiatedBy:
 user:
 id: "018af091-5465-4aed-9d6f-8c40981b2375"
- ipAddress: "192.182.149.21"
+ ipAddress: "192.182.149.21:43210"
 userPrincipalName: "test.test@datadoghq.com"
 loggedByService: "Core Directory"
 operationName: "Delete user"
@@ -481,7 +483,7 @@ tests:
 name: "test.test@datadoghq.com"
 message: |-
 {
- "callerIpAddress" : "192.182.149.21",
+ "callerIpAddress" : "192.182.149.21:43210",
 "resourceId" : "/tenants/4d3bac44-0230-4732-9e70-cc00736f0a97/providers/Microsoft.aadiam",
 "operationVersion" : "1.0",
 "tenantId" : "4d3bac44-0230-4732-9e70-cc00736f0a97",
@@ -522,7 +524,7 @@ tests:
 "resultType" : "",
 "initiatedBy" : {
 "user" : {
- "ipAddress" : "192.182.149.21",
+ "ipAddress" : "192.182.149.21:43210",
 "id" : "018af091-5465-4aed-9d6f-8c40981b2375",
 "userPrincipalName" : "test.test@datadoghq.com"
 }
diff --git a/sqlserver/changelog.d/23862.fixed b/sqlserver/changelog.d/23862.fixed
new file mode 100644
index 0000000000000..816b836c62be4
--- /dev/null
+++ b/sqlserver/changelog.d/23862.fixed
@@ -0,0 +1 @@
+Restore agent hostname instrumentation for SQL Server named instance host configurations.
\ No newline at end of file
diff --git a/sqlserver/datadog_checks/sqlserver/sqlserver.py b/sqlserver/datadog_checks/sqlserver/sqlserver.py
index 3953b8f1bd3fb..8d15b54580c5d 100644
--- a/sqlserver/datadog_checks/sqlserver/sqlserver.py
+++ b/sqlserver/datadog_checks/sqlserver/sqlserver.py
@@ -328,6 +328,9 @@ def port(self):
 return self.host_and_port[1]
 
 def resolve_db_host(self):
+ if "\\" in self.host:
+ # SQL Server instance names are not resolvable, this preserves original fallback behavior prior to v7.79.0
+ return datadog_agent.get_hostname()
 return agent_host_resolver(self.host)
 
 @property
diff --git a/sqlserver/tests/test_unit.py b/sqlserver/tests/test_unit.py
index 21e43ecd686aa..99b2d7790826a 100644
--- a/sqlserver/tests/test_unit.py
+++ b/sqlserver/tests/test_unit.py
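Review bot: The new branch in `resolve_db_host` returns the Agent's own hostname for every `host\instance` value, which is only accurate when the Agent runs on the SQL Server host; for a remotely monitored named instance the database is attributed to the collector, even though the server part before the backslash would still have been resolvable. If the goal is strictly to restore the pre-7.79.0 fallback this is acceptable, but the comment should state that assumption, e.g. `# Named instance (host\instance): skip resolution and attribute to the Agent host, as before v7.79.0`, or consider `return agent_host_resolver(self.host.split("\\", 1)[0])` so a remote server name is still resolved. The hunk also relies on `datadog_agent` being imported in this module; that import is outside the hunk, so I cannot confirm it from here.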
@@ -11,6 +11,7 @@
 import mock
 import pytest
 
+from datadog_checks.base.stubs.datadog_agent import datadog_agent
 from datadog_checks.dev import EnvVars
 from datadog_checks.sqlserver import SQLServer
 from datadog_checks.sqlserver.connection import split_sqlserver_host_port
@@ -908,6 +909,71 @@ def test_split_sqlserver_host(instance_host, split_host, split_port):
 assert (s_host, s_port) == (split_host, split_port)
 
 
+AGENT_HOSTNAME = 'sql-agent-host.example.com'
+
+
+@pytest.fixture
+def agent_hostname_for_resolve_db_host():
+ datadog_agent.set_hostname(AGENT_HOSTNAME)
+ yield
+ datadog_agent.reset_hostname()
+
+
+@pytest.mark.parametrize(
+ 'instance_host,host_part',
+ [
+ (r'SQL-HOST01\INSTANCE01,1601', r'SQL-HOST01\INSTANCE01'),
+ (r'MY-SERVER\SQLEXPRESS,1433', r'MY-SERVER\SQLEXPRESS'),
+ (r'MY-SERVER\SQLEXPRESS', r'MY-SERVER\SQLEXPRESS'),
+ ],
+)
+def test_resolve_db_host_named_instance_returns_agent_hostname(
+ agent_hostname_for_resolve_db_host, instance_host, host_part
+):
+ instance = {
+ 'host': instance_host,
+ 'username': 'datadog',
+ 'password': 'secret',
+ }
+ check = SQLServer(CHECK_NAME, {}, [instance])
+ assert check.host == host_part
+
+ # Agent 7.79+ base resolver returns the literal host string for unresolvable names.
+ with mock.patch(
+ 'datadog_checks.sqlserver.sqlserver.agent_host_resolver',
+ return_value=host_part,
+ ):
+ assert check.resolve_db_host() == AGENT_HOSTNAME
+ assert check.resolved_hostname == AGENT_HOSTNAME
+ assert check.database_hostname == AGENT_HOSTNAME
+
+
+@pytest.mark.parametrize(
+ 'instance_host,host_part,base_resolver_return',
+ [
+ ('db.example.com,1433', 'db.example.com', 'resolved-db.example.com'),
+ ('192.0.2.10,1433', '192.0.2.10', '192.0.2.10'),
+ ],
+)
+def test_resolve_db_host_plain_host_delegates_to_base_resolver(
+ agent_hostname_for_resolve_db_host, instance_host, host_part, base_resolver_return
+):
+ instance = {
+ 'host': instance_host,
+ 'username': 'datadog',
+ 'password': 'secret',
+ }
+ check = SQLServer(CHECK_NAME, {}, [instance])
+ assert check.host == host_part
+
+ with mock.patch(
+ 'datadog_checks.sqlserver.sqlserver.agent_host_resolver',
+ return_value=base_resolver_return,
+ ) as mock_resolver:
+ assert check.resolve_db_host() == base_resolver_return
+ 
mock_resolver.assert_called_once_with(host_part)
+
+
+@pytest.mark.parametrize(
+ "query,expected_comments,is_proc,expected_name",
+ [
diff --git a/traefik_mesh/assets/dashboards/traefik_mesh_overview.json b/traefik_mesh/assets/dashboards/traefik_mesh_overview.json
index f621603991fc8..55708c1c9afe1 100644
--- a/traefik_mesh/assets/dashboards/traefik_mesh_overview.json
+++ b/traefik_mesh/assets/dashboards/traefik_mesh_overview.json
@@ -584,17 +584,17 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.router.requests.count{$host,$service,$router,code:2*} by {code,router,service}.as_count()"
+ "query": "sum:traefik_mesh.router.requests.count{$host,$traefik_service,$router,code:2*} by {code,router,traefik_service}.as_count()"
 },
 {
 "data_source": "metrics",
 "name": "query2",
- "query": "sum:traefik_mesh.router.requests.count{$host AND $service AND $router AND code:4* OR code:5*} by {code,router,service}.as_count()"
+ "query": "sum:traefik_mesh.router.requests.count{$host AND $traefik_service AND $router AND code:4* OR code:5*} by {code,router,traefik_service}.as_count()"
 },
 {
 "data_source": "metrics",
 "name": "query3",
- "query": "sum:traefik_mesh.router.requests.count{$host,$service,$routercode:3*} by {code,router,service}.as_count()"
+ "query": "sum:traefik_mesh.router.requests.count{$host,$traefik_service,$router,code:3*} by {code,router,traefik_service}.as_count()"
 }
 ],
 "response_format": "timeseries",
@@ -633,7 +633,7 @@
 {
 "name": "query1",
 "data_source": "metrics",
- "query": "sum:traefik_mesh.router.requests.count{$router, $endpoint} by {protocol,service}",
+ "query": "sum:traefik_mesh.router.requests.count{$router, $endpoint} by {protocol,traefik_service}",
 "aggregator": "sum"
 }
 ],
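Review bot: In the rewritten `query2` of the `@@ -584` hunk the filter `$host AND $traefik_service AND $router AND code:4* OR code:5*` is left unparenthesised, so if AND binds tighter than OR in the query language the 5xx term is counted across every host, service and router instead of the selected ones; `query2` in the `@@ -900` hunk has the same shape. Grouping the status codes, `{$host AND $traefik_service AND $router AND (code:4* OR code:5*)}`, keeps the error series scoped the same way as the 2xx and 3xx queries beside it. The `$routercode:3*` repair in `query3` looks right.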
@@ -694,7 +694,7 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.router.responses.bytes.count{$service, $router, $host} by {service,router,host,protocol}"
+ "query": "sum:traefik_mesh.router.responses.bytes.count{$traefik_service, $router, $host} by {traefik_service,router,host,protocol}"
 }
 ],
 "response_format": "timeseries",
@@ -900,17 +900,17 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.service.requests.count{$host,$service,$endpoint,code:2*} by {protocol,code,method}.as_count()"
+ "query": "sum:traefik_mesh.service.requests.count{$host,$traefik_service,$endpoint,code:2*} by {protocol,code,method}.as_count()"
 },
 {
 "data_source": "metrics",
 "name": "query2",
- "query": "sum:traefik_mesh.service.requests.count{$host AND $service AND $endpoint AND code:4* OR code:5*} by {protocol,code,method}.as_count()"
+ "query": "sum:traefik_mesh.service.requests.count{$host AND $traefik_service AND $endpoint AND code:4* OR code:5*} by {protocol,code,method}.as_count()"
 },
 {
 "data_source": "metrics",
 "name": "query3",
- "query": "sum:traefik_mesh.service.requests.count{$host,$service ,$endpoint,code:3*} by {protocol,code,method}.as_count()"
+ "query": "sum:traefik_mesh.service.requests.count{$host,$traefik_service,$endpoint,code:3*} by {protocol,code,method}.as_count()"
 }
 ],
 "response_format": "timeseries",
@@ -948,7 +948,7 @@
 {
 "name": "query1",
 "data_source": "metrics",
- "query": "avg:traefik_mesh.service.requests.count{$host} by {protocol,service,router}",
+ "query": "avg:traefik_mesh.service.requests.count{$host} by {protocol,traefik_service,router}",
 "aggregator": "sum"
 }
 ],
@@ -1009,7 +1009,7 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.service.responses.bytes.count{$host, $service, $endpoint} by {host,service,endpoint}"
+ "query": "sum:traefik_mesh.service.responses.bytes.count{$host, $traefik_service, $endpoint} by {host,traefik_service,endpoint}"
 }
 ],
 "response_format": "timeseries",
@@ -1058,7 +1058,7 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.service.server.up{$host, $service, $endpoint} by {service}"
+ "query": "sum:traefik_mesh.service.server.up{$host, $traefik_service, $endpoint} by {traefik_service}"
 }
 ],
 "response_format": "timeseries",
@@ -1098,7 +1098,7 @@
 {
 "data_source": "metrics",
 "name": "query1",
- "query": "sum:traefik_mesh.service.request.duration.seconds.sum{$host, $service, $endpoint} by {service,endpoint}"
+ "query": "sum:traefik_mesh.service.request.duration.seconds.sum{$host, $traefik_service, $endpoint} by {traefik_service,endpoint}"
 }
 ],
 "response_format": "timeseries",
@@ -1452,8 +1452,8 @@
 "default": "*"
 },
 {
- "name": "service",
- "prefix": "service",
+ "name": "traefik_service",
+ "prefix": "traefik_service",
 "available_values": [],
 "default": "*"
 },
@@ -1485,4 +1485,4 @@
 "layout_type": "ordered",
 "notify_list": [],
 "reflow_type": "fixed"
-}
\ No newline at end of file
+}