Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

JSON representation 
{
  "type": enum (AuthType),
  "mechanism": [
    enum (Mechanism)
  ],
  "auth_details": string
}
Fields
type

enum (AuthType)

The type of authentication.
mechanism[]

enum (Mechanism)

The authentication mechanism.
auth_details

string

The vendor defined details of the authentication.