Threat Analytics Log
This section describes the Kron PAM Threat Analytics log. The packets are sent to the server in the following format:

dbid: Database identifier for the threat log entry.
accessprotocol: Protocol used to access the system (e.g., SSHv2).
accessprotocolscore: Anomaly score associated with the access protocol.
commandlogid: Unique identifier of the associated command log.
logtime: Timestamp when the log was recorded (ISO 8601 format).
clientip: IP address of the client initiating the session.
clientipscore: Anomaly score related to the client IP address.
host: IP address of the host being accessed.
hostscore: Anomaly score related to the host IP.
threattype: Type of detected threat (e.g., host anomaly).
sessionid: Unique session identifier for the user session.
severity: Severity level of the detected threat (e.g., low).
rulename: Name of the rule triggered during the threat analysis.
username: Username of the person executing the session.
userscore: Anomaly score associated with the user.
actiondetail: Description of the action taken as a result of the analysis (e.g., logged only).
commandscore: Anomaly score related to the executed command(s).
firstresult: Score from the first anomaly detection result.
maxresult: Maximum score among all results.
totalscore: Combined anomaly score calculated for the session.
timescore: Anomaly score based on access-time behavior.

Example:

CEF:0|Krontech|Kron PAM|3.8.0|100|ThreatAnalyticsLog|10|dbid=2108456 accessprotocol=SSHv2 accessprotocolscore=0.0 commandlogid=2108392 logtime=2025-04-25T14:41:04.164Z clientip=10.10.10.10 clientipscore=0.030858738 host=10.10.20.20 hostscore=0.0 threattype=host anomaly sessionid=4894b3738fbd0cf86958fe38 severity=low rulename=low username=admin userscore=0.0 actiondetail=anomaly is logged\nno action commandscore=0.025566567 firstresult=0 maxresult=0 totalscore=0.10262209 timescore=0.45668516
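The following parser is an added example for readers who need to ingest this log into a SIEM or a detection pipeline; it is not Kron PAM code and not part of the original page. It splits the CEF header on unescaped pipes, splits the extension at the spaces that precede the next key= token (so values with embedded spaces such as "host anomaly" survive), resolves CEF escapes such as the \n in actiondetail, and exposes the score fields as floats so a threshold can be applied. The sample line is reconstructed from the example on the page; the capitalisation of the header values (Krontech, Kron PAM, ThreatAnalyticsLog) and the lowercase extension key names follow the page and are assumptions about the exact on-the-wire spelling. The function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample line, reconstructed from the example on the page
# (not captured from a live system).
SAMPLE_LINE = (
    "CEF:0|Krontech|Kron PAM|3.8.0|100|ThreatAnalyticsLog|10|"
    "dbid=2108456 accessprotocol=SSHv2 accessprotocolscore=0.0 commandlogid=2108392 "
    "logtime=2025-04-25T14:41:04.164Z clientip=10.10.10.10 clientipscore=0.030858738 "
    "host=10.10.20.20 hostscore=0.0 threattype=host anomaly "
    "sessionid=4894b3738fbd0cf86958fe38 severity=low rulename=low username=admin "
    "userscore=0.0 actiondetail=anomaly is logged\\nno action commandscore=0.025566567 "
    "firstresult=0 maxresult=0 totalscore=0.10262209 timescore=0.45668516"
)

# Extension keys the page documents as numeric anomaly scores.
SCORE_KEYS = (
    "accessprotocolscore", "clientipscore", "hostscore", "userscore",
    "commandscore", "firstresult", "maxresult", "totalscore", "timescore",
)

# CEF escape sequences: backslash-escaped pipe, equals and backslash,
# plus \n and \r standing in for line breaks inside a value.
_ESCAPES = {"n": "\n", "r": "\r", "=": "=", "|": "|", "\\": "\\"}


def unescape(value: str) -> str:
    """Resolve CEF escape sequences; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


@dataclass
class ThreatAnalyticsRecord:
    cef_version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict  # raw extension key -> unescaped string value

    def scores(self) -> dict:
        """Numeric view of the anomaly-score fields present in the extension."""
        return {k: float(self.extension[k]) for k in SCORE_KEYS if k in self.extension}


def parse_cef(line: str) -> ThreatAnalyticsRecord:
    """Split a CEF line into its seven header fields and the key=value extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-delimited; an escaped pipe (\|) inside a field
    # is part of the value, not a delimiter.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields before the extension")
    header = [unescape(p) for p in parts[:7]]
    # Extension values may contain spaces ("host anomaly"), so split only at a
    # space that is immediately followed by the next key= token, then split each
    # pair on its first '=' (a literal '=' inside a value is escaped as \=).
    extension = {}
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", parts[7]):
        key, _, raw = pair.partition("=")
        extension[key] = unescape(raw)
    return ThreatAnalyticsRecord(header[0][len("CEF:"):], *header[1:], extension)


def scores_at_or_above(record: ThreatAnalyticsRecord, threshold: float) -> list:
    """Names of the score fields meeting the threshold, for routing to a reviewer."""
    return sorted(k for k, v in record.scores().items() if v >= threshold)


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_LINE)
    print(rec.vendor, rec.product, rec.name, "severity", rec.severity)
    print("session", rec.extension["sessionid"], "user", rec.extension["username"])
    print("scores at or above 0.4:", scores_at_or_above(rec, 0.4))
```

The threshold in scores_at_or_above is a placeholder for whatever triage rule a team adopts; on the page's example only timescore clears 0.4, while totalscore also clears 0.1, which is the kind of per-field view that makes it easier to decide whether an "anomaly is logged" entry deserves a follow-up on the session.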