Threat Analytics Log
This section contains the Kron PAM threat analytics logs. The packets are sent to the server in the following format:
Field | Description
---|---
dbId | Database identifier for the threat log entry.
accessProtocol | Protocol used to access the system (e.g., SSHv2).
accessProtocolScore | Anomaly score associated with the access protocol.
commandLogId | Unique identifier of the associated command log.
logTime | Timestamp when the log was recorded (ISO 8601 format).
clientIp | IP address of the client initiating the session.
clientIpScore | Anomaly score related to the client IP address.
host | IP address of the host being accessed.
hostScore | Anomaly score related to the host IP.
threatType | Type of detected threat (e.g., HOST_ANOMALY).
sessionId | Unique session identifier for the user session.
severity | Severity level of the detected threat (e.g., LOW).
ruleName | Name of the rule triggered during the threat analysis.
userName | Username of the user who executed the session.
userScore | Anomaly score associated with the user.
actionDetail | Description of the action taken as a result of the analysis (e.g., logged only).
commandScore | Anomaly score related to the executed command(s).
firstResult | Score from the first anomaly detection result.
maxResult | Maximum score among all results.
totalScore | Combined anomaly score calculated for the session.
timeScore | Anomaly score based on access time behavior.
Example:
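As an added example (not Kron PAM's own code or the page's original example), the parser below ingests packets carrying the fields in the table, rejects malformed or inconsistent entries, and groups records per sessionId so a SOC pipeline can decide which sessions to escalate. The JSON-lines encoding, the escalation threshold, the threatType value TIME_ANOMALY and all sample values are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime
# Field names are from the table above; the JSON-lines encoding, the threshold and
# every sample value (including threatType TIME_ANOMALY) are assumptions.
REQUIRED = (
    "dbId", "accessProtocol", "accessProtocolScore", "commandLogId", "logTime",
    "clientIp", "clientIpScore", "host", "hostScore", "threatType", "sessionId",
    "severity", "ruleName", "userName", "userScore", "actionDetail",
    "commandScore", "firstResult", "maxResult", "totalScore", "timeScore")
SCORE_FIELDS = tuple(f for f in REQUIRED if f.endswith(("Score", "Result")))
# Constructed sample packets, one JSON object per line; not real telemetry.
SAMPLE_PACKETS = """\
{"dbId": 1, "accessProtocol": "SSHv2", "accessProtocolScore": 5, "commandLogId": 11, "logTime": "2024-05-01T08:15:30Z", "clientIp": "10.0.0.25", "clientIpScore": 12, "host": "10.0.1.7", "hostScore": 70, "threatType": "HOST_ANOMALY", "sessionId": "S-1", "severity": "LOW", "ruleName": "host-baseline", "userName": "alice", "userScore": 8, "actionDetail": "logged only", "commandScore": 3, "firstResult": 40, "maxResult": 70, "totalScore": 45, "timeScore": 2}
{"dbId": 2, "accessProtocol": "SSHv2", "accessProtocolScore": 5, "commandLogId": 12, "logTime": "2024-05-01T08:16:02Z", "clientIp": "10.0.0.25", "clientIpScore": 12, "host": "10.0.1.7", "hostScore": 20, "threatType": "TIME_ANOMALY", "sessionId": "S-1", "severity": "LOW", "ruleName": "off-hours", "userName": "alice", "userScore": 8, "actionDetail": "logged only", "commandScore": 3, "firstResult": 30, "maxResult": 55, "totalScore": 50, "timeScore": 55}
{"dbId": 3, "accessProtocol": "SSHv2", "accessProtocolScore": 5, "commandLogId": 13, "logTime": "2024-05-01T09:00:00Z", "clientIp": "10.0.0.30", "clientIpScore": 65, "host": "10.0.1.9", "hostScore": 75, "threatType": "HOST_ANOMALY", "sessionId": "S-2", "severity": "MEDIUM", "ruleName": "host-baseline", "userName": "bob", "userScore": 60, "actionDetail": "logged only", "commandScore": 70, "firstResult": 60, "maxResult": 80, "totalScore": 80, "timeScore": 10}
{"dbId": 4, "accessProtocol": "SSHv2", "accessProtocolScore": 5, "commandLogId": 14, "logTime": "2024-05-01T09:05:00Z", "clientIp": "10.0.0.31", "clientIpScore": 1, "host": "10.0.1.9", "hostScore": 1, "threatType": "HOST_ANOMALY", "sessionId": "S-3", "severity": "LOW", "ruleName": "host-baseline", "userName": "carol", "userScore": 1, "actionDetail": "logged only", "commandScore": 1, "firstResult": 40, "maxResult": 20, "totalScore": 10, "timeScore": 1}
"""

def parse_record(line):
    """Decode one packet; raise ValueError on missing or inconsistent fields."""
    rec = json.loads(line)
    if any(f not in rec for f in REQUIRED):
        raise ValueError("missing fields")
    # logTime is ISO 8601; fromisoformat wants the UTC 'Z' spelled as an offset.
    rec["logTime"] = datetime.fromisoformat(rec["logTime"].replace("Z", "+00:00"))
    for f in ("clientIp", "host"):
        ipaddress.ip_address(rec[f])  # raises ValueError on a malformed address
    if any(not isinstance(rec[f], (int, float)) or rec[f] < 0 for f in SCORE_FIELDS):
        raise ValueError("scores must be non-negative numbers")
    if rec["maxResult"] < rec["firstResult"]:
        raise ValueError("maxResult cannot be below firstResult")
    return rec

def triage(lines, score_threshold=60):
    """Group valid records by sessionId; return (sessions to escalate, rejection
    reasons). Escalate when totalScore reaches the threshold or >1 threatType fired."""
    by_session, rejected = defaultdict(list), []
    for line in filter(str.strip, lines):
        try:
            rec = parse_record(line)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        by_session[rec["sessionId"]].append(rec)
    escalate = sorted(sid for sid, recs in by_session.items()
                      if max(r["totalScore"] for r in recs) >= score_threshold
                      or len({r["threatType"] for r in recs}) > 1)
    return escalate, rejected
```

Run `triage(SAMPLE_PACKETS.splitlines())` to see S-1 escalated for two distinct threat types, S-2 for its totalScore, and the S-3 packet rejected because its maxResult is below firstResult.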