Active list was successfully imported or operation failed
Audit events for active lists are created only for actions performed by users. Audit events are not generated when the active lists are modified using correlation rules. If you need to track such changes, you can do so using alerts.
Active list items are imported in parts via a remote connection.
Since the import is performed via a remote connection, a data transfer error can occur at any time: when the data is imported partially or completely. EventOutcome returns the connection status, not the import status.
Event field name | Field value |
DeviceAction |
|
EventOutcome |
|
SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
SourceUserName | User login that was used to perform the import. |
SourceUserID | User ID that was used to perform the import. |
DeviceExternalID | Service ID for which an import was performed. |
ExternalID | Active list ID. |
Name | Active list name. |
Message | If EventOutcome = |
DeviceCustomString5 | Service tenant ID. Some errors prevent adding tenant information to the event. |
DeviceCustomString5Label |
|
DeviceCustomString6 | Tenant name |
DeviceCustomString6Label |
|
