OCSF Schema Audit Messages

In the OCSF schema, recorded log messages have this syntax:

{
  "activity_id" : <int>,
  "category_uid" : <int>,
  "class_uid" : <int>,
  "time" : <int>,
  "severity_id" : <int>,
  "type_uid" : <int>,
  "metadata" : <document>,
  "actor" : {
    "user" : {
      "type_id" : <int>,
      "name" : <string>,
      "groups" : <array of documents>
    }
  }
}
| Field | Type | Description |
|---|---|---|
| activity_id | Integer | Activity type. See OCSF Type Mapping. |
| category_uid | Integer | Audit event category. See OCSF Category Mapping. |
| class_uid | Integer | Audit event class. See OCSF Class Mapping. |
| time | Integer | Number of milliseconds after the Unix epoch that the event occurred. |
| severity_id | Integer | Severity of the audited event. |
| type_uid | Integer | Combination of the audited event's class, activity, and category. See OCSF Type Mapping. |
| metadata | Document | Metadata about the event such as product and schema version. |
| actor | Document | Information about the user who performed the action. |

Note

Log messages may contain additional fields depending on the event that was logged.

OCSF Category Mapping

This table describes the category_uid values:

| category_uid | Category |
|---|---|
| 1 | System Activity |
| 2 | Findings |
| 3 | IAM |
| 4 | Network Activity |
| 5 | Discovery |
| 6 | Application Activity |

OCSF Class Mapping

For a complete list of OCSF class_uids and how they map to different classes, see the OCSF Documentation.

OCSF Type Mapping

The type_uid field combines the audited event's class, activity, and category into a single integer that identifies the type of activity that occurred.

Specifically, type_uid = (class_uid * 100) + activity_id, where category_uid is the thousands place of class_uid. Read from the right, the last two digits of a type_uid are the activity, the digits before them are the class, and the leading digit of the class is the category.

This table describes how audited actions map to type_uid:

| Action Type | type_uid | Category | Class | Activity |
|---|---|---|---|---|
| addShard | 500101 | Configuration | Device Config State | Log |
| applicationMessage | 100799 | System | Process Activity | Other |
| auditConfigure | 500201 or 500203 | Discovery | Device Config State | 1 is Create, 3 is Update |
| authzCheck | 600301 - 600304 | Application | API Activity | 1 is Create, 2 is Read, 3 is Update, 4 is Delete |
| authenticate | 300201 | IAM | Authentication | Logon |
| clientMetadata | 400101 | Network | Network Activity | Open |
| createCollection | 300401 | IAM | Entity Management | Create |
| createDatabase | 300401 | IAM | Entity Management | Create |
| createIndex | 300401 | IAM | Entity Management | Create |
| createRole | 300101 | IAM | Account Change | Create |
| createUser | 300101 | IAM | Account Change | Create |
| directAuthMutation | 300100 | IAM | Account Change | Unknown |
| dropAllRolesFromDatabase | 300106 | IAM | Account Change | Delete |
| dropAllUsersFromDatabase | 300106 | IAM | Account Change | Delete |
| dropCollection | 300404 | IAM | Entity Management | Delete |
| dropDatabase | 300404 | IAM | Entity Management | Delete |
| dropIndex | 300404 | IAM | Entity Management | Delete |
| dropPrivilegesToRole | 300107 | IAM | Account Change | Attach Policy |
| dropRole | 300106 | IAM | Account Change | Delete |
| dropUser | 300106 | IAM | Account Change | Delete |
| enableSharding | 500201 | Configuration | Device Config State | Log |
| getClusterParameter | 600302 | Application | API Activity | Read |
| grantRolesToRole | 300107 | IAM | Account Change | Attach Policy |
| grantRolesToUser | 300107 | IAM | Account Change | Attach Policy |
| importCollection | 300401 | IAM | Entity Management | Create |
| logout | 300202 | IAM | Authentication | Logoff |
| refineCollectionShardKey | 500201 | Configuration | Device Config State | Log |
| removeShard | 500201 | Configuration | Device Config State | Log |
| renameCollection | 300403 | IAM | Entity Management | Update |
| replSetReconfig | 500201 | Configuration | Device Config State | Log |
| revokePrivilegesFromRole | 300108 | IAM | Account Change | Detach Policy |
| revokeRolesFromRole | 300108 | IAM | Account Change | Detach Policy |
| revokeRolesFromUser | 300108 | IAM | Account Change | Detach Policy |
| rotateLog | 100799 | System | Process | Other |
| setClusterParameter | 500201 | Configuration | Device Config State | Log |
| shardCollection | 500201 | Configuration | Device Config State | Log |
| shutdown | 100702 | System | Process | Terminate |
| startup | 100701 | System | Process | Launch |
| updateCachedClusterServerParameter | 500201 | Configuration | Device Config State | Log |
| updateRole | 300199 | IAM | Account Change | Other |
| updateUser | 300199 | IAM | Account Change | Other |

Examples

The following examples show OCSF schema log messages for different action types.

Authenticate Action

{
  "activity_id" : 1,
  "category_uid" : 3,
  "class_uid" : 3002,
  "time" : 1710715316123,
  "severity_id" : 1,
  "type_uid" : 300201,
  "metadata" : {
    "correlation_uid" : "20ec4769-984d-445c-aea7-da0429da9122",
    "product" : "MongoDB Server",
    "version" : "1.0.0"
  },
  "actor" : {
    "user" : {
      "type_id" : 1,
      "name" : "admin.admin",
      "groups" : [ { "name" : "admin.root" } ]
    }
  },
  "src_endpoint" : { "ip" : "127.0.0.1", "port" : 56692 },
  "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
  "user" : { "type_id" : 1, "name" : "admin.admin" },
  "auth_protocol" : "SCRAM-SHA-256",
  "unmapped" : { "atype" : "authenticate" }
}
AuthCheck Action

{
  "activity_id" : 0,
  "category_uid" : 6,
  "class_uid" : 6003,
  "time" : 1710715315002,
  "severity_id" : 1,
  "type_uid" : 600300,
  "metadata" : {
    "correlation_uid" : "af4510fb-0a9f-49aa-b988-06259a7a861d",
    "product" : "MongoDB Server",
    "version" : "1.0.0"
  },
  "actor" : {},
  "src_endpoint" : { "ip" : "127.0.0.1", "port" : 45836 },
  "dst_endpoint" : { "ip" : "127.0.0.1", "port" : 20040 },
  "api" : {
    "operation" : "getParameter",
    "request" : { "uid" : "admin" },
    "response" : { "code" : 13, "error" : "Unauthorized" }
  }
}
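The type_uid formula from the OCSF Type Mapping section and the two example messages above, worked through as an added example that is not part of the MongoDB manual or server code: the script decomposes a type_uid into category, class and activity exactly as the formula describes, checks that each record's category_uid, class_uid and activity_id agree with its type_uid, and then picks out logons and denied authorization checks. The sample log is constructed from this page's two example records plus a third, deliberately inconsistent record labelled as constructed; the one-JSON-document-per-line layout, the fields read beyond the schema table (user, auth_protocol, api.operation, api.response), and the rule that response code 13 / "Unauthorized" marks a denied check are assumptions taken from those examples rather than from the manual's text.

```python
from __future__ import annotations

import json
from typing import Iterator

# category_uid values from the manual's category table.
CATEGORY_NAMES = {
    1: "System Activity", 2: "Findings", 3: "IAM",
    4: "Network Activity", 5: "Discovery", 6: "Application Activity",
}

# Constructed sample log: the page's two example records, one JSON document per
# line (an assumed on-disk layout), plus a third record constructed here whose
# class_uid (3004, Entity Management) disagrees with its type_uid (300201).
SAMPLE_AUDIT_LOG = """\
{"activity_id": 1, "category_uid": 3, "class_uid": 3002, "time": 1710715316123, "severity_id": 1, "type_uid": 300201, "metadata": {"correlation_uid": "20ec4769-984d-445c-aea7-da0429da9122", "product": "MongoDB Server", "version": "1.0.0"}, "actor": {"user": {"type_id": 1, "name": "admin.admin", "groups": [{"name": "admin.root"}]}}, "src_endpoint": {"ip": "127.0.0.1", "port": 56692}, "dst_endpoint": {"ip": "127.0.0.1", "port": 20040}, "user": {"type_id": 1, "name": "admin.admin"}, "auth_protocol": "SCRAM-SHA-256", "unmapped": {"atype": "authenticate"}}
{"activity_id": 0, "category_uid": 6, "class_uid": 6003, "time": 1710715315002, "severity_id": 1, "type_uid": 600300, "metadata": {"correlation_uid": "af4510fb-0a9f-49aa-b988-06259a7a861d", "product": "MongoDB Server", "version": "1.0.0"}, "actor": {}, "src_endpoint": {"ip": "127.0.0.1", "port": 45836}, "dst_endpoint": {"ip": "127.0.0.1", "port": 20040}, "api": {"operation": "getParameter", "request": {"uid": "admin"}, "response": {"code": 13, "error": "Unauthorized"}}}
{"activity_id": 1, "category_uid": 3, "class_uid": 3004, "time": 1710715317000, "severity_id": 1, "type_uid": 300201, "metadata": {"correlation_uid": "constructed-0001", "product": "MongoDB Server", "version": "1.0.0"}, "actor": {}}
"""


def compose_type_uid(class_uid: int, activity_id: int) -> int:
    """type_uid = (class_uid * 100) + activity_id, as the manual states."""
    if not 0 <= activity_id <= 99:
        raise ValueError("activity_id occupies the last two digits, so it must be 0..99")
    return class_uid * 100 + activity_id


def decompose_type_uid(type_uid: int) -> tuple[int, int, int]:
    """Invert the formula: return (category_uid, class_uid, activity_id).

    The last two digits are the activity, the rest is the class, and the
    category is the thousands place of the class (3002 -> category 3)."""
    class_uid, activity_id = divmod(type_uid, 100)
    return class_uid // 1000, class_uid, activity_id


def check_consistency(msg: dict) -> list[str]:
    """Return the problems found; an empty list means the uid fields agree."""
    required = ("activity_id", "category_uid", "class_uid", "time", "severity_id", "type_uid")
    missing = [name for name in required if name not in msg]
    if missing:
        return ["missing required fields: " + ", ".join(missing)]
    category_uid, class_uid, activity_id = decompose_type_uid(msg["type_uid"])
    problems = []
    if msg["class_uid"] != class_uid:
        problems.append(f"class_uid {msg['class_uid']} disagrees with type_uid {msg['type_uid']}")
    if msg["activity_id"] != activity_id:
        problems.append(f"activity_id {msg['activity_id']} disagrees with type_uid {msg['type_uid']}")
    if msg["category_uid"] != category_uid:
        problems.append(f"category_uid {msg['category_uid']} disagrees with type_uid {msg['type_uid']}")
    if msg["category_uid"] not in CATEGORY_NAMES:
        problems.append(f"unknown category_uid {msg['category_uid']}")
    return problems


def iter_messages(text: str) -> Iterator[dict]:
    """Yield one parsed record per non-empty line; a malformed line is an error, not skipped."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            try:
                yield json.loads(line)
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {lineno} is not a JSON document: {exc}") from exc


def triage(text: str) -> dict:
    """Parse an audit log and collect what a first review pass needs:
    records whose uids disagree, logons, and API calls the server denied."""
    report = {"count": 0, "inconsistent": [], "logons": [], "denied": []}
    for msg in iter_messages(text):
        report["count"] += 1
        problems = check_consistency(msg)
        if problems:
            corr = msg.get("metadata", {}).get("correlation_uid")
            report["inconsistent"].append((corr, problems))
            continue  # do not classify a record whose own fields disagree
        _, class_uid, activity_id = decompose_type_uid(msg["type_uid"])
        src_ip = msg.get("src_endpoint", {}).get("ip")
        if class_uid == 3002 and activity_id == 1:  # Authentication / Logon (authenticate row)
            report["logons"].append({"user": msg.get("user", {}).get("name"),
                                     "protocol": msg.get("auth_protocol"), "src": src_ip})
        elif class_uid == 6003:  # API Activity (authzCheck row)
            api = msg.get("api", {})
            response = api.get("response", {})
            # The page's example reports a denied check as code 13 / "Unauthorized";
            # treating that as the denial signal is an assumption taken from it.
            if response.get("code") == 13 or response.get("error") == "Unauthorized":
                report["denied"].append({"operation": api.get("operation"),
                                         "src": src_ip, "time": msg["time"]})
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LOG), indent=2))
```

Records whose uid fields disagree are reported but not classified, because a collector that trusts type_uid alone would silently route such a record into the wrong bucket; checking the formula on ingest is cheap and catches both truncated records and a misconfigured forwarder.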
