Variables available in audit notification channels
Access Manager provides a comprehensive set of variables you can use in your audit notifications.
See the guides on PowerShell auditing scripts and HTML and JSON audit templates to learn how to use these variables in your audit scripts and templates.
Property | Format/Type | Description |
---|---|---|
`DateTime` | string | The current date and time, in local server time |
`DateTimeUtc` | string | The current date and time, in UTC time |

Request element

This group of attributes represents the incoming request.

Property | Format/Type | Description |
---|---|---|
`Request.Target` | string | The name of the target that the user requested access to |
`Request.TargetType` | `Computer` or `Role` | The type of resource the user requested access to |
`Request.Reason` | string | The reason that the user provided when requesting access |
`Request.IPAddress` | IPv4 or IPv6 address string | The IP address of the requestor |
`Request.HostName` | string | The host name of the requestor, if available via reverse DNS lookup |
`Request.RequestedDuration` | TimeSpan | The requested duration of access |

Response element

This group of attributes represents the result of the access evaluation.

Property | Format/Type | Description |
---|---|---|
`Response.Target` | string | The name of the target that the access request was evaluated against |
`Response.TargetType` | `Computer` or `Role` | The type of resource that was evaluated |
`Response.IsSuccess` | `true` or `false` | Indicates if access was granted to the resource |
`Response.IsFailure` | `true` or `false` | Indicates if access was denied to the resource |
`Response.IsApproved` | `true` or `false` | Indicates if access was approved to the resource |
`Response.NotificationChannels` | string | A comma-separated list of audit channel IDs that apply to this access response |
`Response.MatchedRule` | string | The ID of the authorization rule that was used to make the access decision |
`Response.MatchedRuleDescription` | string | The 'description' field from the authorization rule that was used to make the access decision |
`Response.ExpireAfter` | TimeSpan | The duration of time that access was granted for |
`Response.Code` | `Success`, `NoMatchingRuleForTarget`, `NoMatchingRuleForUser`, `ExplicitlyDenied`, `UserRateLimitExceeded`, `IpRateLimitExceeded` | The result of the authorization decision. Codes other than `Success` represent an 'access denied' response. |
`Response.AccessType` | `None`, `LocalAdminPassword`, `LocalAdminPasswordHistory`, `Jit`, `Bitlocker`, `DeviceLogin`, `DeviceElevation` | The type of access that was granted |
`Response.AccessTypeDescription` | string | The friendly name of the type of access that was granted |
`Response.AccessExpiryDate` | DateTime | The date and time when the user's access will expire, expressed in local server time |
`Response.Message` | string | A user-friendly message describing the outcome of the access decision |
`Response.WorkflowResult` | `None`, `Approved`, `Rejected`, `Pending` | The approval result of the workflow operation |

User element

This group of attributes represents the user who performed the access request.

Property | Format/Type | Description |
---|---|---|
`User.Username` | string | The `samAccountName` of the user requesting access |
`User.FullyQualifiedName` | string | The user's username in `domain\username` format |
`User.DisplayName` | string | The display name of the user |
`User.Sid` | string | The user's security identifier |
`User.EmailAddress` | string | The user's email address |

Role element

If the authorization request was for a role, then this property will be populated with information about the role authorization rule.

Property | Format/Type | Description |
---|---|---|
`Role.Name` | string | The name of the role |
`Role.Description` | string | The description of the role |
`Role.MaximumAllowedDuration` | TimeSpan | The maximum amount of time that the user can request for the role according to the authorization rule |

Computer element

If the authorization request was for a computer, then this property will be populated with information about the computer.

Property | Format/Type | Description |
---|---|---|
`Computer.Name` | string | The short name of the computer |
`Computer.Description` | string | The description of the computer |
`Computer.FullyQualifiedName` | string | The name of the computer in `domain\computer` format |
`Computer.DnsHostName` | string | The computer's DNS host name, if known |
`Computer.DisplayName` | string | The computer's display name |
`Computer.ObjectId` | string | A unique identifier for the computer |
`Computer.Sid` | string | The computer's security identifier |
`Computer.AuthorityType` | `ActiveDirectory`, `AzureActiveDirectory`, `Ams` | The authoritative directory where this computer is located |
`Computer.AuthorityId` | string | The ID of the authority where the computer is located |
`Computer.AuthorityDeviceId` | string | The unique ID for the device, specific to the device's authority |

RapidLapsLogin element

If the authorization request was for workstation login/unlock via RapidLAPS, then this property will be populated with information about the RapidLAPS login request.

Property | Format/Type | Description |
---|---|---|
`RapidLapsLogin.Type` | string | The type of RapidLAPS request, will always be `Logon` |
`RapidLapsLogin.DeviceLoginAccountName` | string | The local account used for RapidLAPS login |
`RapidLapsLogin.UsageScenario` | string | A description of where in the operating system the request occurred from (e.g., `Logon`, `UnlockWorkstation`) |
`RapidLapsLogin.Responses` | `Response[]` | See below |
`RapidLapsLogin.LoggedOnUsers` | `LoggedOnUser[]` | See below |

RapidLapsElevation element

If the authorization request was for UAC elevation via RapidLAPS, then this property will be populated with information about the RapidLAPS elevation request.

Property | Format/Type | Description |
---|---|---|
`RapidLapsElevation.Type` | string | The type of RapidLAPS request, will always be "Elevation" |
`RapidLapsElevation.DeviceLoginAccountName` | string | The local account used for RapidLAPS elevation |
`RapidLapsElevation.ComOperationName` | string | The name of the COM operation the user is attempting to elevate (if applicable) |
`RapidLapsElevation.SessionID` | string | The requesting user's Session ID |
`RapidLapsElevation.ProcessID` | string | The parent process ID of the elevation (if applicable) |
`RapidLapsElevation.ProcessName` | string | The parent process name of the elevation (if applicable) |
`RapidLapsElevation.ElevationType` | string | |
`RapidLapsElevation.RequesterUsername` | string | The username of the user requesting elevation |
`RapidLapsElevation.RequesterSid` | string | The security identifier (SID) of the user requesting elevation |
`RapidLapsElevation.RequesterDisplayName` | string | The display name of the user requesting elevation |
`RapidLapsElevation.ProductName` | string | The product name of the executable being elevated (if applicable) |
`RapidLapsElevation.Publisher` | string | The publisher name of the executable being elevated (if applicable) |
`RapidLapsElevation.FileDescription` | string | The file description of the executable being elevated (if applicable) |
`RapidLapsElevation.CredUIFlags` | string | The internal flags passed to CredUI (e.g., the credential selector in UAC). GitHub |
`RapidLapsElevation.ConsentUIFlags` | string | The internal flags passed to ConsentUI (e.g., UAC). For more information, see our windows-credential-provider repository on GitHub |
`RapidLapsElevation.UsageScenario` | string | A description of where in the operating system the request occurred from; will always be "CredUI" |
`RapidLapsElevation.Responses` | `Response[]` | See below |
`RapidLapsElevation.LoggedOnUsers` | `LoggedOnUser[]` | See below |
`RapidLapsElevation.Hashes` | `string[]` | A list of hashes of the executable the user is attempting to run |
`RapidLapsElevation.Signature` | `Signature` | Contains signing information |

Signature data structure

The `RapidLapsElevation.Signature` field contains information about the code signing of the executable run by the user.

Property | Format/Type | Description |
---|---|---|
`State` | string | The status of the digital signature (e.g. Valid, Invalid, etc.) |
`Signers` | `Signer[]` | A list of each code signing certificate used to sign the executable |

Signer data structure

The `Signer` data structure is used to represent an entity that has digitally signed an executable.

Property | Format/Type | Description |
---|---|---|
`SignerCertificate` | `SignatureCertificate` | The certificate used for code signing |
`CounterSignerCertificates` | `SignatureCertificate[]` | All countersigner certificates used for code signing |

SignatureCertificate data structure

The `SignatureCertificate` data structure represents the elements of an X.509 code signing certificate.

Property | Format/Type | Description |
---|---|---|
`Thumbprint` | string | The certificate's thumbprint |
`SerialNumber` | string | The certificate's serial number |
`Subject` | string | The certificate's subject |
`DisplayName` | string | The certificate's display name |
`Issuer` | string | The certificate issuer's distinguished name |
`IssuerDisplayName` | string | The certificate issuer's display name |
`NotBefore` | DateTime | The issuance date of the certificate |
`NotAfter` | DateTime | The expiry date of the certificate |

Response data structure

The `RapidLapsLogin.Responses` and `RapidLapsElevation.Responses` fields contain a list of responses to any prompts defined in the RapidLAPS policy.

Property | Format/Type | Description |
---|---|---|
`Id` | string | Unique identifier for the prompt message |
`Label` | string | The human-readable label for the prompt |
`Type` | string | The type of prompt (e.g., Text, Checkbox, etc.) |
`Value` | string | The value provided as an answer to the prompt |

LoggedOnUser data structure

The `RapidLapsLogin.LoggedOnUsers` and `RapidLapsElevation.LoggedOnUsers` fields contain a list of users logged into the machine at the time of the request.

Property | Format/Type | Description |
---|---|---|
`UserName` | string | The user's username |
`SessionID` | integer | The user's Windows Session ID |
`IsRemoteSession` | boolean | Indicates if the user was logged in remotely |