CSE Record Types

Learn about the Record types to which you can map schema attributes.

This topic defines the record types that CSE supports. For related information, see Attributes You Can Map to Records.

Each message that CSE maps must be assigned one, and only one, record type.

Note that it is possible for multiple mappers to match a particular log message and each create a unique Record for that message—those multiple Records can have different record types. It isn’t standard practice to create multiple CSE Records from a single log message, but it is possible if there is a use case.

| Record Type | When to Use |
|---|---|
| Audit | Use this record type for log sources that leave a basic audit trail. Whenever possible, it is preferable to use one of these more specific audit record types: AuditChange, AuditFile, or AuditResourceAccess. |
| AuditChange | Use this record type for log sources that leave an audit record indicating a change has occurred on a system. |
| AuditFile | Use this record type for log sources that record information about file changes, such as file integrity monitoring. |
| AuditResourceAccess | Use this record type for log sources that track when an entity accesses a resource. For example, the Windows Security-5140 log event indicates when a network share object was accessed. |
| Authentication | Use this record type for log sources that report successful or unsuccessful authentication events. |
| AuthenticationPrivilegeEscalation | Use this record type for authentication log messages that note a user has elevated their privileges. |
| Canary | This is an internal CSE record type and should not be used. |
| Email | Use this record type for log sources containing email information, such as email protection applications and services. |
| Endpoint | Use this record type for logs generated about endpoint behavior. |
| EndpointModuleLoad | Use this record type for logs that indicate a process is loading one or more modules, such as DLL files. |
| EndpointProcess | Use this record type for logs that capture endpoint process auditing. |
| Network | Use this record type for generic log sources that describe network events. Whenever possible, it is preferable to use one of these more specific network record types: NetworkDHCP, NetworkDNS, NetworkFlow, NetworkHTTP, or NetworkProxy. |
| NetworkDHCP | Use this record type for network logs that contain DHCP information. |
| NetworkDNS | Use this record type for network logs that contain Domain Name Services information. |
| NetworkFlow | Use this record type for network logs that contain flow information, for example, network bytes, packets, protocols, flow states, and so on. |
| NetworkHTTP | Use this record type for network logs that contain HTTP-specific information. |
| NetworkProxy | This record type is very similar to NetworkFlow, but should be used when the log source is a network proxy and needs access to a wide array of other network fields. |
| Notification | Use this record type for log sources that report general notifications. |
| NotificationVulnerability | Use this record type for log sources that report notifications about detected vulnerabilities. |