You can set up a SIEM/PM integration from the Integrations screen.
Introduction to the Integrations Screen
The Integrations menu allows you to set up an integration with external Security Information and Event Management (SIEM) and Project Management (PM) software. You can then send user details and event triggers from Teramind to the integrated software.
The main Integrations screen shows you a list of current integrations. From here you can also create a new integration, change the settings of an integration or remove an integration when no longer needed.
Currently, the following built-in integration options are available:
SIEM:
Generic CEF
Generic JSON
HP ArcSight
Splunk
Splunk CIM
IBM QRadar
McAfee
Project Management:
Jira
Redmine
Zendesk
API calls and/or custom integrations may be used to connect with platforms not listed here. Please contact [email protected] if you require such an integration.
Teramind exports event information over Syslog using the Common Event Format (CEF), which any SIEM should be able to consume.
In this article, we provide instructions for two SIEM integrations, Splunk and HP ArcSight, and for two PM integrations, Zendesk and Jira. This should help you understand how the integrations work and enable you to integrate with other solutions. If you still need help, please contact [email protected].
Accessing the Integrations Menu
1. Click the Gear icon near the top-right corner of the Teramind Dashboard.
2. Click Integrations in the pop-up menu.
Setting Up a New SIEM Integration with Splunk
1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
2. Select SIEMs from the list of product types.
3. Choose Splunk or Splunk CIM from the list of products.
You can set up a Splunk integration either using the standard interface or through the CIM (Common Information Model). The CIM helps you normalize your data to a common standard, using the same field names and event tags for equivalent events from different sources or vendors. Both options are set up the same way.
4. Click the NEXT STEP button to continue to Step 2:
5. Select a Transport protocol, for example TCP.
6. Provide the HOSTNAME and PORT of the SIEM product.
7. Click the NEXT STEP button to continue to Step 3.
Note that the WEBSITE AUDIT event sends the System Logs to the SIEM.
For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.
8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM. By default, all events will be sent.
9. Optionally, you can specify the maximum field value length. The default value is 0 (unlimited).
10. Optionally, click the Database icon for an event to configure its data mapping. A Data mapping window will pop up.
11. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.
12. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.
13. Click the LAUNCH INTEGRATION button to save and launch the integration. Next, you will need to configure Splunk to accept the data sent to it from Teramind.
14. Log in to your Splunk account dashboard as an administrator.
15. From the menu on top, select Settings > Source types.
16. Click the New Source Type button near the top-right corner. A pop-up window will open:
17. Give the source a Name. You can configure other options for the Source from this window. For this exercise, we just need the Name parameter.
18. Click the Save button when you are done with setting up the Source.
19. From the menu on top, select Settings > Data inputs.
20. From the list of local inputs, click the + Add new link next to the TCP row. You will be taken to the Add Data wizard screen:
21. On the first step, Select Source, enter the Port number you chose in Step 6 before. You can optionally set other parameters such as override source name, restrict connection to a specific host, etc. For this exercise, we only need the Port parameter.
22. Click the Next > button to go to the next step.
23. On the second step, Input Settings, click on the Select Source Type drop-down box and select the Source you created in Step 16 before (e.g., my_source). You can optionally set other parameters such as app context, method, index etc. For this exercise, we only need the Source Type parameter.
24. Click the Next > button to go to the next step.
25. On the third step, Review, review the configuration. Click the Submit > button to finish setting up the data input and go to the next step.
26. On the final step, Done, click the Start Searching button to view the data coming from your Teramind integration:
27. To find the data easily, you can optionally specify parameters such as source and sourcetype in the Search field.
28. Optionally, you can specify the interval (e.g. 5 minute window) located right next to the search field.
For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.
Setting Up a New SIEM Integration with HP ArcSight
1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
2. Select SIEMs from the list of product types.
3. Choose a SIEM product from the list of products. For example, HP ArcSight.
4. Click the NEXT STEP button to continue to Step 2.
5. Select the Transport protocol (UDP or TCP).
6. Provide the Hostname and Port of the SIEM product.
7. Click the NEXT STEP button to continue to Step 3.
Note that the WEBSITE AUDIT event sends the System Logs to the SIEM.
For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.
8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM.
9. Click the Database icon for an event to configure its data mapping. A Data mapping window will pop up.
10. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.
11. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.
12. Click the LAUNCH INTEGRATION button on the Step 3 window to save and launch the integration.
Setting Up a New SIEM Integration Using the Generic CEF Option
When creating a new SIEM integration, you will notice that there is a Generic CEF option on the SIEMs product list. CEF (Common Event Format) is a text-based, open messaging standard and log format developed by ArcSight™ and used by HP ArcSight™ products.
If you use this option, Teramind will output data over the Syslog protocol using CEF data format. This will help you integrate with various SIEM tools for which Teramind does not have a built-in option.
The integration process is very similar to HP ArcSight. See the Setting Up a New SIEM Integration with HP ArcSight section for step-by-step instructions.
For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.
Setting Up a New PM Integration with Zendesk
1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
2. Select Project management from the list of product types.
3. Choose Zendesk from the list of products.
4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen.
Before you continue to the next step, you will need to create an OAuth Client in Zendesk. To do so:
5. Open your Zendesk domain and go to the Admin section.
6. Click API under the Channels section.
7. Click the OAuth Clients tab.
8. Click the + button to add a client.
9. Use the information from Teramind's integration wizard (Step 2 of 3 screen) to complete the form. You will need to fill in the Client Name, Company, Unique Identifier and Redirect URLs fields with the data provided on Teramind's Step 2 of 3 screen.
10. Copy the value displayed in the Secret field. Go back to the Zendesk Step 2 of 3 screen in Teramind.
11. Paste the Secret key you copied from Zendesk into the CLIENT SECRET field.
12. Click I HAVE CREATED THE CLIENT IN ZENDESK, CONTINUE. A pop-up window will open:
13. Click the Allow button. Go back to the Teramind integration wizard.
14. On the Teramind integration wizard (Zendesk: Step 2 of 3 screen), click NEXT STEP. You will be taken to the Step 3 of 3 screen.
15. Give your project a name.
16. Add the task statuses to work on.
17. Click the MAP USERS ASSIGNMENT button. You will be taken to the user mapping screen.
18. Map the employees and supervisors. Enter the Zendesk usernames in the INTEGRABLE USERNAME field and then select the corresponding Teramind username from the TERAMIND USERNAME pull-down menu.
19. Click the SAVE button when done. You will be taken back to the Step 3 of 3 screen.
20. Click the LAUNCH INTEGRATION button on the Step 3 of 3 screen to save and launch your integration.
Setting Up a New PM Integration with Jira
1. Click the Gear icon near the top-right corner of the dashboard and select Integrations. Then click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop up.
2. Select Project management from the list of product types.
3. Choose Jira from the list of products.
4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen:
5. Note the instance / URL of your deployment (for example, https://arickteramin2.teramind.co). You will need it in Step 10.
6. Scroll down a little and note the CONSUMER KEY, CONSUMER NAME and PUBLIC KEY values. You will need these three values in Step 17 below. Keep this window open.
7. Log into your Jira dashboard. Click the Settings icon near the top-right corner.
8. Select Products from the drop-down menu. You will be taken to a new window:
9. Click the Application links from the left panel.
10. Enter the instance / URL of your deployment you copied from Step 5 above.
11. Click the Create new link button. You might see a pop-up window like the one below:
12. Just click the Continue button. You will see another pop-up window, Link applications:
13. Enter an Application Name, for example, Teramind.
14. Click the Continue button. Jira will process the configurations and after a while, you will see the Applications window and your application on the list:
15. Click the small Pencil icon next to your application. A configure window will pop up.
16. Click the Incoming Authentication tab on the left panel.
17. Enter the Consumer Key, Consumer Name, and the Public Key values you copied in Step 6 above.
18. Scroll down and click the Save button to save your configurations. You will see a confirmation that your application is registered:
19. Click the Close button to close the window and return to the Applications page.
20. Copy the domain address / URL of your Jira deployment (for example, https://teramind-test.atlassian.net). You will need it in the next step, on the Teramind Dashboard.
21. Go back to your Teramind Dashboard. Enter the domain address / URL of your Jira deployment you copied in the previous step into the JIRA BASE URL field.
22. Click the I ADDED APPLICATION LINK TO JIRA, CONTINUE button. A Welcome to JIRA window will pop up.
23. Click the Allow button to authenticate your application. The window will close and you will be back on the JIRA: Step 2 of 3 screen:
24. Wait a few seconds and then you will see an Auth success message.
25. Click the NEXT STEP button to continue to JIRA: Step 3 of 3 screen:
26. Select your PROJECTS, ALLOWED TASK STATUSES, and TEST STATUSES from the corresponding fields.
27. Click the USERS ASSIGNMENT button to set up user mappings:
28. You can map EMPLOYEES and TESTERS. Assign INTEGRABLE USERNAME with TERAMIND USERNAME, assign roles, etc.
29. Click the SAVE button when you are done with the user mapping. You will be taken back to the JIRA: Step 3 of 3 screen.
30. Click the LAUNCH INTEGRATION button to save your integration and return to the External Integration screen where you will see your Jira integration:
31. You should now be able to see and import your Jira projects and tasks from the TIME TRACKING > TASKS menu.
Editing / Deleting an Integration
From the main Integration screen, under the ACTIONS column:
1. Click the Settings icon to change the connection settings for a SIEM integration.
2. Click the Database icon to change the events mapping for a SIEM integration.
3. Click the Trash Can icon to delete/remove an integration.
4. Click the Padlock icon to edit the app link/authorization settings for a PM integration.
5. Click the Refresh icon to change the project name, task statuses and user mapping for a PM integration.
Appendix: List of SIEM Events
USER LOGS IN
Sends user login events.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
USER DISCONNECTS
Sends user logout events.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
EMAIL SENT
Sends outgoing email activities similar to the information displayed on the BI Reports > Emails and Monitoring > Emailing reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmEmailDirection | act | Email Direction
tmEmailFrom | suser | Email From
tmEmailTo | duser | Email To
tmEmailCC | cs3 | Email CC
tmEmailSubject | cs4 | Email Subject
tmEmailClient | cs5 | Email Client
tmWindowsFormatTime | wTime | System Date & Time
EMAIL RECEIVED
Sends incoming email activities similar to the information displayed on the BI Reports > Emails and Monitoring > Emailing reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmEmailDirection | act | Email Direction
tmEmailFrom | suser | Email From
tmEmailTo | duser | Email To
tmEmailCC | cs3 | Email CC
tmEmailSubject | cs4 | Email Subject
tmEmailClient | cs5 | Email Client
tmWindowsFormatTime | wTime | System Date & Time
DOC PRINTED
Sends printing activities similar to the information displayed on the BI Reports > Printing and Monitoring > Printing reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmFileName | filePath | App Name - File Name
tmPrinterName | cs3 | Printer Name
tmPrinterPages | cn1 | Number of Pages Printed
tmPrinterCopies | fname | Number of Copies Printed
tmWindowsFormatTime | wTime | System Date & Time
APP LAUNCHED
Sends application launch/run activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmATime | rt | Time Since User Logged In (milliseconds)
tmActivityUid | cs3 | Activity Unique Identifier
tmActivityName | sourceServiceName | Name of the App/Service
tmStart | start | App Start Time (milliseconds)
tmActivityAction | act | Action Type
tmActivityTitle | cs4 | Title of the App Window – App Name
tmWindowsFormatTime | wTime | System Date & Time
tmWindowsFormatStart | wStartTime | App Start Time
APP CLOSED
Sends application exit/close activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmActivityUid | cs3 | Activity Unique Identifier
tmActivityName | sourceServiceName | Name of the App/Service
tmStart | start | App Start Time (milliseconds)
tmEnd | end | App End Time (milliseconds)
tmActivityAction | act | Action Type
tmActivityTitle | cs4 | Title of the App Window – App Name
tmWindowsFormatTime | wTime | System Date & Time
tmWindowsFormatStart | wStartTime | App Start Date & Time
tmWindowsFormatEnd | wEndTime | App End Date & Time
WEBSITE OPENED
Sends website visit activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmActivityUid | cs3 | Activity Unique Identifier
tmActivityName | sourceServiceName | Source Domain
tmStart | start | Time When User Started Browsing the Webpage (milliseconds)
tmActivityAction | act | Action Type
tmWebUrl | request | Website URL
tmWebTitle | cs4 | Webpage Title - Browser Name
tmWindowsFormatTime | wTime | System Date & Time
tmWindowsFormatStart | wStartTime | Time When User Started Browsing the Webpage (OS standard time)
WEBSITE CLOSED
Sends website close activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmActivityUid | cs3 | Activity Unique Identifier
tmActivityName | sourceServiceName | Source Domain
tmStart | start | Time When User Started Browsing the Webpage (milliseconds)
tmActivityAction | act | Action Type
tmWebUrl | request | Website URL
tmWebTitle | cs4 | Webpage Title - Browser Name
tmEnd | End | Time When User Stopped Browsing the Webpage (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmWindowsFormatStart | wStartTime | Time When User Started Browsing the Webpage (OS standard time)
tmWindowsFormatEnd | wEndTime | Time When User Stopped Browsing the Webpage (OS standard time)
SEARCH QUERY DETECTED
Sends user search queries (e.g., on Google Search) similar to the information displayed on the BI Reports > Searches and Monitoring > Searches reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWebUrl | request | Search Engine Domain
tmSearchPhrase | cs3 | Search Phrase
tmWindowsFormatTime | wTime | System Date & Time
BEHAVIOR RULE VIOLATED
Sends the behavior rule violation events similar to the information displayed on the BI Reports > Behavior Alerts and Behavior > Alerts reports. The event has many fields, but not all of them are used for a particular rule violation; only the fields relevant to the incident are sent to the SIEM. Some fields are generic and available across all rules, for example Rule ID (cs10) and Rule Name (cs11). Other fields may share a name across rules but capture different data.
General
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmBehaviorRuleId | cs10 | Rule ID
tmBehaviorRuleName | cs11 | Rule Name
tmBehaviorRuleNotificationType | type | Rule Type
tmActivityName | sourceServiceName | Source App/Process
tmProcessName | processName | Process Name
tmWebpageTitle | webpageTitle | Webpage Title
tmSharedListId | cs12 | Deprecated / Not Used
tmSharedListName | cs13 | Deprecated / Not Used
tmSharedListValue | cs14 | Deprecated / Not Used
tmSharedListItems | cs15 | Deprecated / Not Used
tmCloudRoot | cloudRoot | Deprecated / Not Used
tmFileSystemExt | fileSystemExt | Deprecated / Not Used
tmApplyOnScreenUnlock | applyOnScreenUnlock | Deprecated / Not Used
tmIdle | cn4 | Deprecated / Not Used
Emails
Teramind Event | Default Field | Description
tmBehaviorRuleNotificationType | type | Rule Type
tmEmailDirection | act | Email Direction
tmEmailFrom | suser | Email From
tmEmailTo | duser | Email To
tmEmailCC | cs3 | Email CC and BCC
tmEmailSubject | cs4 | Email Subject
tmEmailBody | tmEmailBody | Email Body
tmEmailClient | cs5 | Email Client
tmEmailSize | emailSize | Email Size
tmEmailHasAttachment | emailHasAttachment | Has Attachment? (only included if the rule specifically uses the Has attachment condition)
tmEmailAttachmentName | emailAttachmentName* | Attachment Name (only included if there is an attachment; emails with multiple attachments are sent as separate events)
tmUploadFileName | uploadFileName | Upload File Name (same as emailAttachmentName, but included for Content Sharing rules)
*With some email clients (e.g., Outlook Web), multiple attachments are reported as emailAttachmentName1, emailAttachmentName2, etc. With other email clients (e.g., Gmail Web), a separate event is sent for each attachment.
Keystrokes
Teramind Event | Default Field | Description
tmText | cs7 | Text Typed (if special keys are entered, contains only the special keys; otherwise similar to textTyped)
tmTextTyped | textTyped | Text Typed (all text typed, excluding special keys)
tmWordTyped | wordTyped | Word Typed (individual words)
IM
Teramind Event | Default Field | Description
tmConvSource | cs5 | IM App
tmConvMessage | cs4 | Message
tmConvDirection | act | Message Direction
tmConvFrom | suser | Message From
tmConvTo | duser | Message To
Clipboard
Teramind Event | Default Field | Description
tmClipboardOrigin | clipboardOrigin | Clipboard Origin (Copy)
tmClipboardTarget | clipboardTarget | Clipboard Target (Paste)
tmClipboardText | clipboardText | Copied Text
tmContentOrigin | contentOrigin | Content Origin
Applications & Webpages
Teramind Event | Default Field | Description
tmIdleTime | idleTime | Time Idle (seconds)
tmTimeActive | timeActive | Time Active (seconds)
tmApplicationName | applicationName | Application Name (executable file)
tmApplicationCaption | applicationCaption | Application Title
tmLaunchedFromCli | launchedFromCli | Launched from Command Line (name of the app)
tmWebUrl | request | Webpage URL
tmWebTitle | cs6 | Webpage Title
tmAppNotRunTime | appNotRunTime | Application Not Run Time (for the Not launch rule condition, in seconds)
Files
Teramind Event | Default Field | Description
tmFileSystemOperation | fileSystemOperation | File Operation
tmNetworkRoot | networkRoot | Network Root (for network share)
tmPath | filePath | Network Destination (for network share)
tmDownloadFileName | downloadFileName | Download File Name
tmUploadFileName | uploadFileName | Upload File Name
tmDownloadUrl | downloadUrl | Download URL
tmUploadFileSize | uploadFileSize | Uploaded File Size (Bytes)
tmDownloadFileSize | downloadFileSize | Downloaded File Size (Bytes)
tmUploadVia | uploadVia | Uploaded Via
Browser Plugin
Teramind Event | Default Field | Description
tmBrowser | browser | Browser Name
tmBrowserPlugin | browserPlugin | Plugin Name
tmBrowserPluginPermissions | browserPluginPermissions | List of Plugin Permissions
tmFileSystemPath | fileSystemPath | File Path
Networking
Teramind Event | Default Field | Description
tmRemoteHost | remoteHost | Remote Host
tmRemotePort | remotePort | Remote Port
tmBytesSent | bytesSent | Bytes Sent
tmBytesRecv | bytesRecv | Bytes Received
Printing
Teramind Event | Default Field | Description
tmPrinterNumPages | printerNumPages | Number of Pages
tmPrinterName | cs5 | Printer Name
tmDocName | cs4 | Document Name
FILE ACTIONS
Sends file activities similar to the information displayed on the BI Reports > File Events and Monitoring > File Transfers reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmFileAction | act | Action Type
tmFileName | fname | File Name
tmOldFileName | oldFileName | Old File Name (only available when the File Name changes, e.g., when renaming a file)
tmWindowsFormatTime | wTime | System Date & Time
FLASHDISK ACTIONS
Sends external/USB disk activities.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmFlashdiskAction | act | Action Type
tmFlashdiskMount | fname | Drive (where the flash disk/USB drive is mounted)
tmWindowsFormatTime | wTime | System Date & Time
TEXT COPIED
Sends the clipboard copy/paste events. The event is triggered for both the copy and the paste operation, but the two look exactly the same: all fields have the same output. The only way to distinguish them is to look at the timestamps (wTime); usually the copy operation takes place before the paste operation.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmText | cs3 | Text Being Copied/Pasted
tmWindowsFormatTime | wTime | System Date & Time
WEBSITE AUDIT
Captures administrator/privileged user activities on the Teramind Dashboard, such as when an admin views a report, creates a rule or edits an employee's profile. The events are similar to what is displayed on the BI Reports > Audit or System > System Log reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmServer | dst | Teramind Server Address
tmWebVersion | cs1 | Teramind Web UI Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmAction | act | Action Type
tmRoute | request | Type of Request (for example, a request for the Tracking > Employee Costs report)
tmDetails | cs5 | Details (similar to the Description column on the BI Reports > Audit or System > System Log reports; for example, a list item added to a Shared List. Not all events have this field.)
tmObjType | cs2 | Object Type (a page, dashboard, agent, etc.; for example, a page under the BI Reports menu)
tmObjId | cs3 | Object Id (not all events have this field)
tmObjName | cs4 | Object Name (the short URL or name of a page/report, the name of an item, etc.; for example, the BI Reports > Printing report)
If the details (cs5) contain multiple items, the field holds a JSON structure with the details of each item, for example when multiple settings are modified on a settings screen or something is changed on a BI report.
CONSOLE COMMANDS
Sends the commands used on the Command Prompt/Terminal. The events are similar to what is displayed on the BI Reports > Console Commands or Monitoring > Console Command reports.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmCommand | cs3 | The command used
tmUsername | suser | System Username
tmPid | cn1 | Process ID
tmDuration | cs4 | Duration of the command run time (seconds)
OS SLEEP & LOCK STATE
Sends the OS state changes of users' computers such as Sleep, Lock, Screen Saver, etc.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmMessage | msg | Event Message
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmOsSleepLockState | cs3 | The State of the OS
BUSINESS PROCESS
Sends custom business process information, such as in-app field parsing data to the SIEM. Each business process can be unique to each customer. Custom event data is sent as JSON formatted text inside the tmEvent (event) field.
Teramind Event | Default Field | Description
tmAgent | suid | User@Computer/Domain Name
tmAgentIp | dvc | Agent IP
tmClientVersion | cs1 | Agent Version
tmOS | shost | Host OS
tmComputer | sntdom | Computer Name
tmServer | dst | Teramind Server Address
tmServerVersion | cs2 | Teramind Server Version
tmTime | rt | Time Since User Logged In (milliseconds)
tmWindowsFormatTime | wTime | System Date & Time
tmLocation | location | A custom, arbitrary ID identifying the location of a page/field/element, etc.
tmEvent | event | Details of the custom business process event in JSON format
For a business process tied to a form (for example, a customer lookup form), a separate event is captured at each stage of interaction with the form, such as the user clicking a field, changing a value or searching for a customer, and each of these events can be viewed in Splunk.
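As an added example that is not part of Teramind's documentation or product, the Python parser below reads Teramind CEF lines as received over Syslog (the Generic CEF option above), maps the CEF extension keys back to the Teramind event names from the tables in this appendix, gathers the emailAttachmentName1, emailAttachmentName2, ... variants described in the Emails footnote into one list, and decodes the BUSINESS PROCESS tmEvent JSON payload. The vendor/product header values, the assumption that the CEF Name header carries the event heading (e.g. BEHAVIOR RULE VIOLATED), and the sample lines are all constructed rather than taken from the page.

```python
"""Parse Teramind CEF-over-syslog events and map the CEF keys back to Teramind names.
Added example, not Teramind's own code: field names come from the appendix tables on this
page; the header values, event-name strings and sample lines are constructed."""
import json
import re

# CEF keys common to every event in the appendix (Default Field -> Teramind Event).
COMMON_FIELDS = {
    "suid": "tmAgent", "dvc": "tmAgentIp", "cs1": "tmClientVersion", "shost": "tmOS",
    "sntdom": "tmComputer", "dst": "tmServer", "cs2": "tmServerVersion",
    "msg": "tmMessage", "rt": "tmTime", "wTime": "tmWindowsFormatTime",
}
# cs3..cs5 and act mean different things per event, so the CEF Name header (assumed
# here to carry the appendix heading) selects the event-specific map.
EMAIL_FIELDS = {
    "act": "tmEmailDirection", "suser": "tmEmailFrom", "duser": "tmEmailTo",
    "cs3": "tmEmailCC", "cs4": "tmEmailSubject", "cs5": "tmEmailClient",
}
EVENT_FIELDS = {
    "EMAIL SENT": EMAIL_FIELDS,
    "EMAIL RECEIVED": EMAIL_FIELDS,
    "TEXT COPIED": {"cs3": "tmText"},
    "BUSINESS PROCESS": {"location": "tmLocation", "event": "tmEvent"},
    "BEHAVIOR RULE VIOLATED": {
        **EMAIL_FIELDS, "cs10": "tmBehaviorRuleId", "cs11": "tmBehaviorRuleName",
        "type": "tmBehaviorRuleNotificationType",
        "emailHasAttachment": "tmEmailHasAttachment", "uploadFileName": "tmUploadFileName",
    },
}
# A space followed by "key=" starts a new extension pair; an escaped "\=" never matches.
_PAIR_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_ATTACHMENT = re.compile(r"^emailAttachmentName(\d*)$")


def _split_header(cef):
    """Return the seven pipe-delimited CEF header fields and the extension remainder,
    honouring the backslash escapes (\\| and \\\\) allowed inside header fields."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, cef[i:]


def _unescape(value):
    """Undo CEF extension escaping: \\= and \\\\ plus the \\n / \\r newline sequences."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def _parse_extension(ext):
    """Split the extension into a key -> unescaped value dict."""
    pairs = {}
    for pair in _PAIR_SPLIT.split(ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            pairs[key] = _unescape(value)
    return pairs


def parse_teramind_cef(line):
    """Parse one syslog line carrying a Teramind CEF event into Teramind field names.
    emailAttachmentName, emailAttachmentName1, ... are gathered into one list, the
    BUSINESS PROCESS 'event' payload is decoded from JSON, and keys the appendix does
    not map for this event are kept under their raw CEF key."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(line[start:])
    event_name = header[5]
    mapping = {**COMMON_FIELDS, **EVENT_FIELDS.get(event_name, {})}
    fields, attachments = {}, []
    for key, value in _parse_extension(ext).items():
        m = _ATTACHMENT.match(key)
        if m:
            attachments.append((int(m[1] or 0), value))
        elif mapping.get(key) == "tmEvent":
            fields["tmEvent"] = json.loads(value)  # custom business-process payload
        else:
            fields[mapping.get(key, key)] = value
    if attachments:
        fields["tmEmailAttachmentName"] = [v for _, v in sorted(attachments)]
    return {"event": event_name, "severity": int(header[6]), "fields": fields}


# Constructed sample lines: syslog priority/timestamp prefix, then the CEF payload.
SAMPLE_LINES = [
    "<134>Jun 3 09:15:02 tm-srv CEF:0|Teramind|Teramind|0.0|rule|BEHAVIOR RULE VIOLATED|5|"
    "suid=jdoe@WS01/CORP dvc=10.0.0.5 cs10=42 cs11=Finance data via email type=Email "
    "act=outgoing suser=jdoe@example.test duser=ext@partner.test cs4=Q3 numbers \\= draft "
    "cs5=Outlook Web emailHasAttachment=1 emailAttachmentName1=q3.xlsx "
    "emailAttachmentName2=notes.docx wTime=2024-06-03 09:15:01",
    "<134>Jun 3 09:16:10 tm-srv CEF:0|Teramind|Teramind|0.0|clip|TEXT COPIED|3|"
    "suid=jdoe@WS01/CORP cs3=line one\\nline two wTime=2024-06-03 09:16:09",
    "<134>Jun 3 09:17:44 tm-srv CEF:0|Teramind|Teramind|0.0|bp|BUSINESS PROCESS|1|"
    "suid=jdoe@WS01/CORP location=crm/order-form "
    'event={"action": "click", "field": "customer_id"} wTime=2024-06-03 09:17:43',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_teramind_cef(sample), indent=2))
```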