Standard Event Schema
Osmany Montero edited this page Jan 19, 2026 · 4 revisions
To ensure consistency and allow rules to work across different data sources, the EventProcessor uses a standardized event schema. All filters should aim to map extracted data to these standard fields.
The core event object consists of several top-level metadata fields and three main namespaces: log, origin, and target.
Metadata fields that describe the event itself.
| Field | Description |
|---|---|
| `id` | Unique identifier for the event (UUID). |
| `@timestamp` | The time the event was processed by the engine, in ISO 8601 format. |
| `deviceTime` | The original timestamp from the source device. If missing, it defaults to `@timestamp`. |
| `dataType` | The category of the log (e.g., `syslog`, `wineventlog`, `linux`, `firewall-fortigate-traffic`). |
| `dataSource` | The specific source or integration name (e.g., `o365-tenant-01`). |
| `tenantId` | Unique ID of the organization the event belongs to. |
| `tenantName` | Human-readable name of the tenant. |
| `action` | The activity performed (e.g., `login`, `file_create`, `connection`). |
| `actionResult` | The outcome of the action (`success`, `failure`, `denied`). |
| `protocol` | Network protocol used (e.g., `tcp`, `udp`, `http`). |
| `connectionStatus` | Status of the connection (e.g., `established`, `closed`). |
| `statusCode` | Numerical status if applicable (e.g., HTTP 404). |
| `severity` | Event importance (`debug`, `info`, `warning`, `error`, `critical`). |
| `raw` | The original, unmodified log message. Read-only. |
| `compliance` | A map of regulatory tags (e.g., `hipaa`, `pci`, `gdpr`) with their associated values. |
| `errors` | A list of string descriptions for any issues encountered during processing. |
The `log` namespace is a dictionary used for storing any field that does not fit into the standard categories below.
- Usage: `log.my_custom_field`, `log.parsing_status`.
The `origin` and `target` namespaces describe the "Who" and "Whom" of an event. Both namespaces support the same set of attributes.
| Field | Description |
|---|---|
| `ip` | IPv4 or IPv6 address. |
| `host` | Hostname of the system. |
| `domain` | Domain name or FQDN. |
| `port` | Network port (integer). |
| `mac` | MAC address. |
| `url` | Full URL if applicable. |
| `cidr` | Classless Inter-Domain Routing notation. |
| `bytesSent` / `bytesReceived` | Volume of data transferred. |
| `packagesSent` / `packagesReceived` | Number of network packets. |
| Field | Description |
|---|---|
| `certificateFingerprint` | Hash of the SSL/TLS certificate. |
| `ja3Fingerprint` | TLS client fingerprint. |
| `jarmFingerprint` | Active TLS server fingerprint. |
| `sshBanner` / `sshFingerprint` | SSH service identification. |
| Field | Description |
|---|---|
| `user` | Username or account identifier. |
| `group` | Security group or role. |
| `email` / `emailAddress` | Email address. |
| `emailSubject` / `emailBody` | Email content metadata. |
| `emailDisplayName` / `emailXMailer` | Email client metadata. |
| `emailThreadIndex` | Position of the email in a conversation thread. |
| `dkim` / `dkimSignature` | Email authentication data. |
| `jabberId` / `cookie` | Chat or web session identifiers. |
| Field | Description |
|---|---|
| `whoisRegistrant` | The person or entity that registered the domain. |
| `whoisRegistrar` | The company that manages the registration of the domain. |
| Field | Description |
|---|---|
| `process` | Name of the executable. |
| `processState` | Current state of the process. |
| `command` | Full command line executed. |
| `windowsServiceName` | Logical name of the service. |
| `windowsServiceDisplayName` | Display name of the service. |
| `windowsScheduledTask` | Name of the scheduled task. |
| `file` / `filename` | Base filename. |
| `path` | Full directory path to the file. |
| `sizeInBytes` | File size in bytes. |
| `mimeType` | File MIME type. |
| Field | Description |
|---|---|
| `hash` | Generic hash (usually SHA-256). |
| `md5` / `sha1` / `sha224` / `sha256` | Specific cryptographic hashes. |
| `sha384` / `sha512` / `sha512224` / `sha512256` | SHA-2 and its variations. |
| `sha3224` / `sha3256` / `sha3384` / `sha3512` | SHA-3 variants. |
| `authentihash` / `cdhash` | Code-signing and OS-specific hashes. |
| `hex` / `base64` | Encoded representations. |
| Field | Description |
|---|---|
| `operatingSystem` | OS name and version. |
| `chromeExtension` | Browser extension ID. |
| `mobileAppId` | Application ID for mobile platforms. |
| `windowsServiceName` | Name of the Windows service. |
| `windowsScheduledTask` | Name of the scheduled task. |
| Field | Description |
|---|---|
| `cve` | Common Vulnerabilities and Exposures ID. |
| `cpe` | Common Platform Enumeration. |
| `malware` / `malwareFamily` | Name or family of detected malware. |
| `malwareType` | Type of malware (e.g., `ransomware`, `trojan`). |
| Field | Description |
|---|---|
| `connections` | Count of active connections (uint64). |
| `usedCpuPercent` | CPU usage percentage (0-100). |
| `usedMemPercent` | Memory usage percentage (0-100). |
| `totalCpuUnits` | Total CPU capacity/units. |
| `totalMem` | Total physical memory in bytes. |
| `disks` | List of disk objects (`name`, `totalSpace`, `usedPercent`). |
| Field | Description |
|---|---|
| `country` / `countryCode` | Country name and ISO code. |
| `city` | City name. |
| `latitude` / `longitude` | Geographic coordinates. |
| `asn` / `aso` | Autonomous System Number and Organization. |
| `accuracy` | Geolocation accuracy radius. |
- Always Map IPs: If your log contains IP addresses, map them to `origin.ip` and `target.ip`.
- Normalize Actions: Use a consistent set of actions (e.g., `login`, `logout`, `file_create`).
- Enrich Early: Apply geolocation and threat intel (feeds) as soon as the core fields are mapped.
- Compliance Mapping: Use the `compliance` field for tagging logs with regulatory requirements (HIPAA, PCI-DSS, GDPR).
- Audit Integrity: The `raw` field is protected and contains the original log message. It cannot be deleted by parsing steps, ensuring a verifiable audit trail for every event.
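As an added example, not the project's own filter code and written in Python for illustration, the following maps a constructed sshd syslog line into this schema the way the practices above ask for: the IP lands in `origin.ip`, the action is normalized to `login` / `failure`, `deviceTime` comes from the device or falls back to `@timestamp`, parse problems go into `errors` instead of dropping the event, and `raw` is checked as untouched before the event is handed on. The filter name, sample data source, tenant id and the sample line itself are assumptions.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample sshd auth failure as delivered over syslog (not a real host or IP).
SAMPLE_LOG = ("Mar 14 10:22:31 bastion01 sshd[2141]: Failed password for "
              "invalid user admin from 203.0.113.7 port 51522 ssh2")

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def new_event(raw, data_type, data_source, tenant_id, tenant_name=""):
    """Skeleton with every top-level field; deviceTime starts equal to @timestamp."""
    now = datetime.now(timezone.utc).isoformat()
    return {"id": str(uuid.uuid4()), "@timestamp": now, "deviceTime": now,
            "dataType": data_type, "dataSource": data_source, "tenantId": tenant_id,
            "tenantName": tenant_name, "action": "", "actionResult": "", "protocol": "",
            "connectionStatus": "", "statusCode": None, "severity": "info", "raw": raw,
            "compliance": {}, "errors": [], "log": {}, "origin": {}, "target": {}}

def map_ssh_failure(line, data_source="bastion-syslog", tenant_id="tenant-a"):
    """Hypothetical filter step: syslog sshd 'Failed password' -> standard event."""
    ev = new_event(line, "syslog", data_source, tenant_id)
    m = SSH_FAIL.match(line)
    if not m:
        # Never drop the event: record the problem and keep raw for the audit trail.
        ev["errors"].append("ssh-filter: line did not match 'Failed password' pattern")
        ev["log"]["parsing_status"] = "unparsed"
        return ev
    try:  # BSD syslog timestamps carry no year or zone; assume current year, UTC.
        dt = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        ev["deviceTime"] = dt.replace(year=datetime.now(timezone.utc).year).isoformat()
    except ValueError as exc:
        ev["errors"].append(f"ssh-filter: deviceTime unparsed, using @timestamp ({exc})")
    ev["action"], ev["actionResult"], ev["protocol"] = "login", "failure", "ssh"
    ev["severity"] = "warning"
    ev["origin"] = {"ip": m["ip"], "port": int(m["port"])}   # the "who"
    ev["target"] = {"host": m["host"], "user": m["user"]}     # the "whom"
    return ev

def validate(ev, original_line):
    """Checks a filter's output before it reaches the rule engine; returns problems found."""
    problems = [f"missing {f}" for f in ("id", "@timestamp", "dataType", "tenantId") if not ev.get(f)]
    if ev["raw"] != original_line:
        problems.append("raw was modified by a parsing step")
    if not ev["origin"].get("ip") and not ev["target"].get("ip"):
        problems.append("no IP mapped to origin.ip or target.ip")
    return problems
```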