# General-purpose communication endpoint: the field set shared by the sender
# (Source) and the receiver (Destination) of a network exchange. Per-field
# comments below say "this endpoint", meaning whichever side the implementing
# type represents. All values are populated from the event itself (network
# event, packet, or other transaction record); nothing here is validated
# beyond the scalar types, so treat `address`, `domain` and the JSON fields as
# raw producer-supplied data when they are used as match keys.
interface Communications {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Free-text description of this endpoint.
  # (Undocumented in the original schema; presumably plays the same role as
  # `description` on ClientServer — confirm.)
  description: String
  # Network address of this endpoint, as reported by the event.
  address: String
  # Bytes sent from this endpoint to its peer
  # (for Destination: from the destination to the source).
  bytes: Long
  # The domain name of this endpoint's system.
  domain: String
  # The IP address of this endpoint's system.
  ip: IP
  # The MAC address of this endpoint's system.
  mac: String
  # Translated IP of source based NAT sessions (e.g. internal client to internet).
  # NOTE(review): spelled `natIpp` here and on Destination/Source, but `natIp` on
  # ClientServer/Server/Client. This looks like a typo; renaming a field is a
  # breaking schema change, so it is only flagged here.
  natIpp: IP
  # Port of this endpoint.
  port: Long
  # Translated port of source based NAT sessions.
  natPort: Long
  # Packets sent from this endpoint to its peer
  # (for Destination: from the destination to the source).
  packets: Long
  # The highest registered domain of this endpoint, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Fields describing an Autonomous System (Internet routing prefix).
  as: AutonomousSystem
  # Fields describing a location.
  geo: Geo
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType:"foreign")
}

# Destination fields capture details about the receiver of a network exchange/packet.
# These fields are populated from a network event, packet, or other event containing
# details of a network transaction.
#
# Destination fields are usually populated in conjunction with source fields. The source
# and destination fields are considered the baseline and should always be filled if an
# event contains source and destination details from a network transaction. If the event
# also contains identification of the client and server roles, then the client and server
# fields should also be populated.
#
# NOTE(review): unlike Server and Client, Destination (and Source) carry no `@model`
# directive — confirm this is intentional.
type Destination implements Communications {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Free-text description of the destination endpoint.
  # (Undocumented in the original schema — confirm intended use.)
  description: String
  # Destination network address, as reported by the event.
  address: String
  # Bytes sent from the destination to the source.
  bytes: Long
  # The domain name of the destination system.
  domain: String
  # The IP address of the destination system.
  ip: IP
  # The MAC address of the destination system.
  mac: String
  # Translated IP of source based NAT sessions (e.g. internal client to internet).
  # NOTE(review): comment kept as written, but for the destination side this is
  # presumably the destination-based NAT translation (compare Server.natIp) — confirm.
  natIpp: IP
  # Port of the destination.
  port: Long
  # Translated port of source based NAT sessions.
  natPort: Long
  # Packets sent from the destination to the source.
  packets: Long
  # The highest registered destination domain, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Fields describing an Autonomous System (Internet routing prefix).
  as: AutonomousSystem
  # Fields describing a location.
  geo: Geo
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType:"foreign")
}

# Source fields capture details about the sender of a network exchange/packet.
# These fields are populated from a network event, packet, or other event containing
# details of a network transaction.
#
# Source fields are usually populated in conjunction with destination fields. The source
# and destination fields are considered the baseline and should always be filled if an
# event contains source and destination details from a network transaction. If the event
# also contains identification of the client and server roles, then the client and server
# fields should also be populated.
# NOTE(review): in the original schema every field comment on Source was copied
# verbatim from Destination ("destination system", "port of the client", ...).
# They are rewritten below for the source side; the direction given for
# bytes/packets (source to destination) is presumed by symmetry with
# Destination — confirm against the ingestion mapping.
type Source implements Communications {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Free-text description of the source endpoint.
  # (Undocumented in the original schema — confirm intended use.)
  description: String
  # Source network address, as reported by the event.
  address: String
  # Bytes sent from the source to the destination (presumed, see NOTE above).
  bytes: Long
  # The domain name of the source system.
  domain: String
  # The IP address of the source system.
  ip: IP
  # The MAC address of the source system.
  mac: String
  # Translated IP of source based NAT sessions (e.g. internal client to internet).
  # NOTE(review): field is spelled `natIpp` on Communications/Destination/Source but
  # `natIp` on ClientServer/Server/Client; likely a typo, flagged only because a
  # rename would break existing queries.
  natIpp: IP
  # Port of the source.
  port: Long
  # Translated port of source based NAT sessions.
  natPort: Long
  # Packets sent from the source to the destination (presumed, see NOTE above).
  packets: Long
  # The highest registered source domain, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Fields describing an Autonomous System (Internet routing prefix).
  as: AutonomousSystem
  # Fields describing a location.
  geo: Geo
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType:"foreign")
}

# Common fields used by both the Client and Server entities. Per-field comments
# say "this endpoint", meaning whichever side the implementing type represents.
interface ClientServer {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Free-text description of this endpoint.
  # (Undocumented in the original schema — confirm intended use.)
  description: String
  # Network address of this endpoint. See Server.address: the raw value may be an
  # IP, a domain or a unix socket and is kept as-is.
  address: String
  # The domain name of this endpoint's system.
  domain: String
  # Bytes sent from this endpoint to its peer
  # (for Client: from the client to the server).
  bytes: Long
  # Translated IP of source based NAT sessions (e.g. internal client to internet).
  natIp: IP
  # IP address of this endpoint (IPv4 or IPv6).
  ip: IP
  # MAC address of this endpoint.
  mac: String
  # Port of this endpoint.
  port: Long
  # Translated port of source based NAT sessions.
  natPort: Long
  # Packets sent from this endpoint to its peer
  # (for Client: from the client to the server).
  packets: Long
  # The highest registered domain of this endpoint, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Geographic fields derived from this endpoint's location.
  geo: Geo
  # Fields describing an Autonomous System (Internet routing prefix).
  as: AutonomousSystem @relation(mappingType: "embedded")
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType: "foreign")
}

# A Server is defined as the responder in a network connection for events regarding
# sessions, connections, or bidirectional flow records.
#
# For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP
# connection. For other protocols, the server is generally the responder in the network
# transaction. Some systems actually use the term "responder" to refer to the server in
# TCP connections. The server fields describe details about the system acting as the
# server in the network event. Server fields are usually populated in conjunction with
# client fields. Server fields are generally not populated for packet-level events.
#
# Client / server representations can add semantic context to an exchange, which is
# helpful to visualize the data in certain situations. If your context falls in that
# category, you should still ensure that source and destination are filled appropriately.
type Server implements ClientServer @model {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Some event server addresses are defined ambiguously. The event will sometimes list
  # an IP, a domain or a unix socket. You should always store the raw address in the
  # .address field. Then it should be duplicated to .ip or .domain, depending on which
  # one it is. Detection logic should key on the normalised .ip/.domain rather than on
  # this raw value.
  address: String
  # Bytes sent from the server to the client.
  bytes: Long
  # The domain name of the server system.
  # This value may be a host name, a fully qualified domain name, or another host naming
  # format. The value may derive from the original event or be added from enrichment.
  domain: String
  # IP address of the server (IPv4 or IPv6).
  ip: IP
  # Translated IP of destination based NAT sessions (e.g. internet to private DMZ).
  natIp: IP
  # MAC address of the server.
  mac: String
  # Port of the server.
  port: Long
  # Translated port of source based NAT sessions.
  # NOTE(review): natIp above is described as destination-based NAT; this is presumably
  # the destination-based NAT port as well — confirm and align the comments.
  natPort: Long
  # Packets sent from the server to the client.
  packets: Long
  # The highest registered server domain, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Free-text description of the server endpoint.
  # (Undocumented in the original schema — confirm intended use.)
  description: String
  # Geographic fields derived from the server's location.
  geo: Geo
  # Fields describing an Autonomous System (Internet routing prefix).
  # NOTE(review): ClientServer and Client declare this field with
  # `@relation(mappingType: "embedded")`; Server does not. Confirm whether the
  # mapping difference is intended.
  as: AutonomousSystem
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType: "foreign")
}

# A client is defined as the initiator of a network connection for events
# regarding sessions, connections, or bidirectional flow records.
#
# For TCP events, the client is the initiator of the TCP connection that sends the
# SYN packet(s). For other protocols, the client is generally the initiator or requestor
# in the network transaction. Some systems use the term "originator" to refer to the
# client in TCP connections. The client fields describe details about the system
# acting as the client in the network event. Client fields are usually populated
# in conjunction with server fields. Client fields are generally not populated for
# packet-level events.
#
# Client / server representations can add semantic context to an exchange, which
# is helpful to visualize the data in certain situations. If your context falls
# in that category, you should still ensure that source and destination are filled
# appropriately.
type Client implements ClientServer @model {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically populated
  # by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested objects.
  # All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized
  # for viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Free-text description of the client endpoint.
  # (Undocumented in the original schema — confirm intended use.)
  description: String
  # Client network address. As with Server.address, the raw value may be an IP,
  # a domain or a unix socket.
  address: String
  # The domain name of the client system.
  domain: String
  # Bytes sent from the client to the server.
  bytes: Long
  # Translated IP of source based NAT sessions (e.g. internal client to internet).
  natIp: IP
  # IP address of the client (IPv4 or IPv6).
  ip: IP
  # MAC address of the client.
  mac: String
  # Port of the client.
  port: Long
  # Translated port of source based NAT sessions.
  natPort: Long
  # Packets sent from the client to the server.
  packets: Long
  # The highest registered client domain, stripped of the subdomain.
  registeredDomain: String
  # The subdomain portion of a fully qualified domain name includes
  # all of the names except the host name under the registered_domain.
  subdomain: String
  # The effective top level domain (eTLD), also known as the domain
  # suffix, is the last part of the domain name.
  topLevelDomain: String
  # Geographic fields derived from the client's location.
  geo: Geo
  # Fields describing an Autonomous System (Internet routing prefix).
  as: AutonomousSystem @relation(mappingType: "embedded")
  # Fields to describe the user relevant to the event.
  user: User @relation(mappingType: "foreign")
}