# The interface fields are used to record ingress and egress interface information
# when reported by an observer (e.g. firewall, router, load balancer) in the context
# of the observer handling a network connection. In the case of a single observer
# interface (e.g. network sensor on a span port) only the observer.ingress
# information should be populated.
type Interface {
  # Interface ID as reported by an observer (typically SNMP interface ID).
  id: ID
  # Interface alias as reported by the system, typically used in firewall
  # implementations for e.g. inside, outside, or dmz logical interface naming.
  alias: String
  # Interface name as reported by the system.
  name: String
}

# An observer is defined as a special network, security, or application device
# used to detect, observe, or create network, security, or application-related
# events and metrics.
#
# This could be a custom hardware appliance or a server that has been configured
# to run special network, security, or application software. Examples include
# firewalls, web proxies, intrusion detection/prevention systems, network
# monitoring sensors, web application firewalls, data loss prevention systems,
# and APM servers.
#
# The observer.* fields shall be populated with details of the system, if any,
# that detects, observes and/or creates a network, security, or application
# event or metric. Message queues and ETL components used in processing events
# or metrics are not considered observers.
type Observer implements BaseRecord @model {
  # Date/time when the event originated.
  #
  # This is the date/time extracted from the event, typically representing when
  # the event was generated by the source.
  #
  # If the event source has no original timestamp, this value is typically
  # populated by the first time the event was received by the pipeline.
  #
  # Required field for all events.
  timestamp: Time!
  # Custom key/value pairs.
  #
  # Can be used to add meta information to events. Should not contain nested
  # objects. All values are stored as keyword.
  #
  # Example: '{"application": "foo-bar", "env": "production"}'
  labels: JSON
  # For log events the message field contains the log message, optimized for
  # viewing in a log viewer.
  #
  # For structured logs without an original message field, other fields can be
  # concatenated to form a human-readable summary of the event.
  #
  # If multiple messages exist, they can be combined into one message.
  message: String
  # List of keywords used to tag each event.
  tags: [String]
  # Key/value pairs representing vendor-specific properties.
  attributes: JSON
  # Custom name of the observer.
  #
  # This is a name that can be given to an observer. This can be helpful, for
  # example, if multiple firewalls of the same model are used in an organization.
  name: String
  # Observer.egress holds information like interface number and name, vlan, and
  # zone information to classify egress traffic. Single-armed monitoring such as
  # a network sensor on a span port should only use observer.ingress to
  # categorize traffic.
  egress: JSON
  # Network zone of outbound traffic as reported by the observer to categorize
  # the destination area of egress traffic, e.g. Internal, External, DMZ, HR,
  # Legal, etc.
  # Flattened egress.zone.
  egressZone: String
  # Hostname of the observer.
  hostname: String
  # Observer.ingress holds information like interface number and name, vlan, and
  # zone information to classify ingress traffic. Single-armed monitoring such as
  # a network sensor on a span port should only use observer.ingress to
  # categorize traffic.
  ingress: JSON
  # Network zone of incoming traffic as reported by the observer to categorize
  # the source area of ingress traffic, e.g. Internal, External, DMZ, HR, Legal,
  # etc.
  # Flattened ingress.zone.
  ingressZone: String
  # IP addresses of the observer.
  ip: IP
  # MAC addresses of the observer.
  mac: String
  # The product name of the observer.
  product: String
  # The observer's serial number.
  serialNumber: String
  # The type of the observer the data is coming from.
  #
  # There is no predefined list of observer types. Some examples are forwarder,
  # firewall, ids, ips, proxy, poller, sensor, APM server.
  type: String
  # Vendor name of the observer.
  vendor: String
  # OS fields contain information about the operating system.
  os: OS
  # Observer version.
  version: String
  # Fields describing the observer's location.
  geo: Geo
  # Fields to describe observer interface information.
  egressInterface: Interface
  # Fields to describe observed VLAN information.
  egressVlan: Vlan
}
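The following Python is an added example, not part of the schema above or its project: it normalises a raw event into the Observer record shape, enforcing the rules the field comments state (required timestamp, flat keyword labels, egress.zone/ingress.zone flattened into egressZone/ingressZone, and ingress-only population for single-armed observers). The raw event layout, with nested `ingress`/`egress` objects carrying `zone` and `interface` keys, and the mapping of `egress.interface` onto `egressInterface`, are assumptions for the example.

```python
# Added example: normalise a raw event into an Observer record following the
# schema comments. The raw event shape (nested ingress/egress with "zone" and
# "interface" keys) is an assumption made for this example.
from datetime import datetime, timezone


class SchemaError(ValueError):
    """Raised when an event violates the Observer field rules."""


def normalize_observer(event: dict, single_armed: bool = False) -> dict:
    """Return a flattened Observer record built from a raw event dict."""
    # timestamp is required; if the source has none, use pipeline receipt time
    ts = event.get("timestamp") or datetime.now(timezone.utc).isoformat()
    # labels: custom key/value pairs, no nested objects, values kept as keyword
    labels = event.get("labels") or {}
    for key, value in labels.items():
        if isinstance(value, (dict, list)):
            raise SchemaError(f"labels.{key} must not be a nested object")
    labels = {k: str(v) for k, v in labels.items()}
    ingress = event.get("ingress") or {}
    egress = event.get("egress") or {}
    # single-armed monitoring (e.g. span-port sensor) categorises via ingress only
    if single_armed and egress:
        raise SchemaError("single-armed observer must only populate ingress")
    return {
        "timestamp": ts,
        "labels": labels,
        "name": event.get("name"),
        "hostname": event.get("hostname"),
        "type": event.get("type"),
        "ingress": ingress,
        "egress": egress,
        # flattened copies of ingress.zone / egress.zone
        "ingressZone": ingress.get("zone"),
        "egressZone": egress.get("zone"),
        # assumed mapping of the nested interface object onto egressInterface
        "egressInterface": egress.get("interface"),
    }


# Constructed sample: a firewall event with both interfaces reported
SAMPLE = {
    "timestamp": "2024-01-01T00:00:00Z",
    "labels": {"env": "production", "site": 42},
    "name": "fw-edge-01", "type": "firewall",
    "ingress": {"zone": "External", "interface": {"id": "2", "alias": "outside"}},
    "egress": {"zone": "DMZ", "interface": {"id": "3", "alias": "dmz"}},
}
```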