JSON Lines Formatted Output

The reporting channels under Logging > Report Channels support JSON Lines formatted output.

Note

JSON Lines is a collection of newline-separated JSON objects. The internal format follows the Elastic Common Schema 1.4.

The following events are generated. The name of an event is also the value of the event.action field.

Flow tracking generates:

  • flow-update - emitted at regular intervals with updated information about a flow

  • flow-deleted - emitted when a flow is destroyed

Threats are reported by:

  • ips-hit - an IPS rule matched

  • ioc-hit - an IOC match was found

  • policy-hit - a rule with the policy hit flag set in its logging action was triggered

The policy engine also emits events of the type:

  • policy-log - a policy rule with logging enabled matched

The asset database emits:

  • asset-created - a single asset was created

  • asset-modified - an asset was updated

  • asset-deleted - an asset was removed

  • asset-auto-created - a new asset was created by auto-tracking

  • assetdb-loaded - the whole asset database was loaded and replaced with a new one

The following fields are present in all messages:

  • @timestamp

  • ecs.version="1.4"

  • observer.hostname

  • observer.vendor="Genua"

  • observer.product="TD"

  • observer.type="ips"

  • event.action

  • event.category

  • event.kind

  • event.type

Messages of the types flow-update, flow-deleted, ips-hit, ioc-hit, policy-hit, and policy-log additionally contain the following fields:

  • network.transport

  • network.type

  • network.protocol

  • network.app

  • network.flow_id - custom field

  • network.vlan_tag - custom field

  • {client, server}.packets

  • {client, server}.bytes

  • {client, server}.port

  • {client, server}.ip

  • {client, server}.mac

  • {client, server}.geo.country_iso_code

  • {client, server}.asset.id - custom field, optional

  • {client, server}.asset.name - custom field, optional

Messages of the types policy-hit and policy-log additionally contain the following fields:

  • rule.id

  • rule.name

  • rule.rulesetid - ID of the scenario

  • rule.ruleset - name of the scenario

  • rule.action - this field can be continue, allowed, blocked, or teardown

Messages of the type ips-hit additionally contain the following fields:

  • ips.id - integer, identifier of the matched IPS rule

  • ips.rev - integer, revision number of the IPS rule signature

  • ips.description - string, description of the IPS rule signature

  • ips.plain - string, the IPS rule signature itself

  • ips.updated_at - string, timestamp signaling when the IPS rule signature was updated

  • ips.references - array of objects; in each object the key indicates the reference type and the value contains the actual reference string

  • ips.tags - array of strings, information about the classification of IPS rules

Messages of the type ioc-hit additionally contain the following fields:

  • ioc.kind - the type of detected IoC, either ipv4, domain, or uri

  • ioc.value - the actual IoC found

Messages of the types ips-hit, policy-hit, and policy-log additionally contain:

  • event.severity, where

    • 1 = info,

    • 2 = notice,

    • 3 = warning,

    • 4 = critical

Messages where event.action="asset-*" contain the fields:

  • asset.id

  • asset.name
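As an added example (not the product's own code), the following Python consumer reads this JSON Lines output, flattens nested ECS objects into the dotted field names listed above, checks each record against the field lists for its event.action, and labels event.severity. It assumes records are nested ECS JSON objects but also accepts dotted top-level keys; the sample lines are constructed, and the flow field check covers only a subset of the flow fields.

```python
import json
# Required field sets, transcribed from the field lists above (FLOW is a subset of the flow fields).
COMMON = {"@timestamp", "ecs.version", "observer.hostname", "observer.vendor", "observer.product",
          "observer.type", "event.action", "event.category", "event.kind", "event.type"}
FLOW_ACTIONS = {"flow-update", "flow-deleted", "ips-hit", "ioc-hit", "policy-hit", "policy-log"}
FLOW = {"network.transport", "network.type", "network.protocol", "network.app", "network.flow_id",
        "network.vlan_tag", "client.ip", "client.port", "server.ip", "server.port"}
RULE = {"rule.id", "rule.name", "rule.rulesetid", "rule.ruleset", "rule.action"}
IPS = {"ips.id", "ips.rev", "ips.description", "ips.plain", "ips.updated_at", "ips.references", "ips.tags"}
IOC = {"ioc.kind", "ioc.value"}
SEVERITY = {1: "info", 2: "notice", 3: "warning", 4: "critical"}

def flatten(obj, prefix=""):
    # Nested ECS objects become dotted keys ({"event": {"action": x}} -> "event.action");
    # records that already use dotted keys pass through unchanged; arrays stay as values.
    out = {}
    for k, v in obj.items():
        out.update(flatten(v, f"{prefix}{k}.") if isinstance(v, dict) else {f"{prefix}{k}": v})
    return out

def required_fields(action):
    req = set(COMMON)
    if action in FLOW_ACTIONS: req |= FLOW
    if action in ("policy-hit", "policy-log"): req |= RULE
    if action == "ips-hit": req |= IPS
    if action == "ioc-hit": req |= IOC
    if action.startswith("asset-"): req |= {"asset.id", "asset.name"}
    return req

def parse_jsonl(text):
    # Returns (events, errors). Each event gets a sorted 'missing' list of required fields it lacks
    # and, when event.severity is present, a 'severity_label'; unparsable lines go to errors.
    events, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip(): continue  # tolerate blank lines between records
        try:
            rec = flatten(json.loads(line))
        except (json.JSONDecodeError, AttributeError) as e:  # AttributeError: JSON that is not an object
            errors.append((n, str(e))); continue
        rec["missing"] = sorted(required_fields(str(rec.get("event.action", ""))) - set(rec))
        if "event.severity" in rec: rec["severity_label"] = SEVERITY.get(rec["event.severity"], "unknown")
        events.append(rec)
    return events, errors
# Constructed sample (not real sensor output): a complete ioc-hit, an incomplete asset event, garbage.
SAMPLE = "\n".join([json.dumps({
    "@timestamp": "2024-01-01T00:00:00Z", "ecs": {"version": "1.4"},
    "observer": {"hostname": "sensor1", "vendor": "Genua", "product": "TD", "type": "ips"},
    "event": {"action": "ioc-hit", "category": "network", "kind": "alert", "type": "info"},
    "network": {"transport": "udp", "type": "ipv4", "protocol": "dns", "app": "dns", "flow_id": 42, "vlan_tag": 0},
    "client": {"ip": "10.0.0.5", "port": 53000}, "server": {"ip": "192.0.2.53", "port": 53},
    "ioc": {"kind": "domain", "value": "malicious.example"}}),
    '{"@timestamp": "2024-01-01T00:00:01Z", "ecs.version": "1.4", "event.action": "asset-created", "asset.id": 7}',
    "{not json"])
```

Running `parse_jsonl(SAMPLE)` yields two events (the second with a non-empty missing list) and one error for the third line, which is what a collector should surface before forwarding records to a SIEM.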