JSON Lines Formatted Output
The reporting channels under Logging > Report Channels support JSON Lines formatted output.
Note
JSON Lines is a collection of newline-separated JSON objects. The internal format follows the Elastic Common Schema 1.4.
The following events are generated. The name of an event is also the value of the event.action field.
The flow tracking generates:
flow-update
    at regular intervals with updated information about a flow.
flow-deleted
    when a flow is destroyed.
Threats are reported by:
ips-hit
    when an IPS rule matches.
ioc-hit
    when an IOC match is found.
policy-hit
    when a rule with the policy hit flag in the logging action is triggered.
The policy engine also emits events of the type:
policy-log
for matched policy rules with enabled logging.
The asset database emits:
asset-created
    a single asset was created
asset-modified
    an asset was updated
asset-deleted
    an asset was removed
asset-auto-created
    a new asset was created by auto-tracking
assetdb-loaded
    the whole asset database was loaded and replaced with a new one
The following fields are present in all messages:
@timestamp
ecs.version="1.4"
observer.hostname
observer.vendor="Genua"
observer.product="TD"
observer.type="ips"
event.action
event.category
event.kind
event.type
Messages of the types flow-update, flow-deleted, ips-hit, ioc-hit, policy-hit, and policy-log additionally contain the following fields:
network.transport
network.type
network.protocol
network.app
network.flow_id
    custom field
network.vlan_tag
    custom field
{client, server}.packets
{client, server}.bytes
{client, server}.port
{client, server}.ip
{client, server}.mac
{client, server}.geo.country_iso_code
{client, server}.asset.id
    custom field, optional
{client, server}.asset.name
    custom field, optional
Messages of the types policy-hit and policy-log additionally contain the following fields:
rule.id
rule.name
rule.rulesetid
    ID of the scenario
rule.ruleset
    name of the scenario
rule.action
    one of continue, allowed, blocked, or teardown
Messages of the type ips-hit additionally contain the following fields:
ips.id
    integer, identifier of the matched IPS rule
ips.rev
    integer, revision number of the IPS rule signature
ips.description
    string, description of the IPS rule signature
ips.plain
    string, the IPS rule signature itself
ips.updated_at
    string, timestamp of when the IPS rule signature was last updated
ips.references
    array of objects; in each object the key indicates the reference type and the value contains the actual reference string
ips.tags
    array of strings, classification information about the IPS rule
Messages of the type ioc-hit additionally contain the following fields:
ioc.kind
    the type of detected IoC, either ipv4, domain, or uri
ioc.value
    the actual IoC found
Messages of the types ips-hit, policy-hit, and policy-log additionally contain:
event.severity
    1 = info, 2 = notice, 3 = warning, 4 = critical
Messages where event.action matches "asset-*" contain the fields:
asset.id
asset.name
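The field lists above, put to work as an added example (this is not code from the Genua documentation or the TD product): a small Python validator that reads JSON Lines records, flattens nested ECS-style objects into the dotted names used on this page, checks that every record carries the fields required for its event.action plus the fixed values and enumerations given here, and then summarises what an analyst would look at first. It assumes the records arrive as nested JSON objects (dotted keys are accepted too), that assetdb-loaded carries no asset.id / asset.name (the page only promises them for asset-*), and it treats the custom and optional fields as accepted but not required. All sample records, hostnames, addresses, rule IDs and signatures are constructed for the demo.

```python
# Added example (not code from the product documentation): validate and summarise
# Genua TD JSON Lines report events. Sample records are constructed; hosts, IPs,
# rule IDs and signatures are invented.
import json
from collections import Counter

COMMON = {"@timestamp", "ecs.version", "observer.hostname", "observer.vendor", "observer.product",
          "observer.type", "event.action", "event.category", "event.kind", "event.type"}
# Flow fields shared by flow, threat and policy events; the custom/optional ones
# (network.flow_id, network.vlan_tag, *.asset.id, *.asset.name) are accepted but not required.
FLOW = {"network.transport", "network.type", "network.protocol", "network.app"} | {
    f"{side}.{name}" for side in ("client", "server")
    for name in ("packets", "bytes", "port", "ip", "mac", "geo.country_iso_code")}
POLICY = {"rule.id", "rule.name", "rule.rulesetid", "rule.ruleset", "rule.action"}
IPS = {"ips.id", "ips.rev", "ips.description", "ips.plain", "ips.updated_at", "ips.references", "ips.tags"}
ASSET = {"asset.id", "asset.name"}
REQUIRED = {  # fields each event.action carries on top of COMMON
    "flow-update": FLOW, "flow-deleted": FLOW,
    "ips-hit": FLOW | IPS | {"event.severity"}, "ioc-hit": FLOW | {"ioc.kind", "ioc.value"},
    "policy-hit": FLOW | POLICY | {"event.severity"}, "policy-log": FLOW | POLICY | {"event.severity"},
    "asset-created": ASSET, "asset-modified": ASSET, "asset-deleted": ASSET,
    "asset-auto-created": ASSET, "assetdb-loaded": set()}  # assumption: no asset fields on assetdb-loaded
SEVERITY = {1: "info", 2: "notice", 3: "warning", 4: "critical"}
ALLOWED = {  # fixed values and enumerations given on this page
    "ecs.version": {"1.4"}, "observer.vendor": {"Genua"}, "observer.product": {"TD"},
    "observer.type": {"ips"}, "event.severity": set(SEVERITY),
    "rule.action": {"continue", "allowed", "blocked", "teardown"}, "ioc.kind": {"ipv4", "domain", "uri"}}

def flatten(obj, prefix=""):
    """Turn nested JSON ({"client": {"ip": ...}}) into dotted ECS keys ("client.ip")."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def validate_event(line):
    """Parse one JSON Lines record; return (flattened event or None, list of problems)."""
    try:
        ev = flatten(json.loads(line))
    except (ValueError, AttributeError) as exc:  # bad JSON, or a top-level non-object
        return None, [f"invalid JSON: {exc}"]
    action = ev.get("event.action")
    problems = [] if action in REQUIRED else [f"unknown event.action {action!r}"]
    problems += [f"missing {f}" for f in sorted((COMMON | REQUIRED.get(action, set())) - ev.keys())]
    problems += [f"unexpected {f}={ev[f]!r}" for f, ok in ALLOWED.items()
                 if f in ev and not (isinstance(ev[f], (str, int)) and ev[f] in ok)]
    return ev, problems

def summarize(lines):
    """Aggregate what an analyst looks at first: counts per action, threat severities,
    policy hits that stopped traffic, IoCs seen, and records that failed validation."""
    report = {"actions": Counter(), "severity": Counter(), "blocked": [], "iocs": [], "rejected": []}
    for number, line in enumerate(lines, 1):
        ev, problems = validate_event(line)
        if problems:
            report["rejected"].append((number, problems))
            continue
        action = ev["event.action"]
        report["actions"][action] += 1
        if "event.severity" in ev:
            report["severity"][SEVERITY[ev["event.severity"]]] += 1
        if action == "policy-hit" and ev["rule.action"] in ("blocked", "teardown"):
            report["blocked"].append((ev["rule.id"], ev["client.ip"], ev["server.ip"]))
        elif action == "ioc-hit":
            report["iocs"].append((ev["ioc.kind"], ev["ioc.value"]))
    return report

# Constructed sample records in nested (ECS-style) JSON; BASE carries the common and flow fields.
BASE = {"@timestamp": "2024-05-01T12:00:00.000Z", "ecs": {"version": "1.4"},
        "observer": {"hostname": "td-sensor-1", "vendor": "Genua", "product": "TD", "type": "ips"},
        "event": {"category": "network", "kind": "event", "type": "info"},
        "network": {"transport": "tcp", "type": "ipv4", "protocol": "http", "app": "http", "flow_id": 4711},
        "client": {"packets": 12, "bytes": 1800, "port": 51234, "ip": "192.0.2.10",
                   "mac": "00:11:22:33:44:55", "geo": {"country_iso_code": "DE"}},
        "server": {"packets": 9, "bytes": 5400, "port": 80, "ip": "198.51.100.7",
                   "mac": "66:77:88:99:aa:bb", "geo": {"country_iso_code": "US"}}}

def record(action, flow=True, **groups):
    """One JSON Lines record: BASE (minus flow fields for asset events) plus per-event groups."""
    ev = {k: v for k, v in BASE.items() if flow or k not in ("network", "client", "server")}
    ev["event"] = {**BASE["event"], "action": action, **groups.pop("event", {})}
    return json.dumps({**ev, **groups})

SAMPLE_LINES = [
    record("flow-update"),
    record("ips-hit", event={"severity": 4}, ips={
        "id": 2100001, "rev": 3, "description": "EXAMPLE web shell upload", "tags": ["example"],
        "plain": 'alert http any any -> any any (msg:"EXAMPLE"; sid:2100001; rev:3;)',
        "updated_at": "2024-04-20T00:00:00Z", "references": [{"url": "https://example.com/ref"}]}),
    record("ioc-hit", ioc={"kind": "domain", "value": "malicious.example"}),
    record("policy-hit", event={"severity": 3}, rule={"id": 17, "name": "deny-web-to-plc",
                                                      "rulesetid": 2, "ruleset": "plant-floor", "action": "blocked"}),
    record("asset-created", flow=False, asset={"id": 42, "name": "plc-07"}),
    '{"event": {"action": "ioc-hit"}}',   # incomplete record: most required fields missing
    '{"event": {"action": "flow-update"',  # truncated line, not valid JSON
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

A record that fails validation is kept out of the counters and listed under "rejected" with its line number and every problem found, so a truncated line (the usual symptom of a reporting channel cut mid-write) or a schema drift after an upgrade shows up immediately instead of silently skewing the numbers. Because only the fields this page lists are required, the validator is not confused by the optional asset fields or by additional ECS fields a later version might add.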