JSON Lines Formatted Output

The reporting channels under Logging > Report Channels support JSON Lines formatted output.

Note

JSON Lines is a text format with one JSON object per line, the objects separated by newline characters. The field layout follows the Elastic Common Schema (ECS) version 1.4.

The individual events are differentiated by the event.action field.

The flow tracking generates the following:

  • flow-created

  • flow-deleted

  • flow-update

The log and delayed log actions result in:

  • policy-rule-hit

  • alert-delayed

The asset database emits:

  • asset-created - a single asset was created

  • asset-modified - an asset was updated

  • asset-deleted - an asset was removed

  • asset-autocreated - a new asset was created by auto-tracking

  • assetdb-loaded - the whole asset database was loaded and replaced with a new one

The following fields are present in all messages:

  • @timestamp

  • ecs.version="1.4"

  • observer.hostname

  • observer.vendor="Genua"

  • observer.product="TD"

  • observer.type="ips"

  • event.action

  • event.category

  • event.kind

  • event.severity, where

    • 0 = no severity specified,

    • 1 = info,

    • 2 = notice,

    • 3 = warning,

    • 4 = critical

  • event.type

Messages where event.action is one of flow-*, policy-rule-hit, or alert-delayed contain the following additional fields:

  • network.transport

  • network.type

  • network.protocol

  • network.app

  • network.flow_id - custom field

  • network.vlan_tag - custom field

  • {client, server}.packets

  • {client, server}.bytes

  • {client, server}.port

  • {client, server}.ip

  • {client, server}.mac

  • {client, server}.geo.country_iso_code

  • {client, server}.asset.id - custom field, optional

  • {client, server}.asset.name - custom field, optional

Messages where event.action is policy-rule-hit or alert-delayed also contain:

  • rule.id

  • rule.name

  • rule.rulesetid - ID of the scenario

  • rule.ruleset - name of the scenario

  • rule.action - one of continue, allowed, blocked, or teardown

In addition, messages of the type policy-rule-hit or alert-delayed may contain the following optional fields:

  • ioc.kind - the type of the detected IoC, one of ipv4, domain, or uri

  • ioc.value - the actual IoC found

  • ips.id - integer, identifier of the matched IPS rule

  • ips.rev - integer, revision number of the IPS rule signature

  • ips.description - string, description of the IPS rule signature

  • ips.plain - string, the IPS rule signature itself

  • ips.updated_at - string, timestamp signaling when the IPS rule signature was updated

  • ips.references - array of objects, the object key indicates the reference type and the object value contains the actual reference string

  • ips.tags - array of strings, information about the classification of IPS rules

Messages where event.action matches asset-* (that is, asset-created, asset-modified, asset-deleted, and asset-autocreated) contain the fields:

  • asset.id

  • asset.name
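The field lists above can be checked mechanically when the channel is consumed by a SIEM or a detection pipeline. The following Python is an added example, not code from this page or from Genua's product: it parses JSON Lines output one record at a time, checks each event for the fields this page lists for its event.action, validates the fixed values (ecs.version "1.4", the documented rule.action set, the 0..4 severity range), and picks out rule hits that blocked a flow on an IoC match. The sample events are constructed here, not captured from a device; the event.category and event.type values in them are assumed, and the support for both flat dotted keys and nested objects is likewise an assumption, since the page does not state which form the channel emits.

```python
import json

# Field lists as given on this page.  Flat dotted names are used throughout;
# get() below resolves them against either nested or flat JSON (an assumption,
# since the page does not state which form the channel emits).
REQUIRED_COMMON = ("@timestamp", "ecs.version", "observer.hostname", "observer.vendor",
                   "observer.product", "observer.type", "event.action", "event.category",
                   "event.kind", "event.severity", "event.type")
FLOW_FIELDS = ("network.transport", "network.type", "network.protocol", "network.app",
               "network.flow_id", "network.vlan_tag") + tuple(
    f"{side}.{name}" for side in ("client", "server")
    for name in ("packets", "bytes", "port", "ip", "mac", "geo.country_iso_code"))
RULE_FIELDS = ("rule.id", "rule.name", "rule.rulesetid", "rule.ruleset", "rule.action")
ASSET_FIELDS = ("asset.id", "asset.name")
RULE_ACTIONS = ("continue", "allowed", "blocked", "teardown")
SEVERITY = {0: "unspecified", 1: "info", 2: "notice", 3: "warning", 4: "critical"}

def get(event, dotted):
    """Resolve a dotted ECS field name against a flat key or nested objects."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def required_fields(action):
    """Fields the page lists as always present for a given event.action."""
    fields = list(REQUIRED_COMMON)
    if action.startswith("flow-") or action in ("policy-rule-hit", "alert-delayed"):
        fields += FLOW_FIELDS
    if action in ("policy-rule-hit", "alert-delayed"):
        fields += RULE_FIELDS
    if action.startswith("asset-"):       # assetdb-loaded does not match asset-*
        fields += ASSET_FIELDS
    return fields

def validate(event):
    """Return a list of conformance problems; an empty list means the event conforms."""
    action = get(event, "event.action")
    if not isinstance(action, str):
        return ["event.action missing or not a string"]
    problems = [f"missing {f}" for f in required_fields(action) if get(event, f) is None]
    if get(event, "ecs.version") != "1.4":
        problems.append("ecs.version is not 1.4")
    if get(event, "event.severity") not in SEVERITY:
        problems.append("event.severity outside 0..4")
    if action in ("policy-rule-hit", "alert-delayed") and get(event, "rule.action") not in RULE_ACTIONS:
        problems.append(f"rule.action {get(event, 'rule.action')!r} not in {'/'.join(RULE_ACTIONS)}")
    return problems

def parse_jsonl(text):
    """Parse JSON Lines line by line; a malformed line is reported, not fatal."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # tolerate blank lines between records
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {lineno}: {exc.msg}")
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            errors.append(f"line {lineno}: not a JSON object")
    return events, errors

def blocked_ioc_hits(events):
    """Rule hits that blocked a flow on an IoC match, as (flow_id, kind, value, severity)."""
    return [(get(e, "network.flow_id"), get(e, "ioc.kind"), get(e, "ioc.value"),
             SEVERITY.get(get(e, "event.severity"), "unknown"))
            for e in events
            if get(e, "event.action") in ("policy-rule-hit", "alert-delayed")
            and get(e, "rule.action") == "blocked" and get(e, "ioc.value") is not None]

# Constructed sample input (not captured from a real system); category/type values assumed.
def _common(action, severity, category, event_type):
    return {"@timestamp": "2024-05-01T10:00:00.000Z", "ecs.version": "1.4",
            "observer.hostname": "td1", "observer.vendor": "Genua", "observer.product": "TD",
            "observer.type": "ips", "event.action": action, "event.category": category,
            "event.kind": "event", "event.severity": severity, "event.type": event_type}

_FLOW = {"network.transport": "tcp", "network.type": "ipv4", "network.protocol": "http",
         "network.app": "web", "network.flow_id": 7, "network.vlan_tag": 0,
         "client.packets": 1, "client.bytes": 60, "client.port": 51000, "client.ip": "10.0.0.5",
         "client.mac": "00:11:22:33:44:55", "client.geo.country_iso_code": "DE",
         "server.packets": 0, "server.bytes": 0, "server.port": 80, "server.ip": "198.51.100.9",
         "server.mac": "66:77:88:99:aa:bb", "server.geo.country_iso_code": "US"}

SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {**_common("flow-created", 1, "network", "start"), **_FLOW},
    {**_common("policy-rule-hit", 3, "intrusion_detection", "denied"), **_FLOW,
     "rule.id": 12, "rule.name": "block-ioc", "rule.rulesetid": 3, "rule.ruleset": "default",
     "rule.action": "blocked", "ioc.kind": "domain", "ioc.value": "bad.example"},
    # Nested form of the same field names (asset.id / asset.name).
    {**_common("asset-created", 1, "host", "creation"), "asset": {"id": 99, "name": "printer-1"}},
    # Deliberately nonconforming: a rule.action value the page does not define.
    {**_common("alert-delayed", 2, "intrusion_detection", "info"), **_FLOW, "rule.id": 5,
     "rule.name": "late", "rule.rulesetid": 3, "rule.ruleset": "default", "rule.action": "drop"},
]) + "\n{not json}\n"

if __name__ == "__main__":
    evs, errs = parse_jsonl(SAMPLE_JSONL)
    print("parse errors:", errs)
    for ev in evs:
        print(get(ev, "event.action"), validate(ev) or "ok")
    print("blocked IoC hits:", blocked_ioc_hits(evs))
```

A malformed line is recorded and skipped rather than aborting the batch, which matters for a detection pipeline that must not lose the records after a single corrupted one; the conformance check is kept separate from parsing so that a schema drift (a new rule.action value, a missing custom field) surfaces as a reported problem instead of a silent KeyError deep in a rule.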