Complete JSON Schemas for All SIEM/MDR/DLP Tools
Modern SIEM, MDR, and DLP platforms ingest massive volumes of security telemetry from diverse sources. Each platform defines its own schema, field naming conventions, and normalization logic, making cross-tool integrations complex and error-prone.
This document provides a centralized reference of JSON schemas used by leading SIEM, MDR, and DLP tools. It consolidates vendor-published schema definitions into a single, structured format to help security engineers, SOC teams, and platform developers design consistent, interoperable security data pipelines.
Purpose & Goals
The primary goals of this reference are to:
- Act as a single source of truth for common SIEM/MDR/DLP schemas
- Simplify log normalization and schema mapping across vendors
- Support the design of vendor-agnostic ingestion pipelines
- Provide a practical reference for schema validation and parsing
Intended Audience
This document is intended for:
- Security engineers and SOC analysts
- SIEM, MDR, and DLP platform developers
- Detection engineers and threat hunters
- DevOps and platform teams handling security telemetry
- Architects designing multi-vendor security ecosystems
Scope of This Reference
Included
- Authentication, network, endpoint, and alert schemas
- Normalized event fields from major SIEM platforms
- Vendor-published JSON field structures
- Common metadata such as timestamps, severity, and identity context
Out of Scope
- Detection or correlation logic
- Vendor-specific enrichment or scoring mechanisms
- Storage, indexing, or query optimization strategies
- UI-level representations and dashboards
Schema Representation & Conventions
To maintain consistency across vendors, the following conventions are applied:
- Schemas are represented in JSON format
- Vendor schema versions are explicitly mentioned
- Field names and structures follow vendor definitions unless noted
- Example values are illustrative and non-production
- Optional and vendor-specific fields are not removed or altered
Standards & Interoperability
Where applicable, the schemas in this document align or map cleanly to widely adopted security standards, including:
- Elastic Common Schema (ECS)
- Open Cybersecurity Schema Framework (OCSF)
- OpenTelemetry semantic conventions
This makes the reference suitable for schema normalization layers and SIEM/MDR migrations.
Versioning & Maintenance
This reference is designed to evolve alongside vendor schema updates.
Schema versions are clearly indicated, and future updates will document additions, deprecations, and breaking changes where applicable.
How to Use This Reference
You can use these schemas to:
- Validate incoming security events
- Normalize logs from multiple security tools
- Build ingestion and forwarding pipelines
- Design schema-aware APIs and contracts
- Compare and map fields across SIEM/MDR platforms
The following sections provide detailed JSON schema references for each SIEM, MDR, and DLP platform, organized by vendor and data model.
TABLE OF CONTENTS
- Splunk CIM - Common Information Model
- Microsoft Sentinel ASIM - Authentication Schema
- IBM QRadar - Normalized Event Properties
- Elastic Common Schema (ECS) - Field Reference
- Suricata EVE - Alert & Event Schemas
- Additional Tools (Wazuh, OpenSearch, Zeek)
1. SPLUNK CIM - COMMON INFORMATION MODEL
1.1 Authentication Data Model Fields
{
"data_model": "Authentication",
"version": "6.3",
"description": "Authentication events including logon, logoff, elevation",
"root_dataset": "Authentication",
"child_datasets": ["Successful_Authentication", "Failed_Authentication", "Elevated_Privileges"],
"fields": {
"_time": {
"type": "timestamp",
"description": "Event timestamp",
"required": true,
"examples": ["2025-12-24T14:30:00Z"]
},
"host": {
"type": "string",
"description": "System hostname",
"required": true
},
"source": {
"type": "string",
"description": "Log source",
"required": true
},
"sourcetype": {
"type": "string",
"description": "Source type (WinEventLog, syslog, etc)",
"required": true
},
"src": {
"type": "string",
"description": "Source IP address",
"alias_of": "src_ip"
},
"src_ip": {
"type": "ip",
"description": "Source IP address",
"expected_values": ["192.168.1.1", "10.0.0.5"]
},
"src_port": {
"type": "integer",
"description": "Source port",
"expected_values": [53312, 12345]
},
"src_host": {
"type": "string",
"description": "Source hostname",
"alias_of": "src_dns"
},
"src_user": {
"type": "string",
"description": "Source username",
"alias_of": ["src_user_id", "src_login"]
},
"src_user_id": {
"type": "string",
"description": "Source user ID (SID, UID)",
"examples": ["S-1-5-21-123-456-789"]
},
"src_nt_domain": {
"type": "string",
"description": "Source Windows domain",
"expected_values": ["CONTOSO"]
},
"dest": {
"type": "string",
"description": "Destination IP address",
"alias_of": "dest_ip"
},
"dest_ip": {
"type": "ip",
"description": "Destination IP address"
},
"dest_port": {
"type": "integer",
"description": "Destination port"
},
"dest_host": {
"type": "string",
"description": "Destination hostname",
"alias_of": "dest_dns"
},
"dest_user": {
"type": "string",
"description": "Destination username",
"alias_of": ["user", "dest_user_id"]
},
"dest_nt_domain": {
"type": "string",
"description": "Destination Windows domain"
},
"user": {
"type": "string",
"description": "User (alias to dest_user)",
"required": true,
"expected_values": ["CONTOSO\\administrator", "root"]
},
"action": {
"type": "string",
"description": "Authentication action",
"expected_values": ["success", "failure", "allowed", "denied"]
},
"result": {
"type": "string",
"description": "Result status",
"expected_values": ["success", "failure", "unknown"]
},
"status": {
"type": "string",
"description": "Status field",
"expected_values": ["success", "failure"]
},
"signature": {
"type": "string",
"description": "Event signature/name",
"examples": ["Failed user account login"]
},
"signature_id": {
"type": "string",
"description": "Event signature ID",
"examples": ["4625"]
},
"category": {
"type": "string",
"description": "Event category (tag)",
"required": true,
"expected_values": ["authentication"],
"ta_relevant": true
},
"tag": {
"type": "string",
"description": "Tags applied",
"required": true,
"expected_values": ["authenticate"],
"ta_relevant": false
},
"severity": {
"type": "integer",
"description": "Event severity (0-10)",
"expected_values": [1, 2, 3, 4, 5]
},
"severity_id": {
"type": "integer",
"description": "Severity numeric",
"expected_values": [1, 2, 3]
},
"app": {
"type": "string",
"description": "Application",
"examples": ["sshd", "Windows Logon"]
},
"auth_type": {
"type": "string",
"description": "Authentication type",
"expected_values": ["password", "mfa", "certificate", "ntlm"]
},
"authentication_method": {
"type": "string",
"description": "Authentication method",
"expected_values": ["NTLM", "Kerberos", "LDAP"]
},
"change_type": {
"type": "string",
"description": "Type of change"
},
"event_id": {
"type": "string",
"description": "Windows Event ID",
"examples": ["4624", "4625", "4720"]
},
"failure_reason": {
"type": "string",
"description": "Reason for failure",
"expected_values": ["Invalid user name or password", "Account locked out", "Password expired"]
},
"logon_id": {
"type": "string",
"description": "Windows Logon ID",
"examples": ["0x1a4e3ab"]
},
"logon_type": {
"type": "integer",
"description": "Windows logon type",
"expected_values": [2, 3, 4, 5, 7, 8, 9, 10, 11]
},
"priority": {
"type": "integer",
"description": "Priority level"
},
"session_id": {
"type": "string",
"description": "Session ID"
},
"user_priority": {
"type": "string",
"description": "User priority/criticality",
"expected_values": ["critical", "high", "medium", "low"]
},
"vendor_product": {
"type": "string",
"description": "Vendor product name",
"examples": ["Windows Security", "OpenSSH", "FortiGate"]
}
},
"child_dataset_unique_fields": {
"Successful_Authentication": {
"return_code": "integer",
"return_code_description": "string"
},
"Failed_Authentication": {
"failure_reason": "string"
},
"Elevated_Privileges": {
"command": "string",
"parent_process": "string"
}
}
}
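As an added example (not part of the original reference), the following Python validator consumes the field-reference format used above (type, required, expected_values, alias_of) to check incoming events, one of the uses listed under "How to Use This Reference". The AUTH_FIELDS subset and the two sample events are constructed here; the full JSON block above can be loaded with json.load() and passed in unchanged.

```python
"""Validate a Splunk CIM Authentication event against the page's field reference."""
import ipaddress
from datetime import datetime

# Subset of the Authentication data model reference above (same keys:
# type, required, expected_values, alias_of). Constructed for this example.
AUTH_FIELDS = {
    "_time": {"type": "timestamp", "required": True},
    "host": {"type": "string", "required": True},
    "src": {"type": "string", "alias_of": "src_ip"},
    "src_ip": {"type": "ip"},
    "src_port": {"type": "integer"},
    "src_user": {"type": "string", "alias_of": ["src_user_id", "src_login"]},
    "user": {"type": "string", "required": True},
    "action": {"type": "string",
               "expected_values": ["success", "failure", "allowed", "denied"]},
    "logon_type": {"type": "integer",
                   "expected_values": [2, 3, 4, 5, 7, 8, 9, 10, 11]},
    "event_id": {"type": "string"},
    "severity": {"type": "integer"},
}


def _type_ok(value, cim_type):
    """Check a value against the reference's type vocabulary (string, integer, ip, timestamp)."""
    if cim_type == "string":
        return isinstance(value, str)
    if cim_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if cim_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if cim_type == "timestamp":
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return True  # a type the reference does not define: do not reject


def resolve_aliases(event, fields=AUTH_FIELDS):
    """Fill a missing field from the field(s) it is declared an alias of, e.g. src <- src_ip."""
    out = dict(event)
    for name, spec in fields.items():
        targets = spec.get("alias_of", [])
        if isinstance(targets, str):
            targets = [targets]
        if name not in out:
            for target in targets:
                if target in out:
                    out[name] = out[target]
                    break
    return out


def validate(event, fields=AUTH_FIELDS):
    """Return a list of violation strings; an empty list means the event conforms."""
    event = resolve_aliases(event, fields)
    problems = []
    for name, spec in fields.items():
        if name not in event:
            if spec.get("required"):
                problems.append(f"missing required field {name}")
            continue
        value = event[name]
        if not _type_ok(value, spec["type"]):
            problems.append(f"{name}: expected {spec['type']}, got {value!r}")
            continue
        allowed = spec.get("expected_values")
        if allowed is not None and value not in allowed:
            problems.append(f"{name}: {value!r} not in {allowed}")
    return problems


# Constructed sample events (not taken from any real log source).
GOOD_EVENT = {
    "_time": "2025-12-24T14:30:00Z",
    "host": "dc01",
    "src_ip": "10.0.0.5",
    "src_port": 53312,
    "user": "CONTOSO\\administrator",
    "action": "failure",
    "logon_type": 3,
    "event_id": "4625",
    "severity": 3,
}
BAD_EVENT = {
    "_time": "2025-12-24T14:30:00Z",
    "host": "dc01",
    "src_ip": "10.0.0.999",   # not an IP address
    "action": "ok",           # not an expected value
    "logon_type": "3",        # string instead of integer
    # "user" is missing although the reference marks it required
}

if __name__ == "__main__":
    print(validate(GOOD_EVENT))  # []
    for problem in validate(BAD_EVENT):
        print(problem)
```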
1.2 Network Traffic Data Model Fields
{
"data_model": "Network_Traffic",
"version": "6.3",
"description": "Network session and traffic events",
"root_dataset": "Traffic",
"child_datasets": ["Allowed_Traffic", "Denied_Traffic"],
"fields": {
"src": {"type": "ip", "description": "Source IP"},
"src_ip": {"type": "ip", "description": "Source IP"},
"src_port": {"type": "integer", "description": "Source port"},
"src_host": {"type": "string", "description": "Source hostname"},
"src_user": {"type": "string", "description": "Source user"},
"src_nt_domain": {"type": "string", "description": "Source domain"},
"dest": {"type": "ip", "description": "Destination IP"},
"dest_ip": {"type": "ip", "description": "Destination IP"},
"dest_port": {"type": "integer", "description": "Destination port"},
"dest_host": {"type": "string", "description": "Destination hostname"},
"dest_user": {"type": "string", "description": "Destination user"},
"protocol": {"type": "string", "description": "Protocol", "expected_values": ["tcp", "udp", "icmp", "ip"]},
"action": {"type": "string", "description": "Action taken", "expected_values": ["allowed", "denied", "blocked", "dropped"]},
"app": {"type": "string", "description": "Application", "examples": ["http", "https", "ssh", "dns"]},
"bytes": {"type": "integer", "description": "Total bytes"},
"bytes_in": {"type": "integer", "description": "Bytes inbound"},
"bytes_out": {"type": "integer", "description": "Bytes outbound"},
"duration": {"type": "integer", "description": "Connection duration (seconds)"},
"packets": {"type": "integer", "description": "Total packets"},
"packets_in": {"type": "integer", "description": "Packets inbound"},
"packets_out": {"type": "integer", "description": "Packets outbound"},
"vendor_product": {"type": "string", "description": "Vendor product"},
"vendor_action": {"type": "string", "description": "Vendor-specific action"},
"rule": {"type": "string", "description": "Rule name"},
"rule_id": {"type": "string", "description": "Rule ID"},
"severity": {"type": "integer", "description": "Severity level"}
}
}
1.3 Endpoint Protection Data Model Fields
{
"data_model": "Endpoint",
"version": "6.3",
"description": "Endpoint activity including processes, files, registry",
"child_datasets": ["Processes", "File_Activity", "Registry_Activity", "Service_Activity"],
"process_fields": {
"process": {"type": "string", "description": "Process name", "examples": ["svchost.exe", "cmd.exe"]},
"process_name": {"type": "string", "description": "Process name"},
"process_id": {"type": "integer", "description": "Process ID (PID)"},
"process_guid": {"type": "string", "description": "Process GUID"},
"process_hash": {"type": "string", "description": "Process file hash (MD5/SHA256)"},
"parent_process": {"type": "string", "description": "Parent process name"},
"parent_process_id": {"type": "integer", "description": "Parent PID"},
"process_exec_time": {"type": "timestamp", "description": "Process execution time"},
"command_line": {"type": "string", "description": "Full command line"},
"user": {"type": "string", "description": "User running process"},
"integrity_level": {"type": "string", "description": "Integrity level", "expected_values": ["Low", "Medium", "High", "System"]},
"dest_user": {"type": "string", "description": "Destination user"},
"dest_host": {"type": "string", "description": "Destination host"}
},
"file_fields": {
"file_name": {"type": "string", "description": "File name", "examples": ["malware.exe", "config.txt"]},
"file_path": {"type": "string", "description": "Full file path"},
"file_hash": {"type": "string", "description": "File hash (MD5/SHA256)"},
"file_size": {"type": "integer", "description": "File size in bytes"},
"file_acl": {"type": "string", "description": "File ACL"},
"dest_file_name": {"type": "string", "description": "Destination file name"},
"dest_file_path": {"type": "string", "description": "Destination file path"},
"src_file_name": {"type": "string", "description": "Source file name"},
"src_file_path": {"type": "string", "description": "Source file path"},
"action": {"type": "string", "description": "File action", "expected_values": ["created", "modified", "deleted", "accessed", "renamed"]},
"user": {"type": "string", "description": "User accessing file"},
"change_type": {"type": "string", "description": "Type of change"}
},
"registry_fields": {
"registry_path": {"type": "string", "description": "Registry path"},
"registry_key_name": {"type": "string", "description": "Registry key name"},
"registry_value_name": {"type": "string", "description": "Registry value name"},
"registry_value_data": {"type": "string", "description": "Registry value data"},
"registry_value_type": {"type": "string", "description": "Registry value type", "expected_values": ["REG_SZ", "REG_DWORD", "REG_BINARY"]},
"action": {"type": "string", "description": "Registry action", "expected_values": ["created", "modified", "deleted"]},
"user": {"type": "string", "description": "User modifying registry"}
}
}
1.4 Data Loss Prevention (DLP) Data Model Fields
{
"data_model": "Data_Loss_Prevention",
"version": "6.3",
"description": "DLP policy violations and detections",
"fields": {
"dlp_type": {"type": "string", "description": "DLP type", "expected_values": ["Email", "Web", "Endpoint", "Application"]},
"category": {"type": "string", "description": "Content category"},
"action": {"type": "string", "description": "DLP action", "expected_values": ["block", "allow", "quarantine", "log", "notify"]},
"severity": {"type": "string", "description": "Severity", "expected_values": ["High", "Medium", "Low"]},
"policy_name": {"type": "string", "description": "DLP policy name"},
"policy_id": {"type": "string", "description": "Policy ID"},
"rule_name": {"type": "string", "description": "Rule name"},
"rule_id": {"type": "string", "description": "Rule ID"},
"user": {"type": "string", "description": "User"},
"src_user": {"type": "string", "description": "Source user"},
"dest_user": {"type": "string", "description": "Destination user"},
"src_ip": {"type": "ip", "description": "Source IP"},
"dest_ip": {"type": "ip", "description": "Destination IP"},
"src_host": {"type": "string", "description": "Source host"},
"dest_host": {"type": "string", "description": "Destination host"},
"file_name": {"type": "string", "description": "File name"},
"file_size": {"type": "integer", "description": "File size"},
"file_hash": {"type": "string", "description": "File hash"},
"event_id": {"type": "string", "description": "Event ID"},
"content_type": {"type": "string", "description": "Content type", "expected_values": ["PII", "PCI", "SourceCode", "SSN", "CreditCard"]},
"match_count": {"type": "integer", "description": "Number of matches"},
"data_classification": {"type": "string", "description": "Data classification", "expected_values": ["Confidential", "Internal", "Public"]},
"vendor_product": {"type": "string", "description": "Vendor product"},
"protocol": {"type": "string", "description": "Protocol/Channel"}
}
}
2. MICROSOFT SENTINEL ASIM - AUTHENTICATION SCHEMA
2.1 Complete Authentication Schema (v0.1.4)
{
"schema_name": "ASimAuthentication",
"version": "0.1.4",
"description": "Microsoft Sentinel Authentication Normalization Schema",
"mandatory_fields": {
"EventCount": {
"type": "int",
"description": "The number of events described by the record",
"field_class": "Mandatory"
},
"EventStartTime": {
"type": "datetime",
"description": "The date and time in UTC in which the event started. If the source reports only date without time, this field contains 00:00:00.000 in the time portion.",
"format": "ISO 8601"
},
"EventEndTime": {
"type": "datetime",
"description": "The date and time in UTC in which the event ended. If the source reports only the date without time, this field contains 23:59:59.999 in the time portion.",
"format": "ISO 8601"
},
"EventType": {
"type": "string (enumerated)",
"description": "The operation reported by the record",
"allowed_values": ["Logon", "Logoff", "Elevate"],
"field_class": "Mandatory"
},
"EventResult": {
"type": "string (enumerated)",
"description": "The result of the authentication event",
"allowed_values": ["Success", "Failure", "Partial", "Unknown"],
"field_class": "Mandatory"
},
"EventProduct": {
"type": "string",
"description": "The product generating the event",
"examples": ["Azure AD", "Windows Server", "Okta"],
"field_class": "Mandatory"
},
"EventVendor": {
"type": "string",
"description": "The vendor of the product generating the event",
"examples": ["Microsoft", "Okta", "Google"],
"field_class": "Mandatory"
},
"EventSchema": {
"type": "string",
"description": "The schema name",
"value": "Authentication",
"field_class": "Mandatory"
},
"EventSchemaVersion": {
"type": "string",
"description": "The version of the schema",
"value": "0.1.4",
"field_class": "Mandatory"
},
"Dvc": {
"type": "string",
"description": "The device reporting the event",
"field_class": "Mandatory"
}
},
"recommended_fields": {
"EventResultDetails": {
"type": "string",
"description": "The details associated with the event result",
"allowed_values": [
"No such user or password",
"No such user",
"Incorrect password",
"Incorrect key",
"Account expired",
"Password expired",
"User locked",
"User disabled",
"Logon violates policy",
"Session expired",
"Other"
],
"field_class": "Recommended"
},
"EventSeverity": {
"type": "string (enumerated)",
"description": "The severity of the event",
"allowed_values": ["Informational", "Low", "Medium", "High"],
"field_class": "Recommended"
},
"EventUid": {
"type": "string",
"description": "A unique identifier for the event",
"field_class": "Recommended"
},
"DvcIpAddr": {
"type": "ip",
"description": "IP address of the device reporting the event",
"field_class": "Recommended"
},
"DvcHostname": {
"type": "string",
"description": "Hostname of the device reporting the event",
"field_class": "Recommended"
},
"DvcDomain": {
"type": "string",
"description": "Domain of the device reporting the event",
"field_class": "Recommended"
},
"DvcFQDN": {
"type": "string",
"description": "FQDN of the device reporting the event",
"field_class": "Recommended"
},
"DvcId": {
"type": "string",
"description": "The ID of the device reporting the event",
"field_class": "Recommended"
},
"DvcAction": {
"type": "string",
"description": "The action taken by the device",
"field_class": "Recommended"
}
},
"actor_fields": {
"ActorUserId": {
"type": "string",
"description": "A machine-readable, alphanumeric, unique representation of the Actor",
"examples": ["S-1-12-1-4141952679-1282074057-627758481-2916039507"],
"field_class": "Optional"
},
"ActorUsername": {
"type": "string",
"description": "The Actor's username, including domain information when available",
"examples": ["AlbertE", "CONTOSO\\alice"],
"field_class": "Optional"
},
"ActorUsernameType": {
"type": "string (enumerated)",
"description": "The type of the user name",
"allowed_values": ["Windows", "UPN", "DN", "Email", "LDAP", "Simple"],
"field_class": "Conditional"
},
"ActorUserType": {
"type": "string (enumerated)",
"description": "The type of the Actor",
"allowed_values": ["Member", "Guest", "Application", "Service"],
"field_class": "Optional"
},
"ActorOriginalUserType": {
"type": "string",
"description": "The user type as reported by the reporting device",
"field_class": "Optional"
},
"ActorSessionId": {
"type": "string",
"description": "The unique ID of the sign-in session of the Actor",
"examples": ["102pTUgC3p8RIqHvzxLCHnFlg"],
"field_class": "Optional"
},
"ActorScope": {
"type": "string",
"description": "The scope in which ActorUserId and ActorUsername are defined",
"examples": ["Contoso", "Microsoft Entra"],
"field_class": "Optional"
},
"ActorScopeId": {
"type": "string",
"description": "The scope ID, such as Microsoft Entra Directory ID",
"field_class": "Optional"
}
},
"target_user_fields": {
"TargetUserId": {
"type": "string",
"description": "A machine-readable, alphanumeric, unique representation of the target user",
"examples": ["00urjk4znu3BcncfY0h7"],
"field_class": "Optional"
},
"TargetUsername": {
"type": "string",
"description": "The target user username, including domain information when available",
"examples": ["MarieC", "CONTOSO\\bob"],
"field_class": "Optional"
},
"TargetUsernameType": {
"type": "string (enumerated)",
"description": "The type of the username",
"allowed_values": ["Windows", "UPN", "DN", "Email", "LDAP", "Simple"],
"field_class": "Conditional"
},
"TargetUserType": {
"type": "string (enumerated)",
"description": "The type of the Target user",
"allowed_values": ["Member", "Guest", "Application", "Service"],
"field_class": "Optional"
},
"TargetUserScope": {
"type": "string",
"description": "The scope in which TargetUserId and TargetUsername are defined",
"field_class": "Optional"
},
"TargetUserScopeId": {
"type": "string",
"description": "The scope ID of the target user",
"field_class": "Optional"
},
"TargetSessionId": {
"type": "string",
"description": "The sign-in session identifier of the TargetUser on the source device",
"field_class": "Optional"
}
},
"source_system_fields": {
"SrcIpAddr": {
"type": "ip",
"description": "The IP address of the source device",
"examples": ["2.2.2.2"],
"field_class": "Optional"
},
"SrcPortNumber": {
"type": "integer",
"description": "The IP port from which the connection originated",
"examples": [2335],
"field_class": "Optional"
},
"SrcHostname": {
"type": "string",
"description": "The source device hostname, excluding domain information",
"examples": ["DESKTOP-1282V4D"],
"field_class": "Recommended"
},
"SrcDomain": {
"type": "string",
"description": "The domain of the source device",
"examples": ["Contoso"],
"field_class": "Recommended"
},
"SrcFQDN": {
"type": "string",
"description": "The source device hostname, including domain information",
"examples": ["Contoso\\DESKTOP-1282V4D"],
"field_class": "Optional"
},
"SrcDvcId": {
"type": "string",
"description": "The ID of the source device",
"examples": ["ac7e9755-8eae-4ffc-8a02-50ed7a2216c3"],
"field_class": "Optional"
},
"SrcGeoCountry": {
"type": "string",
"description": "The country/region associated with the source IP address",
"examples": ["Canada"],
"field_class": "Optional"
},
"SrcGeoCity": {
"type": "string",
"description": "The city associated with the source IP address",
"examples": ["Montreal"],
"field_class": "Optional"
},
"SrcRiskLevel": {
"type": "integer",
"description": "The risk level associated with the source (0-100)",
"examples": [90],
"field_class": "Optional"
}
},
"target_system_fields": {
"TargetHostname": {
"type": "string",
"description": "The target device hostname, excluding domain information",
"examples": ["DESKTOP-1282V4D"],
"field_class": "Recommended"
},
"TargetDomain": {
"type": "string",
"description": "The domain of the target device",
"examples": ["Contoso"],
"field_class": "Recommended"
},
"TargetFQDN": {
"type": "string",
"description": "The target device hostname, including domain information",
"examples": ["Contoso\\DESKTOP-1282V4D"],
"field_class": "Optional"
},
"TargetDvcId": {
"type": "string",
"description": "The ID of the target device",
"field_class": "Optional"
},
"TargetIpAddr": {
"type": "ip",
"description": "The IP address of the target device",
"examples": ["2.2.2.2"],
"field_class": "Optional"
},
"TargetDvcOs": {
"type": "string",
"description": "The OS of the target device",
"examples": ["Windows 10"],
"field_class": "Optional"
},
"TargetGeoCountry": {
"type": "string",
"description": "The country/region associated with the target IP address",
"examples": ["USA"],
"field_class": "Optional"
}
},
"acting_app_fields": {
"ActingAppId": {
"type": "string",
"description": "The ID of the application authorizing on behalf of the actor",
"examples": ["0x12ae8"],
"field_class": "Optional"
},
"ActingAppName": {
"type": "string",
"description": "The name of the application authorizing on behalf of the actor",
"examples": ["C:\\Windows\\System32\\svchost.exe"],
"field_class": "Optional"
},
"ActingAppType": {
"type": "string",
"description": "The type of acting application",
"field_class": "Optional"
},
"HttpUserAgent": {
"type": "string",
"description": "User agent string when authentication is performed over HTTP",
"examples": ["Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)"],
"field_class": "Optional"
}
},
"target_app_fields": {
"TargetAppId": {
"type": "string",
"description": "The ID of the application to which the authorization is required",
"examples": ["89162"],
"field_class": "Optional"
},
"TargetAppName": {
"type": "string",
"description": "The name of the application to which the authorization is required",
"examples": ["Salesforce"],
"field_class": "Optional"
},
"TargetUrl": {
"type": "url",
"description": "The URL associated with the target application",
"field_class": "Optional"
}
},
"threat_fields": {
"ThreatId": {
"type": "string",
"description": "The ID of the threat or malware",
"field_class": "Optional"
},
"ThreatName": {
"type": "string",
"description": "The name of the threat or malware",
"field_class": "Optional"
},
"ThreatCategory": {
"type": "string",
"description": "The category of the threat or malware",
"field_class": "Optional"
},
"ThreatRiskLevel": {
"type": "integer",
"description": "The risk level associated with the identified threat (0-100)",
"field_class": "Optional"
},
"ThreatConfidence": {
"type": "integer",
"description": "The confidence level of the threat (0-100)",
"field_class": "Optional"
}
},
"optional_fields": {
"EventMessage": {"type": "string", "description": "Event message"},
"EventSubType": {
"type": "string",
"description": "The sign-in type",
"allowed_values": ["System", "Interactive", "RemoteInteractive", "Service", "RemoteService", "Remote", "AssumeRole"]
},
"LogonMethod": {"type": "string", "description": "Method used for authentication", "examples": ["Username & Password", "PKI"]},
"LogonProtocol": {"type": "string", "description": "Protocol used", "examples": ["NTLM", "Kerberos"]},
"AdditionalFields": {"type": "dynamic", "description": "JSON bag for additional fields"},
"RuleName": {"type": "string", "description": "Rule name"},
"RuleNumber": {"type": "integer", "description": "Rule number"}
}
}
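Added example, not vendor code: mapping a CIM Authentication event from section 1.1 onto the ASIM Authentication schema above, the cross-platform field mapping that "How to Use This Reference" describes, with the output checked against the mandatory field classes and enumerations listed in the schema. The EVENT_ID_TO_TYPE, LOGON_TYPE_TO_SUBTYPE, FAILURE_TO_DETAILS and RESULT_MAP tables and the sample event are this example's own assumptions, to be checked against the vendor's parsers before use.

```python
"""Map a Splunk CIM Authentication event onto the ASimAuthentication schema (v0.1.4)."""
from datetime import datetime, timezone

# Enumerations and mandatory fields copied from the ASIM reference above.
ASIM_EVENT_TYPES = {"Logon", "Logoff", "Elevate"}
ASIM_RESULTS = {"Success", "Failure", "Partial", "Unknown"}
ASIM_MANDATORY = ("EventCount", "EventStartTime", "EventEndTime", "EventType",
                  "EventResult", "EventProduct", "EventVendor", "EventSchema",
                  "EventSchemaVersion", "Dvc")

# Assumed mapping tables (this example's choices, not vendor parser logic).
EVENT_ID_TO_TYPE = {"4624": "Logon", "4625": "Logon", "4634": "Logoff", "4647": "Logoff"}
LOGON_TYPE_TO_SUBTYPE = {2: "Interactive", 3: "Remote", 5: "Service", 10: "RemoteInteractive"}
FAILURE_TO_DETAILS = {          # CIM failure_reason -> ASIM EventResultDetails
    "Invalid user name or password": "No such user or password",
    "Account locked out": "User locked",
    "Password expired": "Password expired",
}
RESULT_MAP = {"success": "Success", "allowed": "Success",
              "failure": "Failure", "denied": "Failure"}


def _username_type(name):
    """Classify a username with the ASIM *UsernameType vocabulary (Windows, UPN, DN, Simple)."""
    if "\\" in name:
        return "Windows"
    if "@" in name:
        return "UPN"
    if name.upper().startswith("CN="):
        return "DN"
    return "Simple"


def cim_to_asim(cim, vendor="Microsoft"):
    """Return an ASimAuthentication record built from a CIM Authentication event dict."""
    ts = datetime.fromisoformat(cim["_time"].replace("Z", "+00:00"))
    ts = ts.astimezone(timezone.utc).isoformat()
    rec = {
        "EventCount": 1,
        "EventStartTime": ts,
        "EventEndTime": ts,  # point-in-time event: start equals end
        "EventType": EVENT_ID_TO_TYPE.get(str(cim.get("event_id")), "Logon"),
        "EventResult": RESULT_MAP.get(cim.get("action", cim.get("result", "")), "Unknown"),
        "EventProduct": cim.get("vendor_product", "unknown"),
        "EventVendor": vendor,
        "EventSchema": "Authentication",
        "EventSchemaVersion": "0.1.4",
        "Dvc": cim["host"],
    }
    # CIM "user" is an alias of dest_user, i.e. the account being logged on to (ASIM Target).
    if "user" in cim:
        rec["TargetUsername"] = cim["user"]
        rec["TargetUsernameType"] = _username_type(cim["user"])
    if "src_user" in cim:
        rec["ActorUsername"] = cim["src_user"]
        rec["ActorUsernameType"] = _username_type(cim["src_user"])
    # Source and target system fields.
    if "src_ip" in cim:
        rec["SrcIpAddr"] = cim["src_ip"]
    if "src_port" in cim:
        rec["SrcPortNumber"] = int(cim["src_port"])
    if "src_host" in cim:
        rec["SrcHostname"] = cim["src_host"]
    if "dest_host" in cim:
        rec["TargetHostname"] = cim["dest_host"]
    # Optional fields; unmapped logon types leave EventSubType unset rather than guessed.
    if cim.get("logon_type") in LOGON_TYPE_TO_SUBTYPE:
        rec["EventSubType"] = LOGON_TYPE_TO_SUBTYPE[cim["logon_type"]]
    if "authentication_method" in cim:
        rec["LogonProtocol"] = cim["authentication_method"]
    if rec["EventResult"] == "Failure":
        rec["EventResultDetails"] = FAILURE_TO_DETAILS.get(cim.get("failure_reason", ""), "Other")
    # Guard: the record must carry every mandatory field with values from the enumerations.
    missing = [f for f in ASIM_MANDATORY if f not in rec]
    if missing or rec["EventType"] not in ASIM_EVENT_TYPES or rec["EventResult"] not in ASIM_RESULTS:
        raise ValueError(f"invalid ASIM record: missing={missing}")
    return rec


# Constructed CIM event (a failed network logon), not from a real source.
SAMPLE_CIM = {
    "_time": "2025-12-24T14:30:00Z",
    "host": "dc01",
    "src_ip": "10.0.0.5",
    "src_port": 53312,
    "src_host": "ws-42",
    "dest_host": "dc01",
    "user": "CONTOSO\\alice",
    "src_user": "CONTOSO\\ws-42$",
    "action": "failure",
    "failure_reason": "Account locked out",
    "logon_type": 3,
    "event_id": "4625",
    "authentication_method": "NTLM",
    "vendor_product": "Windows Security",
}

if __name__ == "__main__":
    import json
    print(json.dumps(cim_to_asim(SAMPLE_CIM), indent=2))
```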
3. IBM QRADAR - NORMALIZED EVENT PROPERTIES
3.1 Complete QRadar Event Schema
{
"platform": "IBM QRadar SIEM",
"version": "7.5.x",
"description": "QRadar Normalized Event Properties and Custom Properties",
"event_unique_identification": {
"sourceIP": {
"type": "ip",
"description": "Source IP address",
"required": true,
"notes": "Primary key component"
},
"destinationIP": {
"type": "ip",
"description": "Destination IP address",
"required": true,
"notes": "Primary key component"
},
"destinationPort": {
"type": "integer",
"description": "Destination port",
"required": true,
"notes": "Primary key component"
},
"protocol": {
"type": "string",
"description": "Network protocol",
"required": true,
"allowed_values": ["TCP", "UDP", "ICMP", "IGMP"],
"notes": "Primary key component"
},
"username": {
"type": "string",
"description": "Username associated with event",
"notes": "Primary key component"
},
"logSourceId": {
"type": "integer",
"description": "Log source ID or Event ID",
"required": true,
"notes": "Primary key component"
}
},
"normalized_event_properties": {
"eventId": {
"type": "integer",
"description": "Event ID (QID - QRadar Intelligence ID)",
"examples": [1234, 5678],
"category": "Event Identification"
},
"eventName": {
"type": "string",
"description": "Name of the event",
"examples": ["User login failure", "Firewall Allow"],
"category": "Event Identification"
},
"eventCategory": {
"type": "string",
"description": "Category of the event",
"examples": ["Authentication", "Firewall", "Malware", "Policy"],
"category": "Event Classification"
},
"eventType": {
"type": "string",
"description": "Type of the event",
"category": "Event Classification"
},
"sourceIP": {
"type": "ip",
"description": "Source IP address",
"category": "Source Properties"
},
"sourcePort": {
"type": "integer",
"description": "Source port",
"category": "Source Properties"
},
"sourceHostname": {
"type": "string",
"description": "Source hostname",
"category": "Source Properties"
},
"sourceUsername": {
"type": "string",
"description": "Source username",
"category": "Source Properties"
},
"sourceUserId": {
"type": "string",
"description": "Source user ID",
"category": "Source Properties"
},
"destinationIP": {
"type": "ip",
"description": "Destination IP address",
"category": "Destination Properties"
},
"destinationPort": {
"type": "integer",
"description": "Destination port",
"category": "Destination Properties"
},
"destinationHostname": {
"type": "string",
"description": "Destination hostname",
"category": "Destination Properties"
},
"targetUsername": {
"type": "string",
"description": "Target/Destination username",
"category": "Destination Properties"
},
"protocol": {
"type": "string",
"description": "Network protocol",
"category": "Network Properties"
},
"severity": {
"type": "integer",
"description": "Severity level",
"range": "1-15",
"category": "Risk Assessment"
},
"magnitude": {
"type": "integer",
"description": "Magnitude score",
"range": "1-5",
"category": "Risk Assessment"
},
"confidence": {
"type": "integer",
"description": "Confidence level",
"range": "0-100",
"category": "Risk Assessment"
},
"eventStartTime": {
"type": "datetime",
"description": "Event start timestamp (Curator receive time)",
"category": "Timing"
},
"eventLogSourceTime": {
"type": "datetime",
"description": "Log source timestamp",
"category": "Timing"
},
"eventCuratorTime": {
"type": "datetime",
"description": "Curator processing time",
"category": "Timing"
},
"userName": {
"type": "string",
"description": "Username (generalized)",
"category": "User Information"
},
"userId": {
"type": "string",
"description": "User ID",
"category": "User Information"
},
"userType": {
"type": "string",
"description": "Type of user",
"category": "User Information"
},
"domain": {
"type": "string",
"description": "Domain",
"category": "User Information"
},
"deviceProduct": {
"type": "string",
"description": "Product name",
"examples": ["Windows Security", "Palo Alto Networks"],
"category": "Device Information"
},
"deviceVendor": {
"type": "string",
"description": "Vendor name",
"examples": ["Microsoft", "Palo Alto Networks"],
"category": "Device Information"
},
"processName": {
"type": "string",
"description": "Process name",
"category": "Process Information"
},
"processId": {
"type": "integer",
"description": "Process ID",
"category": "Process Information"
},
"filePath": {
"type": "string",
"description": "File path",
"category": "File Information"
},
"fileName": {
"type": "string",
"description": "File name",
"category": "File Information"
},
"fileHash": {
"type": "string",
"description": "File hash",
"category": "File Information"
},
"url": {
"type": "string",
"description": "URL",
"category": "HTTP/Web"
},
"userAgent": {
"type": "string",
"description": "HTTP User-Agent",
"category": "HTTP/Web"
},
"httpMethod": {
"type": "string",
"description": "HTTP method",
"examples": ["GET", "POST"],
"category": "HTTP/Web"
},
"responseCode": {
"type": "integer",
"description": "HTTP response code",
"examples": [200, 404, 403],
"category": "HTTP/Web"
},
"dns_question": {
"type": "string",
"description": "DNS query",
"category": "DNS"
},
"dns_answer": {
"type": "string",
"description": "DNS answer",
"category": "DNS"
},
"recordType": {
"type": "string",
"description": "DNS record type",
"examples": ["A", "AAAA", "MX", "CNAME"],
"category": "DNS"
},
"certificateSubject": {
"type": "string",
"description": "TLS certificate subject",
"category": "TLS/SSL"
},
"certificateIssuer": {
"type": "string",
"description": "TLS certificate issuer",
"category": "TLS/SSL"
},
"threatName": {
"type": "string",
"description": "Threat name",
"category": "Threat Intelligence"
},
"threatCategory": {
"type": "string",
"description": "Threat category",
"category": "Threat Intelligence"
},
"policyName": {
"type": "string",
"description": "Policy name",
"category": "Policy/Rules"
},
"ruleName": {
"type": "string",
"description": "Rule name",
"category": "Policy/Rules"
},
"ruleId": {
"type": "integer",
"description": "Rule ID",
"category": "Policy/Rules"
},
"offenseId": {
"type": "integer",
"description": "Offense ID",
"category": "Offense Tracking"
},
"offenseStatus": {
"type": "string",
"description": "Offense status",
"allowed_values": ["New", "In Progress", "Resolved", "Closed"],
"category": "Offense Tracking"
},
"correlationId": {
"type": "integer",
"description": "Correlation rule ID",
"category": "Correlation"
},
"payload": {
"type": "string",
"description": "Raw event payload/message",
"category": "Raw Data"
},
"rawEvent": {
"type": "string",
"description": "Original event line",
"category": "Raw Data"
},
"logSourceName": {
"type": "string",
"description": "Log source name",
"category": "Source Identification"
}
},
"custom_event_properties": {
"property_types": [
"Regex-Based",
"JSON-Based",
"CEF-Based",
"LEEF-Based",
"Payload Test",
"Payload Index",
"Payload Length"
],
"examples": {
"custom_field_1": {
"name": "Application_Name",
"type": "Regex-Based",
"description": "Extract application name from log",
"regex_pattern": "app=([^\\s]+)",
"examples": ["custom_prop_1_example"]
},
"custom_field_2": {
"name": "Customer_ID",
"type": "JSON-Based",
"description": "Extract from JSON payload",
"json_path": "$.customer.id",
"examples": ["custom_prop_2_example"]
},
"custom_field_3": {
"name": "Alert_Status",
"type": "Payload Index",
"description": "Status from payload position",
"start_position": 100,
"end_position": 120,
"examples": ["custom_prop_3_example"]
}
}
},
"flow_properties": {
"sourceIP": {"type": "ip"},
"destinationIP": {"type": "ip"},
"sourcePort": {"type": "integer"},
"destinationPort": {"type": "integer"},
"protocol": {"type": "string"},
"flowStartTime": {"type": "datetime"},
"flowEndTime": {"type": "datetime"},
"flowDuration": {"type": "integer", "unit": "milliseconds"},
"bytesTransferred": {"type": "integer"},
"packetsTransferred": {"type": "integer"},
"flowAction": {"type": "string", "allowed_values": ["Allow", "Deny", "Drop"]},
"flowName": {"type": "string"}
},
"offense_properties": {
"offenseId": {"type": "integer", "description": "Unique offense identifier"},
"offenseName": {"type": "string", "description": "Name of the offense"},
"offenseStatus": {
"type": "string",
"description": "Current status of the offense",
"allowed_values": ["New", "In Progress", "Resolved", "Closed"]
},
"offenseSeverity": {"type": "integer", "description": "Severity level"},
"offenseStartTime": {"type": "datetime", "description": "When offense started"},
"offenseLastUpdateTime": {"type": "datetime", "description": "Last update timestamp"},
"offenseEventCount": {"type": "integer", "description": "Number of events"},
"offenseSourceCount": {"type": "integer", "description": "Unique sources"},
"offenseDestinationCount": {"type": "integer", "description": "Unique destinations"},
"offenseCategoryName": {"type": "string", "description": "Offense category"},
"offenseDescription": {"type": "string", "description": "Detailed description"},
"closingReason": {"type": "string", "description": "Reason for closure"}
}
}
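The custom_event_properties block above describes three extraction types (Regex-Based, JSON-Based and Payload Index) without showing how a pipeline applies them. The following added example is not QRadar code: it is a small stand-alone implementation of those three property types, run over constructed payloads. It assumes capture group 1 holds the regex value, that json_path is a simple "$.key[n]" path, and that start/end positions are 0-based, end-exclusive character offsets (the page does not state QRadar's indexing convention).

```python
from __future__ import annotations

import json
import re
from typing import Any, Optional

# Property definitions in the custom_event_properties layout above. The names,
# patterns and positions are the page's; the extraction code is this example's.
CUSTOM_PROPERTIES = [
    {"name": "Application_Name", "type": "Regex-Based", "regex_pattern": r"app=([^\s]+)"},
    {"name": "Customer_ID", "type": "JSON-Based", "json_path": "$.customer.id"},
    {"name": "Alert_Status", "type": "Payload Index", "start_position": 100, "end_position": 120},
]

# Minimal JSONPath subset: "$", ".key" segments and "[n]" indexes.
_PATH_SEGMENT = re.compile(r"\.([A-Za-z_][A-Za-z0-9_-]*)|\[(\d+)\]")


def validate_property(prop: dict[str, Any]) -> None:
    """Reject definitions that could never extract anything, at load time."""
    ptype = prop["type"]
    if ptype == "Regex-Based":
        if re.compile(prop["regex_pattern"]).groups < 1:
            raise ValueError(f"{prop['name']}: regex needs a capture group")
    elif ptype == "JSON-Based":
        if not prop["json_path"].startswith("$"):
            raise ValueError(f"{prop['name']}: json_path must start with '$'")
    elif ptype == "Payload Index":
        if prop["start_position"] < 0 or prop["end_position"] <= prop["start_position"]:
            raise ValueError(f"{prop['name']}: invalid start/end positions")
    else:
        raise ValueError(f"{prop['name']}: unsupported property type {ptype!r}")


def resolve_json_path(doc: Any, path: str) -> Any:
    """Walk a parsed JSON document along a simple JSONPath; None if absent."""
    node, pos = doc, 1  # skip the leading "$"
    while pos < len(path):
        m = _PATH_SEGMENT.match(path, pos)
        if not m:
            raise ValueError(f"unsupported JSONPath syntax at offset {pos}: {path!r}")
        pos = m.end()
        key, index = m.group(1), m.group(2)
        if key is not None:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            i = int(index)
            if not isinstance(node, list) or i >= len(node):
                return None
            node = node[i]
    return node


def extract_property(payload: str, prop: dict[str, Any]) -> Optional[str]:
    """Apply one property definition to a raw payload; None when it does not match."""
    ptype = prop["type"]
    if ptype == "Regex-Based":
        m = re.search(prop["regex_pattern"], payload)
        return m.group(1) if m else None  # capture group 1 assumed to hold the value
    if ptype == "JSON-Based":
        try:
            doc = json.loads(payload)
        except ValueError:
            return None  # payload is not JSON at all
        value = resolve_json_path(doc, prop["json_path"])
        return None if value is None else str(value)
    if ptype == "Payload Index":
        start, end = prop["start_position"], prop["end_position"]
        if start >= len(payload):
            return None  # payload shorter than the fixed-width field
        return payload[start:end].strip() or None
    raise ValueError(f"unsupported property type {ptype!r}")


def extract_all(payload: str, props: list[dict[str, Any]] = CUSTOM_PROPERTIES) -> dict[str, Optional[str]]:
    """Evaluate every property against one payload, keyed by property name."""
    for prop in props:
        validate_property(prop)
    return {prop["name"]: extract_property(payload, prop) for prop in props}


# Constructed sample payloads (not real logs).
KV_PAYLOAD = "Dec 24 14:30:00 gw01 proxy: user=alice app=Outlook src=10.0.0.5 action=allow"
JSON_PAYLOAD = '{"customer": {"id": "C-1042"}, "event": "login", "ok": true}'
# Fixed-width record: 100 characters of header, then a 20-character status field.
FIXED_PAYLOAD = (
    "DLP-EXPORT 2025-12-24 ticket=INC-4471 policy=PCI-Card-Numbers".ljust(100)
    + "Resolved".ljust(20)
    + " end"
)

if __name__ == "__main__":
    for p in (KV_PAYLOAD, JSON_PAYLOAD, FIXED_PAYLOAD):
        print(extract_all(p))
```

Each property type fails closed: a regex without a capture group or a JSONPath not rooted at "$" is rejected when the definitions are loaded, and a payload that is not JSON or is shorter than a Payload Index window yields None rather than a partial value.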
4. ELASTIC COMMON SCHEMA (ECS) - FIELD REFERENCE
4.1 Complete ECS v9.2.0 Schema
{
"schema_name": "Elastic Common Schema",
"version": "9.2.0",
"description": "Open source specification for Elasticsearch event data normalization",
"root_timestamp": "@timestamp",
"base_fields": {
"@timestamp": {
"type": "date",
"description": "Date/time when the event originated",
"format": "ISO 8601",
"required": true
},
"message": {
"type": "text",
"description": "For log events: the original message"
},
"tags": {
"type": "keyword",
"description": "List of tags associated with the event",
"examples": ["production", "security", "network"]
},
"labels": {
"type": "object",
"description": "User-defined key-value pairs"
}
},
"source_fieldset": {
"source.ip": {
"type": "ip",
"description": "IP address of the source",
"examples": ["192.0.2.1"]
},
"source.port": {
"type": "long",
"description": "Port of the source"
},
"source.hostname": {
"type": "keyword",
"description": "Hostname of the source"
},
"source.domain": {
"type": "keyword",
"description": "Domain name of the source"
},
"source.fqdn": {
"type": "keyword",
"description": "FQDN of the source"
},
"source.mac": {
"type": "keyword",
"description": "MAC address of the source"
},
"source.user.name": {
"type": "keyword",
"description": "Short name or login of the source user"
},
"source.user.id": {
"type": "keyword",
"description": "Unique identifier of the source user"
},
"source.user.email": {
"type": "keyword",
"description": "Email address of the source user"
},
"source.user.domain": {
"type": "keyword",
"description": "Name of the directory the user is a member of"
},
"source.user.roles": {
"type": "keyword",
"description": "Array of user roles"
},
"source.geo.country_iso_code": {
"type": "keyword",
"description": "ISO 3166-1 country code"
},
"source.geo.city_name": {
"type": "keyword",
"description": "City name"
},
"source.geo.latitude": {
"type": "geo_point",
"description": "Latitude"
},
"source.geo.longitude": {
"type": "geo_point",
"description": "Longitude"
}
},
"destination_fieldset": {
"destination.ip": {
"type": "ip",
"description": "IP address of the destination"
},
"destination.port": {
"type": "long",
"description": "Port of the destination"
},
"destination.hostname": {
"type": "keyword",
"description": "Hostname of the destination"
},
"destination.domain": {
"type": "keyword",
"description": "Domain name of the destination"
},
"destination.fqdn": {
"type": "keyword",
"description": "FQDN of the destination"
},
"destination.mac": {
"type": "keyword",
"description": "MAC address of the destination"
},
"destination.user.name": {
"type": "keyword",
"description": "Short name or login of the destination user"
},
"destination.user.id": {
"type": "keyword",
"description": "Unique identifier of the destination user"
},
"destination.geo.country_iso_code": {
"type": "keyword",
"description": "ISO 3166-1 country code"
}
},
"network_fieldset": {
"network.protocol": {
"type": "keyword",
"description": "Protocol name",
"examples": ["tcp", "udp", "icmp", "dns", "http", "https"]
},
"network.direction": {
"type": "keyword",
"description": "Direction of the traffic",
"allowed_values": ["inbound", "outbound", "internal", "external", "unknown"]
},
"network.bytes": {
"type": "long",
"description": "Total bytes transferred in both directions"
},
"network.packets": {
"type": "long",
"description": "Total packets transferred in both directions"
},
"network.transport": {
"type": "keyword",
"description": "Transport layer protocol"
},
"network.type": {
"type": "keyword",
"description": "Type of network medium",
"examples": ["ethernet", "wifi"]
},
"network.vlan.id": {
"type": "keyword",
"description": "VLAN ID"
},
"network.vlan.name": {
"type": "keyword",
"description": "VLAN name"
}
},
"event_fieldset": {
"event.id": {
"type": "keyword",
"description": "Unique identifier for this event"
},
"event.category": {
"type": "keyword",
"description": "Event categorization (may be multi-valued)",
"allowed_values": [
"authentication",
"configuration",
"database",
"driver",
"email",
"file",
"host",
"iam",
"intrusion_detection",
"malware",
"network",
"package",
"process",
"registry",
"session",
"threat",
"vulnerability",
"web"
]
},
"event.type": {
"type": "keyword",
"description": "Event type (may be multi-valued)",
"allowed_values": [
"access",
"admin",
"allowed",
"change",
"connection",
"creation",
"deletion",
"denied",
"end",
"error",
"info",
"installation",
"protocol",
"removal",
"start",
"user"
]
},
"event.action": {
"type": "keyword",
"description": "Specific action described by this event",
"examples": ["user-password-change", "log-in", "ssh-login"]
},
"event.outcome": {
"type": "keyword",
"description": "Outcome of the event",
"allowed_values": ["success", "failure", "unknown"]
},
"event.severity": {
"type": "long",
"description": "Severity level (numeric)"
},
"event.risk_score": {
"type": "long",
"description": "Risk score associated with the event"
},
"event.duration": {
"type": "long",
"description": "Duration in nanoseconds"
},
"event.start": {
"type": "date",
"description": "Event start timestamp"
},
"event.end": {
"type": "date",
"description": "Event end timestamp"
},
"event.created": {
"type": "date",
"description": "Event creation timestamp"
},
"event.timezone": {
"type": "keyword",
"description": "Timezone"
},
"event.code": {
"type": "keyword",
"description": "Event code (e.g., Windows Event ID)"
},
"event.module": {
"type": "keyword",
"description": "Name of the module/component"
},
"event.dataset": {
"type": "keyword",
"description": "Name of the dataset"
},
"event.provider": {
"type": "keyword",
"description": "Source of the event"
},
"event.reason": {
"type": "keyword",
"description": "Reason why this event happened"
},
"event.reference": {
"type": "keyword",
"description": "Reference to related event"
},
"event.sequence": {
"type": "long",
"description": "Sequence number of this event"
},
"event.url": {
"type": "keyword",
"description": "Event URL"
}
},
"http_fieldset": {
"http.version": {
"type": "keyword",
"description": "HTTP version",
"examples": ["1.0", "1.1", "2.0", "3.0"]
},
"http.method": {
"type": "keyword",
"description": "HTTP method",
"examples": ["GET", "POST", "PUT", "DELETE", "HEAD", "PATCH"]
},
"http.status_code": {
"type": "long",
"description": "HTTP response code",
"examples": [200, 404, 403, 500]
},
"http.request.method": {
"type": "keyword",
"description": "HTTP request method"
},
"http.request.body.content": {
"type": "text",
"description": "HTTP request body content"
},
"http.request.body.bytes": {
"type": "long",
"description": "HTTP request body size in bytes"
},
"http.request.bytes": {
"type": "long",
"description": "Total size of HTTP request in bytes"
},
"http.request.referrer": {
"type": "keyword",
"description": "HTTP referrer header"
},
"http.response.body.content": {
"type": "text",
"description": "HTTP response body content"
},
"http.response.body.bytes": {
"type": "long",
"description": "HTTP response body size in bytes"
},
"http.response.bytes": {
"type": "long",
"description": "Total size of HTTP response in bytes"
},
"http.response.status_code": {
"type": "long",
"description": "HTTP response status code"
}
},
"dns_fieldset": {
"dns.question.name": {
"type": "keyword",
"description": "DNS query name"
},
"dns.question.type": {
"type": "keyword",
"description": "DNS query type",
"examples": ["A", "AAAA", "MX", "NS", "CNAME", "TXT", "SOA"]
},
"dns.question.class": {
"type": "keyword",
"description": "DNS query class",
"examples": ["IN", "CH", "HS"]
},
"dns.response_code": {
"type": "keyword",
"description": "DNS response code",
"examples": ["NOERROR", "NXDOMAIN", "REFUSED"]
},
"dns.answers.type": {
"type": "keyword",
"description": "DNS answer type"
},
"dns.answers.data": {
"type": "keyword",
"description": "DNS answer data"
},
"dns.answers.class": {
"type": "keyword",
"description": "DNS answer class"
},
"dns.answers.ttl": {
"type": "long",
"description": "DNS answer TTL"
},
"dns.rrtype": {
"type": "keyword",
"description": "DNS record type"
}
},
"file_fieldset": {
"file.name": {
"type": "keyword",
"description": "File name"
},
"file.path": {
"type": "keyword",
"description": "Full file path"
},
"file.extension": {
"type": "keyword",
"description": "File extension"
},
"file.size": {
"type": "long",
"description": "File size in bytes"
},
"file.mime_type": {
"type": "keyword",
"description": "MIME type of the file"
},
"file.hash.md5": {
"type": "keyword",
"description": "MD5 hash of the file"
},
"file.hash.sha1": {
"type": "keyword",
"description": "SHA1 hash of the file"
},
"file.hash.sha256": {
"type": "keyword",
"description": "SHA256 hash of the file"
},
"file.hash.sha512": {
"type": "keyword",
"description": "SHA512 hash of the file"
},
"file.created": {
"type": "date",
"description": "File creation time"
},
"file.modified": {
"type": "date",
"description": "File modification time"
},
"file.accessed": {
"type": "date",
"description": "File access time"
},
"file.owner": {
"type": "keyword",
"description": "File owner"
},
"file.group": {
"type": "keyword",
"description": "File group"
},
"file.mode": {
"type": "keyword",
"description": "File permissions (octal)"
}
},
"process_fieldset": {
"process.name": {
"type": "keyword",
"description": "Process name"
},
"process.pid": {
"type": "long",
"description": "Process ID"
},
"process.ppid": {
"type": "long",
"description": "Parent process ID"
},
"process.command_line": {
"type": "text",
"description": "Full command line"
},
"process.executable": {
"type": "keyword",
"description": "Full path to executable"
},
"process.working_directory": {
"type": "keyword",
"description": "Current working directory"
},
"process.title": {
"type": "text",
"description": "Process title"
},
"process.start": {
"type": "date",
"description": "Process start time"
},
"process.uptime": {
"type": "long",
"description": "Process uptime in milliseconds"
},
"process.args": {
"type": "keyword",
"description": "Array of process arguments"
},
"process.hash.md5": {
"type": "keyword",
"description": "Hash of the executable"
},
"process.hash.sha1": {
"type": "keyword",
"description": "Hash of the executable"
},
"process.hash.sha256": {
"type": "keyword",
"description": "Hash of the executable"
},
"process.user.name": {
"type": "keyword",
"description": "User running the process"
},
"process.user.id": {
"type": "keyword",
"description": "UID running the process"
},
"process.group.name": {
"type": "keyword",
"description": "Group name running the process"
},
"process.group.id": {
"type": "keyword",
"description": "Group ID running the process"
},
"process.parent.name": {
"type": "keyword",
"description": "Parent process name"
},
"process.parent.pid": {
"type": "long",
"description": "Parent process ID"
},
"process.parent.executable": {
"type": "keyword",
"description": "Parent process executable"
},
"process.parent.args": {
"type": "keyword",
"description": "Parent process arguments"
},
"process.parent.command_line": {
"type": "text",
"description": "Parent process command line"
}
},
"tls_fieldset": {
"tls.version": {
"type": "keyword",
"description": "TLS version",
"examples": ["1.0", "1.1", "1.2", "1.3"]
},
"tls.cipher": {
"type": "keyword",
"description": "Cipher suite used"
},
"tls.established": {
"type": "boolean",
"description": "TLS handshake succeeded"
},
"tls.client.subject": {
"type": "keyword",
"description": "Subject of the client certificate"
},
"tls.client.issuer": {
"type": "keyword",
"description": "Issuer of the client certificate"
},
"tls.client.certificate_chain": {
"type": "keyword",
"description": "Certificate chain provided by client"
},
"tls.client.ja3": {
"type": "keyword",
"description": "JA3 fingerprint of the client"
},
"tls.server.subject": {
"type": "keyword",
"description": "Subject of the server certificate"
},
"tls.server.issuer": {
"type": "keyword",
"description": "Issuer of the server certificate"
},
"tls.server.name_indication": {
"type": "keyword",
"description": "Server name indicated by client (SNI)"
},
"tls.server.certificate": {
"type": "keyword",
"description": "PEM-encoded server certificate"
},
"tls.server.certificate_chain": {
"type": "keyword",
"description": "Certificate chain provided by server"
},
"tls.server.ja3s": {
"type": "keyword",
"description": "JA3S fingerprint of the server"
},
"tls.server.ja4": {
"type": "keyword",
"description": "JA4 fingerprint of server"
}
},
"threat_fieldset": {
"threat.name": {
"type": "keyword",
"description": "Name of the threat"
},
"threat.category": {
"type": "keyword",
"description": "Category of the threat"
},
"threat.confidence": {
"type": "keyword",
"description": "Confidence level"
},
"threat.severity": {
"type": "keyword",
"description": "Threat severity"
},
"threat.indicator.type": {
"type": "keyword",
"description": "Type of threat indicator"
},
"threat.indicator.description": {
"type": "text",
"description": "Threat indicator description"
},
"threat.indicator.confidence": {
"type": "keyword",
"description": "Confidence of the indicator"
},
"threat.enrichments": {
"type": "nested",
"description": "Threat enrichment data"
},
"threat.group.name": {
"type": "keyword",
"description": "Name of the threat group"
},
"threat.group.id": {
"type": "keyword",
"description": "ID of the threat group"
},
"threat.tactic.name": {
"type": "keyword",
"description": "MITRE ATT&CK tactic name"
},
"threat.tactic.id": {
"type": "keyword",
"description": "MITRE ATT&CK tactic ID"
},
"threat.technique.name": {
"type": "keyword",
"description": "MITRE ATT&CK technique name"
},
"threat.technique.id": {
"type": "keyword",
"description": "MITRE ATT&CK technique ID"
},
"threat.software.name": {
"type": "keyword",
"description": "Malware/tool name"
},
"threat.software.id": {
"type": "keyword",
"description": "Malware/tool ID"
},
"threat.software.platforms": {
"type": "keyword",
"description": "Platforms affected"
}
},
"user_fieldset": {
"user.name": {
"type": "keyword",
"description": "Username"
},
"user.id": {
"type": "keyword",
"description": "User ID"
},
"user.email": {
"type": "keyword",
"description": "Email address"
},
"user.full_name": {
"type": "text",
"description": "Full name of the user"
},
"user.hash": {
"type": "keyword",
"description": "Hash of the user"
},
"user.domain": {
"type": "keyword",
"description": "Domain or realm"
},
"user.roles": {
"type": "keyword",
"description": "Array of user roles"
},
"user.changes.domain": {
"type": "keyword",
"description": "Domain/realm changed"
},
"user.changes.name": {
"type": "keyword",
"description": "Name changed"
}
},
"rule_fieldset": {
"rule.id": {
"type": "keyword",
"description": "Rule ID"
},
"rule.name": {
"type": "keyword",
"description": "Rule name"
},
"rule.version": {
"type": "keyword",
"description": "Rule version"
},
"rule.description": {
"type": "text",
"description": "Rule description"
},
"rule.category": {
"type": "keyword",
"description": "Rule category"
},
"rule.reference": {
"type": "keyword",
"description": "Reference URL"
},
"rule.license": {
"type": "keyword",
"description": "Rule license"
},
"rule.ruleset": {
"type": "keyword",
"description": "Ruleset name"
},
"rule.tags": {
"type": "keyword",
"description": "Rule tags"
},
"rule.uuid": {
"type": "keyword",
"description": "Rule UUID"
}
}
}
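The ECS reference above lists field types (ip, long, keyword, date, boolean) and allowed_values, which is exactly what a pipeline needs to reject badly mapped documents before indexing. The following added example is not Elastic's code: it validates a constructed ECS document against a small excerpt of the field definitions above, reporting type violations, disallowed values, a missing required @timestamp, and fields that do not exist in the excerpt (a common sign of a mapping typo). The excerpt and sample documents are constructed for this example; labels.* is exempted from the unknown-field check because the schema defines it as user-defined key-value pairs.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime
from typing import Any

# Excerpt of the ECS field definitions above, kept in the page's own layout
# (type / allowed_values / required). A real deployment would load the full list.
ECS_FIELDS: dict[str, dict[str, Any]] = {
    "@timestamp": {"type": "date", "required": True},
    "message": {"type": "text"},
    "tags": {"type": "keyword"},
    "source.ip": {"type": "ip"},
    "source.port": {"type": "long"},
    "destination.ip": {"type": "ip"},
    "destination.port": {"type": "long"},
    "network.direction": {
        "type": "keyword",
        "allowed_values": ["inbound", "outbound", "internal", "external", "unknown"],
    },
    "event.outcome": {"type": "keyword", "allowed_values": ["success", "failure", "unknown"]},
    "event.severity": {"type": "long"},
    "tls.established": {"type": "boolean"},
}


def flatten(doc: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Nested objects to ECS dot notation: {"source": {"ip": x}} -> {"source.ip": x}."""
    flat: dict[str, Any] = {}
    for key, value in doc.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def type_ok(value: Any, ecs_type: str) -> bool:
    """Check one scalar against the ECS type names used in the reference."""
    if ecs_type == "ip":
        if not isinstance(value, str):
            return False
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ecs_type == "long":
        return isinstance(value, int) and not isinstance(value, bool)
    if ecs_type == "boolean":
        return isinstance(value, bool)
    if ecs_type == "date":
        if not isinstance(value, str):
            return False
        try:
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    if ecs_type in ("keyword", "text"):
        return isinstance(value, str)
    return True  # object, nested, geo_point: not checked by this excerpt


def validate_ecs(doc: dict[str, Any], fields: dict[str, dict[str, Any]] = ECS_FIELDS) -> list[str]:
    """Return a list of violations; an empty list means the document passes."""
    flat = flatten(doc)
    errors: list[str] = []
    for name, spec in fields.items():
        if name not in flat:
            if spec.get("required"):
                errors.append(f"{name}: required field missing")
            continue
        # keyword fields such as tags or event.category may be multi-valued
        values = flat[name] if isinstance(flat[name], list) else [flat[name]]
        for value in values:
            if not type_ok(value, spec["type"]):
                errors.append(f"{name}: {value!r} is not a valid {spec['type']}")
            elif "allowed_values" in spec and value not in spec["allowed_values"]:
                errors.append(f"{name}: {value!r} not in {spec['allowed_values']}")
    for name in flat:
        # labels.* is user-defined by design; anything else unknown is a likely mapping typo
        if name not in fields and not name.startswith("labels."):
            errors.append(f"{name}: not an ECS field in this excerpt")
    return errors


# Constructed sample documents (not real events).
GOOD_EVENT = {
    "@timestamp": "2025-12-24T14:30:00Z",
    "message": "connection accepted",
    "tags": ["production", "network"],
    "source": {"ip": "192.0.2.1", "port": 51234},
    "destination": {"ip": "198.51.100.7", "port": 443},
    "network": {"direction": "outbound"},
    "event": {"outcome": "success", "severity": 3},
    "tls": {"established": True},
}
BAD_EVENT = {
    "message": "malformed mapping output",
    "source": {"ip": "192.0.2.999", "port": "51234"},
    "event": {"outcome": "ok"},
    "src_ip": "10.0.0.5",
}

if __name__ == "__main__":
    print(validate_ecs(GOOD_EVENT))
    print("\n".join(validate_ecs(BAD_EVENT)))
```

The "long" check deliberately rejects bool, since Python's bool is an int subclass and a stray True in source.port would otherwise pass; the "ip" check accepts both IPv4 and IPv6 text, matching the ECS ip type.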
5. SURICATA EVE - ALERT & EVENT SCHEMAS
5.1 Complete Suricata EVE JSON Schema
{
"platform": "Suricata",
"format": "EVE JSON",
"version": "Latest",
"description": "Extensible Event Format - JSON output for alerts and events",
"base_event_fields": {
"timestamp": {
"type": "string (ISO 8601)",
"description": "Timestamp of the event",
"format": "2025-12-24T14:30:00.123456+0000",
"required": true
},
"flow_id": {
"type": "integer",
"description": "Unique flow identifier",
"required": true
},
"event_type": {
"type": "string",
"description": "Type of the event",
"required": true,
"allowed_values": [
"alert",
"http",
"dns",
"tls",
"files",
"flow",
"drop",
"netflow",
"anomaly",
"stats",
"stream",
"mqtt",
"ssh",
"dhcp",
"rdp",
"smb",
"ftp",
"tftp",
"nfs",
"snmp",
"ike",
"dcerpc",
"krb5",
"bittorrent_dht"
]
},
"src": {
"type": "object",
"description": "Source information",
"fields": {
"ip": {"type": "string (IP address)", "description": "Source IP"},
"port": {"type": "integer", "description": "Source port"}
}
},
"dest": {
"type": "object",
"description": "Destination information",
"fields": {
"ip": {"type": "string (IP address)", "description": "Destination IP"},
"port": {"type": "integer", "description": "Destination port"}
}
},
"proto": {
"type": "string",
"description": "Protocol",
"allowed_values": ["tcp", "udp", "icmp", "ip"]
},
"pcap_cnt": {
"type": "integer",
"description": "PCAP packet counter"
},
"community_id": {
"type": "string",
"description": "Community Flow ID for correlation with other tools (e.g., Zeek)"
},
"app_proto": {
"type": "string",
"description": "Application layer protocol"
}
},
"alert_event": {
"type": "object",
"description": "Alert event type",
"fields": {
"alert": {
"type": "object",
"fields": {
"action": {
"type": "string",
"description": "Action taken",
"allowed_values": ["allowed", "blocked"]
},
"gid": {
"type": "integer",
"description": "Group ID (generator ID)"
},
"signature_id": {
"type": "integer",
"description": "Signature ID (SID)",
"examples": [1001, 2001, 3001]
},
"rev": {
"type": "integer",
"description": "Rule revision number"
},
"signature": {
"type": "string",
"description": "Signature/rule message",
"examples": ["ET MALWARE Win32/Conficker.C Worm Outbound Connection"]
},
"category": {
"type": "string",
"description": "Rule category",
"examples": ["Potentially Bad Traffic", "Malware", "Trojan Activity"]
},
"severity": {
"type": "integer",
"description": "Severity level",
"range": "1-3",
"1": "High",
"2": "Medium",
"3": "Low"
},
"metadata": {
"type": "object",
"description": "Rule metadata",
"examples": {
"policy": ["balanced-ips", "security-ips"],
"rule-type": ["trojan"],
"affected-systems": ["Windows"],
"malware-type": ["Trojan.Win32.Conficker"]
}
},
"tx_id": {
"type": "integer",
"description": "Application layer transaction ID"
},
"tx_guessed": {
"type": "boolean",
"description": "Whether transaction was guessed"
}
},
"required": ["action", "gid", "signature_id", "signature", "category", "severity"]
},
"payload": {
"type": "string (Base64)",
"description": "Packet payload (Base64 encoded)"
},
"payload-printable": {
"type": "string",
"description": "Packet payload (printable format, lossy)"
},
"packet": {
"type": "string (Base64)",
"description": "Packet data without stream segments"
}
}
},
"http_event": {
"type": "object",
"description": "HTTP transaction event",
"fields": {
"http": {
"type": "object",
"fields": {
"hostname": {
"type": "string",
"description": "Hostname from HTTP header"
},
"url": {
"type": "string",
"description": "Full URL"
},
"uri": {
"type": "string",
"description": "URI path"
},
"http_method": {
"type": "string",
"description": "HTTP method",
"examples": ["GET", "POST", "PUT", "DELETE", "HEAD"]
},
"protocol": {
"type": "string",
"description": "HTTP protocol version",
"examples": ["HTTP/1.0", "HTTP/1.1", "HTTP/2.0"]
},
"status": {
"type": "integer",
"description": "HTTP response status code",
"examples": [200, 404, 403, 500]
},
"length": {
"type": "integer",
"description": "Content length"
},
"http_user_agent": {
"type": "string",
"description": "User-Agent header"
},
"http_content_type": {
"type": "string",
"description": "Content-Type header"
},
"http_refer": {
"type": "string",
"description": "Referer header"
},
"xff": {
"type": "string",
"description": "X-Forwarded-For header"
},
"http_headers": {
"type": "array",
"description": "HTTP headers (if enabled)"
}
}
}
}
},
"dns_event": {
"type": "object",
"description": "DNS transaction event",
"fields": {
"dns": {
"type": "object",
"fields": {
"version": {
"type": "integer",
"description": "DNS message version",
"value": 2
},
"type": {
"type": "string",
"description": "DNS message type",
"allowed_values": ["query", "answer"]
},
"id": {
"type": "integer",
"description": "DNS transaction ID"
},
"rrname": {
"type": "string",
"description": "DNS record name"
},
"rrtype": {
"type": "string",
"description": "DNS record type",
"examples": ["A", "AAAA", "CNAME", "MX", "NS", "PTR", "TXT", "SOA"]
},
"rclass": {
"type": "string",
"description": "DNS record class",
"examples": ["IN"]
},
"rdata": {
"type": "string",
"description": "DNS response data"
},
"ttl": {
"type": "integer",
"description": "Time to Live"
},
"answers": {
"type": "array",
"description": "DNS answers (detailed format)",
"items": {
"rrname": "string",
"rrtype": "string",
"ttl": "integer",
"rdata": "string"
}
},
"query": {
"type": "object",
"description": "DNS query information",
"fields": {
"type": {"type": "string"},
"name": {"type": "string"}
}
},
"grouped_answers": {
"type": "array",
"description": "Grouped DNS answers by type"
}
}
}
}
},
"tls_event": {
"type": "object",
"description": "TLS/SSL transaction event",
"fields": {
"tls": {
"type": "object",
"fields": {
"version": {
"type": "string",
"description": "TLS version",
"examples": ["TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"]
},
"cipher": {
"type": "string",
"description": "Cipher suite used"
},
"ja3": {
"type": "string",
"description": "JA3 fingerprint (client)"
},
"ja3s": {
"type": "string",
"description": "JA3S fingerprint (server)"
},
"ja4": {
"type": "string",
"description": "JA4 fingerprint (client)"
},
"sni": {
"type": "string",
"description": "Server Name Indication"
},
"fingerprint": {
"type": "string",
"description": "TLS certificate fingerprint (SHA-1)"
},
"issuer": {
"type": "string",
"description": "Certificate issuer"
},
"subject": {
"type": "string",
"description": "Certificate subject"
},
"not_before": {
"type": "string",
"description": "Certificate valid from date"
},
"not_after": {
"type": "string",
"description": "Certificate valid until date"
},
"serial": {
"type": "string",
"description": "Certificate serial number"
},
"certificate": {
"type": "string",
"description": "PEM-encoded certificate"
},
"chain": {
"type": "array",
"description": "Certificate chain"
},
"session_resumed": {
"type": "boolean",
"description": "Whether session was resumed"
},
"client": {
"type": "object",
"description": "Client certificate details"
},
"server": {
"type": "object",
"description": "Server details"
}
}
}
}
},
"files_event": {
"type": "object",
"description": "File extraction event",
"fields": {
"files": {
"type": "array",
"items": {
"filename": {
"type": "string",
"description": "Name of the file"
},
"magic": {
"type": "string",
"description": "File magic/type"
},
"size": {
"type": "integer",
"description": "File size"
},
"stored": {
"type": "boolean",
"description": "Whether file was stored"
},
"file_id": {
"type": "integer",
"description": "File ID"
},
"tx_id": {
"type": "array",
"description": "Transaction IDs associated with file"
},
"md5": {
"type": "string",
"description": "MD5 hash"
},
"sha1": {
"type": "string",
"description": "SHA1 hash"
},
"sha256": {
"type": "string",
"description": "SHA256 hash"
},
"ssdeep": {
"type": "string",
"description": "SSDEEP fuzzy hash"
}
}
}
}
},
"flow_event": {
"type": "object",
"description": "Network flow event",
"fields": {
"flow": {
"type": "object",
"fields": {
"pkts_toserver": {
"type": "integer",
"description": "Packets sent to server"
},
"pkts_toclient": {
"type": "integer",
"description": "Packets sent to client"
},
"bytes_toserver": {
"type": "integer",
"description": "Bytes sent to server"
},
"bytes_toclient": {
"type": "integer",
"description": "Bytes sent to client"
},
"start": {
"type": "string (ISO 8601)",
"description": "Flow start time"
},
"end": {
"type": "string (ISO 8601)",
"description": "Flow end time"
},
"age": {
"type": "integer",
"description": "Flow age in seconds"
},
"state": {
"type": "string",
"description": "Flow state",
"allowed_values": ["new", "established", "closed", "closed_timeout"]
},
"reason": {
"type": "string",
"description": "Reason for flow closure"
},
"alerted": {
"type": "boolean",
"description": "Whether flow generated an alert"
},
"bypassed": {
"type": "boolean",
"description": "Whether flow was bypassed"
}
}
}
}
},
"drop_event": {
"type": "object",
"description": "Packet drop event",
"fields": {
"drop": {
"type": "object",
"fields": {
"reason": {
"type": "string",
"description": "Reason for drop",
"examples": ["IPS", "Drop Rule", "Packet Filter"]
}
}
}
}
},
"anomaly_event": {
"type": "object",
"description": "Anomaly detection event",
"fields": {
"anomaly": {
"type": "object",
"fields": {
"type": {
"type": "string",
"description": "Anomaly type",
"allowed_values": ["decode", "stream", "applayer"]
},
"code": {
"type": "integer",
"description": "Anomaly code"
},
"desc": {
"type": "string",
"description": "Anomaly description"
}
}
}
}
},
"metadata_event": {
"type": "object",
"description": "Metadata event (pktvar, flowvar, flowbits, flowints)",
"fields": {
"pktvar": {"type": "object", "description": "Packet variables"},
"flowvar": {"type": "object", "description": "Flow variables"},
"flowbits": {"type": "object", "description": "Flow bits"},
"flowints": {"type": "object", "description": "Flow integers"}
}
}
}
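The Suricata alert_event schema above and the ECS field reference in section 4 describe the two ends of a typical normalization step. The following added example is not Suricata's or Elastic's code: it maps one constructed EVE alert line to an ECS document using field names from both schemas on this page, enforces the alert object's required list from the schema above, and accepts either the nested src/dest objects listed above or the flat src_ip/src_port keys that Suricata writes to eve.json. The event.module and event.dataset values are assumed naming, and network.community_id is an ECS field that exists but is not in the section 4 excerpt; the sample line and its community_id value are constructed placeholders.

```python
from __future__ import annotations

import json
from datetime import datetime
from typing import Any, Optional

# Required keys of the EVE "alert" object, taken from the schema above.
ALERT_REQUIRED = ("action", "gid", "signature_id", "signature", "category", "severity")


def endpoint(evt: dict[str, Any], side: str) -> tuple[Optional[str], Optional[int]]:
    """(ip, port) for side "src" or "dest": accepts the nested src/dest objects listed
    above as well as the flat src_ip/src_port keys Suricata writes to eve.json."""
    nested = evt.get(side)
    if isinstance(nested, dict):
        return nested.get("ip"), nested.get("port")
    return evt.get(f"{side}_ip"), evt.get(f"{side}_port")


def eve_timestamp_to_ecs(ts: str) -> str:
    """EVE writes "...+0000"; ECS wants ISO 8601, which isoformat() emits as "+00:00"."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").isoformat()


def drop_empty(obj: Any) -> Any:
    """Remove None values and the empty objects they leave behind."""
    if not isinstance(obj, dict):
        return obj
    cleaned = {k: drop_empty(v) for k, v in obj.items() if v is not None}
    return {k: v for k, v in cleaned.items() if v != {}}


def eve_alert_to_ecs(line: str) -> Optional[dict[str, Any]]:
    """Map one EVE alert line to an ECS document; None for other event types."""
    evt = json.loads(line)
    if evt.get("event_type") != "alert":
        return None  # http/dns/flow/... need their own mappings
    alert = evt.get("alert") or {}
    missing = [k for k in ALERT_REQUIRED if k not in alert]
    if missing:
        raise ValueError(f"EVE alert is missing required fields: {missing}")
    src_ip, src_port = endpoint(evt, "src")
    dst_ip, dst_port = endpoint(evt, "dest")
    doc = {
        "@timestamp": eve_timestamp_to_ecs(evt["timestamp"]),
        "message": alert["signature"],
        "event": {
            "module": "suricata",         # assumed naming, not mandated by ECS
            "dataset": "suricata.alert",  # assumed naming
            "category": ["intrusion_detection", "network"],
            # EVE action "blocked"/"allowed" -> ECS event.type values from section 4
            "type": ["denied"] if alert["action"] == "blocked" else ["allowed"],
            # Suricata severity is 1 (High) .. 3 (Low); ECS only says "numeric", so keep it
            "severity": alert["severity"],
        },
        "rule": {
            "id": str(alert["signature_id"]),
            "name": alert["signature"],
            "category": alert["category"],
            "version": str(alert["rev"]) if "rev" in alert else None,
        },
        "source": {"ip": src_ip, "port": src_port},
        "destination": {"ip": dst_ip, "port": dst_port},
        "network": {
            "transport": (evt.get("proto") or "").lower() or None,
            "protocol": evt.get("app_proto"),
            # network.community_id exists in ECS but is not in the section 4 excerpt
            "community_id": evt.get("community_id"),
        },
    }
    return drop_empty(doc)


# Constructed sample EVE line (not a real capture); the signature text is the
# page's own example, the community_id value is a placeholder.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2025-12-24T14:30:00.123456+0000",
    "flow_id": 1234567890123456,
    "event_type": "alert",
    "src_ip": "10.20.30.40", "src_port": 51234,
    "dest_ip": "192.0.2.10", "dest_port": 443,
    "proto": "TCP",
    "app_proto": "tls",
    "community_id": "1:PLACEHOLDER-not-a-real-hash=",
    "alert": {
        "action": "allowed", "gid": 1, "signature_id": 2001, "rev": 4,
        "signature": "ET MALWARE Win32/Conficker.C Worm Outbound Connection",
        "category": "Malware", "severity": 1,
    },
})

if __name__ == "__main__":
    print(json.dumps(eve_alert_to_ecs(SAMPLE_EVE_LINE), indent=2))
```

flow_id is intentionally not copied into event.id: one flow can produce many alert events, so it is a flow key rather than an event key. community_id is carried through because, as the base_event_fields above note, it is the value that lets the alert be joined with the same flow in other tools such as Zeek.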
6. ADDITIONAL TOOLS
6.1 Wazuh Alert Schema
{
"platform": "Wazuh",
"format": "Alert JSON",
"description": "Wazuh alert event structure",
"alert_fields": {
"timestamp": {"type": "timestamp", "description": "Alert timestamp"},
"rule": {
"id": "integer",
"level": "integer (3-15)",
"description": "string",
"group": "string array",
"pci_dss": "string array",
"hipaa": "string array",
"gdpr": "string array",
"mitre": {
"tactic": "string array",
"technique": "string array"
}
},
"agent": {
"id": "string",
"name": "string",
"ip": "ip address"
},
"manager": {
"name": "string"
},
"data": {
"title": "string",
"path": "string",
"srcip": "ip",
"srcport": "integer",
"dstip": "ip",
"dstport": "integer",
"username": "string",
"command": "string"
},
"decoder": {
"name": "string",
"parent": "string"
}
}
}
6.2 OpenSearch Security Analytics Schema
{
"platform": "OpenSearch Security Analytics",
"description": "Security Analytics detector and findings schema",
"base_format": "ECS (Elastic Common Schema)",
"detector_fields": {
"detector_type": ["Firewall", "Windows", "Authentication", "Custom"],
"detector_name": "string",
"detector_input": {
"log_type": "string",
"description": "string"
}
},
"finding_fields": {
"findings": {
"finding_id": "string",
"detection_type": "string",
"rule_name": "string",
"rule_id": "string",
"severity": "string (Critical, High, Medium, Low)",
"timestamp": "timestamp",
"status": "string (New, Acknowledged, Closed)"
}
}
}
6.3 Zeek (formerly Bro) JSON Schema
{
"platform": "Zeek",
"description": "Zeek network protocol analysis JSON output",
"log_types": [
"conn",
"dns",
"http",
"ssl",
"tls",
"ssh",
"ftp",
"smtp",
"x509",
"files",
"syslog"
],
"base_fields": {
"ts": "timestamp",
"uid": "string (connection UID)",
"id.orig_h": "ip (originator IP)",
"id.orig_p": "integer (originator port)",
"id.resp_h": "ip (responder IP)",
"id.resp_p": "integer (responder port)",
"proto": "string (tcp, udp, icmp)"
},
"connection_log_fields": {
"service": "string",
"duration": "number (seconds)",
"orig_bytes": "integer",
"resp_bytes": "integer",
"conn_state": "string",
"missed_bytes": "integer",
"history": "string"
},
"dns_log_fields": {
"proto": "string",
"query": "string",
"qclass": "integer",
"qclass_name": "string",
"qtype": "integer",
"qtype_name": "string",
"rcode": "integer",
"rcode_name": "string",
"answers": "string array",
"ttls": "number array"
},
"http_log_fields": {
"trans_depth": "integer",
"method": "string",
"uri": "string",
"referrer": "string",
"version": "string",
"user_agent": "string",
"request_body_len": "integer",
"response_body_len": "integer",
"status_code": "integer",
"status_msg": "string",
"info_code": "integer",
"info_msg": "string",
"tags": "string array"
},
"ssl_log_fields": {
"version": "string",
"cipher": "string",
"cipher_alg": "string",
"mac_alg": "string",
"enc_alg": "string",
"pfs_alg": "string",
"server_name": "string",
"session_id": "string",
"subject": "string",
"issuer": "string",
"client_subject": "string",
"client_issuer": "string"
}
}
SCHEMA COMPARISON SUMMARY
| Aspect | Splunk CIM | Sentinel ASIM | QRadar | ECS | Suricata |
|---|---|---|---|---|---|
| Structure | Flat + tags | Hierarchical (dot notation) | Property-based | Hierarchical | Event-type driven |
| Field Count | 400+ | 150+/schema | 100+ normalized | 300+ | 50-100/type |
| Versioning | Ongoing | Explicit (0.1.4) | Continuous | Semantic (9.2.0) | Release-based |
| Flexibility | Very High | Medium | Very High | High | Medium |
| Primary Key | Category + tags | EventSchema | src_ip, dst_ip, port, user | @timestamp | flow_id |
| DLP Support | Native | Via extension | Custom properties | Custom fields | No |
| MDR/Alert | Via tags | Native fields | Offense model | Via threat schema | Via alert type |
| MITRE ATT&CK | Via tags | Native | Via threat model | Via threat schema | Via alert fields |
| Cloud Support | Via tags | Native (Dvc fields) | Via custom props | Via cloud fieldset | Minimal |
| Correlation | Splunk UID | EventUid | offenseId | event.id | community_id |
END OF SCHEMA DOCUMENTATION
Document prepared for comprehensive schema analysis across leading SIEM, MDR, and DLP platforms. For detailed field definitions, consult official documentation of each platform.