{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "type" : "object",
  "properties" : {
    "timestamp" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The timestamp when the event originally occurred"
    },
    "observation_count" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The number of documents that matched this one within the deduplication time window, encoded as a string of decimal digits.\nThe value is 1 when this event was unique in the time window",
      "pattern" : "\\d+"
    },
    "asset" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Asset name, if available"
    },
    "user" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Username, if available"
    },
    "user_domain" : {
      "type" : "string",
      "x-isAttributed" : true,
      "format" : "hostname",
      "description" : "User domain name, if available"
    },
    "source_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The address (IPv4, IPv6, or hostname) of the device that made the DNS query",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      }, {
        "format" : "hostname"
      } ]
    },
    "source_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The network port on the source side that was used to establish the connection",
      "pattern" : "\\d+"
    },
    "query" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "The domain name being queried"
    },
    "public_suffix" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Public suffix of the domain name being queried",
      "format" : "hostname"
    },
    "top_private_domain" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Top private domain of the domain name being queried",
      "format" : "hostname"
    },
    "query_type" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The type of DNS query. Refer to\nhttps://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4\nfor details"
    },
    "query_class" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The class of DNS query. Refer to\nhttps://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-2\nfor details"
    },
    "query_blocked" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Indicates whether the DNS query was blocked by a network appliance, encoded as the string \"true\" or \"false\"",
      "pattern" : "true|false"
    },
    "dns_server_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The IP address (IPv4 or IPv6) or hostname of the DNS server",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      }, {
        "format" : "hostname"
      } ]
    },
    "dns_server_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The DNS server port used to perform the query",
      "pattern" : "\\d+"
    },
    "first_observed_time" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The document time of the earliest observed matching document within the deduplication time window"
    },
    "last_observed_time" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The document time of the latest observed matching document within the deduplication time window"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON object produced by applying one or more user-defined custom parsers to the original data"
    },
    "r7_context" : {
      "type" : "object",
      "properties" : {
        "user" : {
          "type" : "object",
          "properties" : {
            "domain" : {
              "type" : "string",
              "x-isAttributed" : false,
              "format" : "hostname",
              "description" : "The domain of the user"
            },
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "user"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        }
      },
      "x-isAttributed" : true,
      "description" : "r7_context holds attributed information related to the entry, with references to Rapid7-specific RRNs (Rapid7 Resource Names)"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    }
  },
  "required" : [ "timestamp", "source_address", "query" ],
  "description" : "DNS Query for a specific domain name, made from a specific source device"
}