{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "type" : "object",
  "properties" : {
    "timestamp" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The timestamp when the event originally occurred"
    },
    "description" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Textual description of the event or signature"
    },
    "category" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Category of the event (for example, attempted-admin or attempted-user)"
    },
    "severity" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Severity level of the event (for example, low, medium, high)"
    },
    "asset" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "The asset involved in the event (for example, server or workstation name)"
    },
    "user" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Username associated with the event, if available"
    },
    "user_domain" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "Domain of the user (typically from systems like Active Directory)"
    },
    "source_ip" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Source IP address where the suspicious traffic originated",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      } ]
    },
    "source_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The source port used to initiate the traffic",
      "pattern" : "\\d+"
    },
    "destination_ip" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The destination IP address where the traffic was directed",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      } ]
    },
    "destination_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The port on the destination machine",
      "pattern" : "\\d+"
    },
    "geoip_city" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The city name of the source IP address"
    },
    "geoip_country_code" : {
      "type" : "string",
      "x-isAttributed" : false,
      "pattern" : "[A-Z]{2}",
      "description" : "Two-character ISO 3166-1 country code for the source IP address"
    },
    "geoip_country_name" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The country name of the source IP address"
    },
    "geoip_organization" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The organization name attributed to the source IP address"
    },
    "geoip_region" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The region name of the source IP address"
    },
    "signature" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The name of the signature that triggered the IDS alert"
    },
    "signature_revision" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Revision or version number of the signature"
    },
    "protocol" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Transport layer protocol (for example, TCP, UDP, ICMP)"
    },
    "ids_app_protocol" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Application-layer protocol identified by the IDS (for example, HTTP, DNS)"
    },
    "ids_app_protocol_info" : {
      "type" : "object",
      "properties" : {
        "this_is" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of provider"
        }
      },
      "description" : "Additional app protocol value-specific information",
      "x-isAttributed" : false
    },
    "community_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Flow identifier used to correlate traffic across systems"
    },
    "total_bytes" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Total number of bytes transferred during the flow",
      "pattern" : "\\d+"
    },
    "total_packet_count" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Total number of packets observed in the flow",
      "pattern" : "\\d+"
    },
    "source_bytes" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Number of bytes sent from the source to the destination",
      "pattern" : "\\d+"
    },
    "source_packet_count" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Number of packets sent from the source to the destination",
      "pattern" : "\\d+"
    },
    "destination_bytes" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Number of bytes sent from the destination to the source",
      "pattern" : "\\d+"
    },
    "destination_packet_count" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Number of packets received by the destination",
      "pattern" : "\\d+"
    },
    "ids_flow_initiated" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "Timestamp indicating when the related network flow began"
    },
    "generator_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Identifier of the IDS component or subsystem that generated the alert"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON object produced by applying one or more user-defined custom parsers to the original data"
    },
    "r7_context" : {
      "type" : "object",
      "properties" : {
        "user" : {
          "type" : "object",
          "properties" : {
            "domain" : {
              "type" : "string",
              "x-isAttributed" : false,
              "format" : "hostname",
              "description" : "The domain of the user"
            },
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "user"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        },
        "asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        }
      },
      "x-isAttributed" : true,
      "description" : "R7_context includes attributed information related to the entry, with references to Rapid7-specific RRNs"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    }
  },
  "required" : [ "timestamp", "source_ip", "destination_ip", "signature" ],
  "description" : "IDS document"
}