{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "type" : "object",
  "properties" : {
    "timestamp" : {
      "type" : "string",
      "format" : "date-time",
      "x-isAttributed" : false,
      "description" : "The timestamp when the event originally occurred"
    },
    "is_blocked" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Indicates whether the Web Application Firewall (WAF) blocked the HTTP request",
      "pattern" : "true|false"
    },
    "rule" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Name or description of the rule that flagged the activity"
    },
    "mapped_severity" : {
      "type" : "string",
      "enum" : [ "HIGH", "MEDIUM", "LOW", "CRITICAL", "UNKNOWN" ],
      "x-isAttributed" : false,
      "description" : "Normalized threat level associated with the request or event"
    },
    "product_severity" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Non-normalized severity value specified by the product log"
    },
    "source_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The IP address of the client making the request",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      } ]
    },
    "source_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The port used by the client making the request",
      "pattern" : "\\d+"
    },
    "geoip_city" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The city name of the source IP address"
    },
    "geoip_country_code" : {
      "type" : "string",
      "x-isAttributed" : false,
      "pattern" : "[A-Z]{2}",
      "description" : "Two-character ISO 3166-1 country code for the source IP address"
    },
    "geoip_country_name" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The country name of the source IP address"
    },
    "geoip_organization" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The organization name attributed to the source IP address"
    },
    "geoip_region" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The region name of the source IP address"
    },
    "server_address" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "IP address of the server or resource being accessed",
      "oneOf" : [ {
        "format" : "ipv4"
      }, {
        "format" : "ipv6"
      } ]
    },
    "url_host" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The hostname present in the HTTP request",
      "format" : "hostname"
    },
    "http_method" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The method specified in the HTTP request"
    },
    "url_path" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The path specified in the HTTP request"
    },
    "url_query" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The query parameters specified in the HTTP request"
    },
    "destination_port" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The server port requested in the HTTP request",
      "pattern" : "\\d+"
    },
    "incoming_bytes" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The size of the HTTP request that was sent by the client, in bytes",
      "pattern" : "\\d+"
    },
    "outgoing_bytes" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The size of the HTTP response that was returned to the client, in bytes",
      "pattern" : "\\d+"
    },
    "user_agent" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The user agent value from the HTTP request headers"
    },
    "referer" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The referer value from the HTTP request headers"
    },
    "forwarded_for" : {
      "type" : "string",
      "x-isAttributed" : false,
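      "description" : "List of IP addresses tracing the path of the request from the client to the web server through any intermediate proxies. This value is typically taken from a request header that the client or any proxy can set, so treat the addresses as unverified."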
    },
    "auth_user" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The username of the currently authenticated client requesting the web page"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON object produced by applying one or more user-defined custom parsers to the original data"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    }
  },
  "required" : [ "timestamp", "is_blocked", "source_address", "http_method" ],
  "description" : "Web application firewall (WAF) events, such as blocked requests or detected attacks"
}