Standard Event Schema

Osmany Montero edited this page Jan 19, 2026 · 4 revisions

To ensure consistency and allow rules to work across different data sources, the EventProcessor uses a standardized event schema. All filters should aim to map extracted data to these standard fields.

Event Structure

The core event object consists of several top-level metadata fields and three main namespaces: log, origin, and target.

Top-Level Metadata

Metadata fields that describe the event itself.

| Field | Description |
| --- | --- |
| id | Unique identifier for the event (UUID). |
| @timestamp | The time the event was processed, in ISO 8601 format. |
| deviceTime | The original timestamp from the source device. |
| dataType | The category of the log (e.g., syslog, wineventlog, linux, firewall-fortigate-traffic). |
| dataSource | The specific source or integration name (e.g., o365-tenant-01). |
| tenantId | Unique ID of the organization the event belongs to. |
| action | The activity performed (e.g., login, file_create, connection). |
| actionResult | The outcome of the action (success, failure, denied). |
| protocol | Network protocol used (e.g., tcp, udp, http). |
| statusCode | Numerical status if applicable (e.g., HTTP 404). |
| severity | Event importance (debug, info, warning, error, critical). |

Namespaces

1. log.* (Custom Data)

The log namespace is a dictionary used for storing any field that does not fit into the standard categories below.

  • Usage: log.my_custom_field, log.parsing_status.

2. origin.* and target.* (Sides)

Used to describe the "Who" and "Whom" of an event: origin is the side that performs the action, target is the side it is performed on. Both namespaces support the same set of attributes.

Network Attributes

| Field | Description |
| --- | --- |
| ip | IPv4 or IPv6 address. |
| host | Hostname of the system. |
| domain | Domain name or FQDN. |
| port | Network port (integer). |
| mac | MAC address. |
| url | Full URL if applicable. |

Identity Attributes

| Field | Description |
| --- | --- |
| user | Username or account identifier. |
| group | Security group or role. |
| email | Email address associated with the side. |

Process & File Attributes

| Field | Description |
| --- | --- |
| process | Name of the executable. |
| command | Full command line executed. |
| file | Base filename. |
| path | Full directory path to the file. |
| hash | Generic hash (usually SHA256). |
| md5 / sha256 | Specific cryptographic hashes. |

Geolocation (Nested under origin.geolocation.* or target.geolocation.*)

| Field | Description |
| --- | --- |
| country | Country name. |
| countryCode | Two-letter ISO country code. |
| city | City name. |
| asn | Autonomous System Number. |
| aso | Autonomous System Organization. |

Best Practices for Filtering

  1. Always Map IPs: If your log contains IP addresses, map them to origin.ip and target.ip. This is critical for correlation and geolocation plugins.
  2. Normalize Actions: Use a consistent set of actions (e.g., login instead of logon or signin) to make rules more effective across different log types.
  3. Use the Raw Field: Keep the original log in the raw field during the first steps of parsing, then delete it at the end of the pipeline to save storage space.
  4. Case Sensitivity: By default, field names are case-sensitive. It is recommended to use camelCase for custom log fields.
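The following is an added example, not code from the EventProcessor project, showing a hypothetical filter that maps one constructed OpenSSH authentication line onto the schema above while applying the four practices: the client goes to origin.ip, the verb is normalized to login, the raw line is kept during parsing and deleted at the end, and custom fields live under log.* in camelCase. The parser regex, the SIDE_FIELDS set and the year parameter (syslog lines carry no year) are assumptions of this example.

```python
import re
import uuid
from datetime import datetime, timezone

# Attributes an origin/target side may carry, taken from the tables above.
SIDE_FIELDS = {"ip", "host", "domain", "port", "mac", "url", "user", "group", "email",
               "process", "command", "file", "path", "hash", "md5", "sha256", "geolocation"}
CAMEL_CASE = re.compile(r"^[a-z][a-zA-Z0-9]*$")
# Hypothetical parser for one OpenSSH auth line; SAMPLE_LINE is constructed, not real data.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
SAMPLE_LINE = ("Jan 19 10:42:07 bastion01 sshd[2231]: Failed password for invalid user "
               "admin from 203.0.113.5 port 51234 ssh2")

def validate(event):
    """Raise on side fields the schema does not define; return warnings for non-camelCase log.* keys."""
    for side in ("origin", "target"):
        unknown = set(event.get(side, {})) - SIDE_FIELDS
        if unknown:
            raise ValueError(f"{side} has undefined fields: {sorted(unknown)}")
    return [f"log.{k} is not camelCase" for k in event.get("log", {}) if not CAMEL_CASE.match(k)]

def normalize_sshd(raw, data_source, year=2026):
    """Map one sshd auth line onto the standard schema (syslog lines carry no year, hence the parameter)."""
    m = SSHD_RE.match(raw)
    if not m:
        return None  # not our format: leave it for another filter
    device_time = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    failed = m["result"] == "Failed"
    event = {
        "id": str(uuid.uuid4()),
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "deviceTime": device_time.replace(tzinfo=timezone.utc).isoformat(),
        "dataType": "syslog", "dataSource": data_source,
        "action": "login",  # one normalized verb, never "logon"/"signin" (best practice 2)
        "actionResult": "failure" if failed else "success",
        "protocol": "tcp",
        "severity": "warning" if failed else "info",
        # Best practice 1: the connecting client is the origin, the sshd host is the target.
        "origin": {"ip": m["ip"], "port": int(m["port"]), "user": m["user"]},
        "target": {"host": m["host"], "port": 22, "process": "sshd"},
        "log": {"authMethod": "password"},  # custom field in camelCase (best practice 4)
        "raw": raw,  # kept while the filter runs (best practice 3) ...
    }
    validate(event)
    del event["raw"]  # ... and dropped at the end of the pipeline to save storage
    return event
```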