Apache Spot Schema

This document is the single place where users can read about the proxy, DNS and flow schemas. Users who run their own ingest can use it to implement a module without spot-ingest, or to compare their output against it, by producing a data set with the columns each pipeline component expects.

Proxy

The table lists the attributes used for proxy. A :white_check_mark: in a component column (Spot-ingest, Spot-ml, Spot-oa, Spot-ui) means that component uses the field; "-" means it does not.

| Spot Field Name | Type | Description | Original Field Name | Format | Spot-ingest | Spot-ml | Spot-oa | Spot-ui |
|---|---|---|---|---|---|---|---|---|
| p_date | string | Date for the connection | date | yyyy-mm-dd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| p_time | string | Time for the connection | time | hh:MM:SS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| clientip | string | IP address of the client sending the request | c-ip | ip address | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| host | string | Hostname from the client's request URL | cs-host | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| reqmethod | string | Request method used from client to appliance (HTTP method: GET, POST, CONNECT) | cs-method | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| useragent | string | Browser type | cs(User-Agent) | quoted text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| resconttype | string | Content-type (e.g. text/html, image/xml) | rs(Content-Type) | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| duration | int | Duration of the connection | time-taken | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| username | string | Client username | cs-username | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| authgroup | string | Client authentication group | cs-auth-group | text | :white_check_mark: | - | - | - |
| exceptionid | string | Identifier of the exception resolved (empty if the transaction has not been terminated) | x-exception-id | text | :white_check_mark: | - | - | - |
| filterresult | string | Content filtering result: Denied, Proxied or Observed | sc-filter-result | text | :white_check_mark: | - | - | - |
| webcat | string | All content categories of the request URL | cs-categories | quoted text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| referer | string | Request header: Referer | cs(Referer) | url | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| respcode | string | Protocol status code from appliance to client (HTTP response codes) | sc-status | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| action | string | Type of action the appliance took to process this request; possible values include ALLOWED, DENIED, FAILED, SERVER_ERROR | s-action | text | :white_check_mark: | - | - | - |
| urischeme | string | Scheme of the original URL requested | cs-uri-scheme | text | :white_check_mark: | - | - | - |
| uriport | string | Port from the original URL requested | cs-uri-port | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| uripath | string | Path of the original URL requested, without query | cs-uri-path | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| uriquery | string | Query from the original URL requested | cs-uri-query | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| uriextension | string | Document extension from the original URL requested | cs-uri-extension | text | :white_check_mark: | - | - | - |
| serverip | string | IP address of the appliance on which the client established its connection | s-ip | ip address | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| scbytes | int | Number of bytes sent from appliance to client | sc-bytes | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| csbytes | int | Number of bytes sent from client to appliance | cs-bytes | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| virusid | string | x-virus-id | x-virus-id | text | :white_check_mark: | - | - | - |
| bcappname | string | x-bluecoat-application-name | x-bluecoat-application-name | quoted text | :white_check_mark: | - | - | - |
| bcappoper | string | x-bluecoat-application-operation | x-bluecoat-application-operation | quoted text | :white_check_mark: | - | - | - |
| fulluri | string | Full URI concatenated from the cs-host, cs-uri-path and cs-uri-query fields | none; calculated during ingest | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| word | string | - | - | - | - | - | :white_check_mark: | - |
| ml_score | float | - | - | - | - | - | :white_check_mark: | - |
| respcode_name | string | IANA translation of the response code column | - | - | - | - | :white_check_mark: | :white_check_mark: |
| uri_rep | string | Reputation value according to threat intelligence services | - | - | - | - | :white_check_mark: | :white_check_mark: |
| network_context | string | User-defined value | - | - | - | - | :white_check_mark: | :white_check_mark: |

Flow (spot-nfdump)

The table lists the attributes used for flow. A :white_check_mark: in a component column means that component uses the field; "-" means it does not.

| Spot Field Name | Type | Description | Original NFDUMP Field Name | Format | Spot-ingest | Spot-ml | Spot-oa | Spot-ui |
|---|---|---|---|---|---|---|---|---|
| treceived | string | Time the flow was received by the collector | tr | YYYY-mm-DD HH:MM:SS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| unix_tstamp | bigint | treceived as epoch time | none; calculated by the ingest HQL script | number (1471431305) | :white_check_mark: | - | - | - |
| tryear | int | treceived year | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| trmonth | int | treceived month | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| trday | int | treceived day | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| trhour | int | treceived hour | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| trminute | int | treceived minute | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| trsec | int | treceived seconds | none; calculated by spot-nfdump | numerical | :white_check_mark: | :white_check_mark: | - | - |
| tdur | float | Duration | td | xx.xx (18.04400062561035) | :white_check_mark: | :white_check_mark: | - | - |
| sip | string | Source IP address | sa | ip address, dotted decimal | :white_check_mark: | :white_check_mark: | - | - |
| dip | string | Destination IP address | da | ip address, dotted decimal | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| sport | int | Source port | sap | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| dport | int | Destination port | dap | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| proto | string | Protocol | pr | text (UDP, TCP, etc.) | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| flag | string | TCP flags | flg | dotted flag representation (.A....) | :white_check_mark: | - | :white_check_mark: | :white_check_mark: |
| fwd | int | Forwarding status | fwd | numerical | :white_check_mark: | - | - | - |
| stos | int | Source ToS (DSCP) | stos | numerical | :white_check_mark: | - | :white_check_mark: | :white_check_mark: |
| ipkt | bigint | Input packets | ipkt | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| ibyt | bigint | Input bytes | ibyt | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| opkt | bigint | Output packets | opkt | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| obyt | bigint | Output bytes | obyt | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| input | int | Input interface SNMP number | in | numerical | :white_check_mark: | - | :white_check_mark: | :white_check_mark: |
| output | int | Output interface SNMP number | out | numerical | :white_check_mark: | - | :white_check_mark: | :white_check_mark: |
| sas | int | Source AS number | sas | numerical | :white_check_mark: | - | - | - |
| das | int | Destination AS number | das | numerical | :white_check_mark: | - | - | - |
| dtos | int | Destination ToS (DSCP) | dtos | numerical | :white_check_mark: | - | - | - |
| dir | int | Direction | dir | numerical (0,1) | :white_check_mark: | - | - | - |
| rip | string | Router IP | ra | ip address, dotted decimal | :white_check_mark: | - | :white_check_mark: | :white_check_mark: |
| ML_score | float | Score assigned by ML | produced by ML | numerical | - | - | :white_check_mark: | - |
| rank | int | Rank number based on the order of ML_score values | produced by OA | numerical | - | - | - | :white_check_mark: |
| srcip_internal | int | Boolean value identifying an internal source IP | produced by OA | - | - | - | - | :white_check_mark: |
| dstip_internal | int | Boolean value identifying an internal destination IP | produced by OA | - | - | - | - | :white_check_mark: |
| src_geoloc | string | Latitude and longitude of the source IP | produced by OA | - | - | - | - | :white_check_mark: |
| dst_geoloc | string | Latitude and longitude of the destination IP | produced by OA | - | - | - | - | :white_check_mark: |
| src_domain | string | Domain assigned to the source IP | produced by OA | - | - | - | - | :white_check_mark: |
| dst_domain | string | Domain assigned to the destination IP | produced by OA | - | - | - | - | :white_check_mark: |
| src_rep | string | Collection of reputation values assigned to the source IP by different TI services | produced by OA | - | - | - | - | :white_check_mark: |
| dst_rep | string | Collection of reputation values assigned to the destination IP by different TI services | produced by OA | - | - | - | - | :white_check_mark: |

DNS

The table lists the attributes used for DNS. A :white_check_mark: in a component column means that component uses the field; "-" means it does not. The original field names are the tshark display-filter fields the records are extracted from.

| Spot Field Name | Type | Description | Original Tshark Field Name | Format | Spot-ingest | Spot-ml | Spot-oa | Spot-ui |
|---|---|---|---|---|---|---|---|---|
| frame_time | string | Tshark frame time received | frame.time | e.g. Jan 4 2017 04:41:06.337519000 UTC | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| unix_tstamp | bigint | Tshark frame time received, epoch format | frame.time_epoch | numerical (1483504866) | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| frame_len | int | Tshark frame length | frame.len | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| ip_dst | string | Tshark IP destination (client IP) | ip.dst | ip address, dotted decimal | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| ip_src | string | Tshark IP source (DNS server IP) | ip.src | ip address, dotted decimal | - | - | :white_check_mark: | - |
| dns_qry_name | string | Tshark DNS query name | dns.qry.name | text | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| dns_qry_class | string | Tshark DNS query class | dns.qry.class | hexadecimal (0x00000001) | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| dns_qry_type | int | Tshark DNS query type | dns.qry.type | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| dns_qry_rcode | int | Tshark DNS query response code | dns.flags.rcode | numerical | :white_check_mark: | :white_check_mark: | :white_check_mark: | - |
| dns_a | string | Tshark DNS A record of the answer | dns.a | text | - | - | - | :white_check_mark: |
| ML_score | float | Score assigned by ML | produced by ML | - | - | - | :white_check_mark: | :white_check_mark: |
| tld | string | Top-level domain obtained from the query name column | produced by OA | - | - | - | - | :white_check_mark: |
| query_rep | string | Collection of reputation values assigned to the query name by different TI services | produced by OA | - | - | - | - | :white_check_mark: |
| hh | int | Hour of day obtained from the frame time column | produced by OA | - | - | - | - | :white_check_mark: |
| dns_qry_class_name | string | Translation of the query class code | produced by OA | - | - | - | - | :white_check_mark: |
| dns_qry_type_name | string | Translation of the query type code | produced by OA | - | - | - | - | :white_check_mark: |
| dns_qry_rcode_name | string | Translation of the query response code | produced by OA | - | - | - | - | :white_check_mark: |
| network_context | string | Value identifying the destination IP as internal to the network | produced by OA | - | - | - | - | :white_check_mark: |

Proxy Schema for spot-ingest

The table shows proxy schema attributes and the rules used specifically for ingest.

| Spot field name | Rules | Comments |
|---|---|---|
| p_date | - | - |
| p_time | - | - |
| clientip | - | - |
| host | - | - |
| reqmethod | - | - |
| useragent | - | - |
| resconttype | - | - |
| duration | - | - |
| username | - | - |
| authgroup | - | - |
| exceptionid | - | - |
| filterresult | - | - |
| webcat | - | - |
| referer | - | - |
| respcode | - | - |
| action | - | - |
| urischeme | - | - |
| uriport | - | - |
| uripath | - | - |
| uriquery | - | - |
| uriextension | - | - |
| serverip | - | - |
| scbytes | - | - |
| csbytes | - | - |
| virusid | - | - |
| bcappname | - | - |
| bcappoper | - | - |
| fulluri | - | produced by ingest |

Proxy Schema for spot-ml

The table shows proxy schema attributes and the rules used specifically for machine learning (ml).

| Spot field name | Rules | Comments |
|---|---|---|
| p_date | Can't be null | - |
| p_time | Can't be null | - |
| clientip | Can't be null | - |
| host | Can't be null | - |
| reqmethod | - | - |
| useragent | - | Null will be replaced with "-" |
| resconttype | - | Null will be replaced with "-" |
| duration | - | - |
| username | - | - |
| webcat | - | - |
| referer | - | - |
| respcode | - | - |
| uriport | - | - |
| uripath | - | - |
| uriquery | - | - |
| serverip | - | - |
| scbytes | - | - |
| csbytes | - | - |
| fulluri | Can't be null | - |
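The following Python is an added example, not spot-ingest or spot-ml code. It shows what a custom ingest has to produce before handing proxy records to spot-ml: the `fulluri` column the schema table describes as concatenated from cs-host, cs-uri-path and cs-uri-query, the "-" substitution for a null useragent or resconttype, and the not-null checks from the table above. How the three URI parts are joined (plain concatenation, with cs-uri-query carrying its own leading "?") and the treatment of the Blue Coat "-" placeholder as an absent value are assumptions of this example; the sample rows are constructed.

```python
# Added example (not Apache Spot project code): normalize proxy records for
# spot-ml and report which can't-be-null rules a record breaks.

REQUIRED_FOR_ML = ("p_date", "p_time", "clientip", "host", "fulluri")
DASH_IF_NULL = ("useragent", "resconttype")


def _present(value):
    """Blue Coat ELFF logs write "-" for an absent value; treating that
    placeholder as null is an assumption of this example."""
    return value not in (None, "", "-")


def build_fulluri(host, uripath, uriquery):
    """Concatenate cs-host, cs-uri-path and cs-uri-query (assumption: the
    query already carries its leading "?" when present)."""
    return "".join(part for part in (host, uripath, uriquery) if _present(part))


def normalize_for_ml(record):
    """Return a copy with "-" in place of a null useragent/resconttype and
    fulluri filled in when the ingest did not supply it."""
    out = dict(record)
    for col in DASH_IF_NULL:
        if out.get(col) is None:
            out[col] = "-"
    if out.get("fulluri") is None:
        out["fulluri"] = build_fulluri(out.get("host"), out.get("uripath"), out.get("uriquery"))
    return out


def ml_violations(record):
    """Names of the can't-be-null columns that are null or empty (empty list = accepted)."""
    return [col for col in REQUIRED_FOR_ML if record.get(col) in (None, "")]


def process(rows):
    """Split normalized rows into (accepted, rejected) for spot-ml."""
    accepted, rejected = [], []
    for row in rows:
        normalized = normalize_for_ml(row)
        (rejected if ml_violations(normalized) else accepted).append(normalized)
    return accepted, rejected


# Constructed sample rows, already split into the Spot proxy columns.
SAMPLE_ROWS = [
    {"p_date": "2017-01-04", "p_time": "04:41:06", "clientip": "10.0.0.12",
     "host": "www.example.com", "reqmethod": "GET", "useragent": None,
     "resconttype": "text/html", "duration": 120, "username": "-",
     "webcat": "Search Engines/Portals", "referer": "-", "respcode": "200",
     "uriport": "80", "uripath": "/index.html", "uriquery": "?q=spot",
     "serverip": "10.0.0.2", "scbytes": 5120, "csbytes": 380},
    # a CONNECT with no host: spot-ml would reject it on host and fulluri
    {"p_date": "2017-01-04", "p_time": "04:41:07", "clientip": "10.0.0.13",
     "host": None, "reqmethod": "CONNECT", "useragent": "curl/7.50.1",
     "resconttype": None, "uripath": "-", "uriquery": "-"},
]

if __name__ == "__main__":
    ok, bad = process(SAMPLE_ROWS)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for row in bad:
        print("rejected, violates:", ml_violations(row))
```

The check is deliberately run after normalization: a record whose host is null still fails, because `build_fulluri` then yields an empty string and `fulluri` is itself a can't-be-null column.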

Proxy Schema for spot-oa

The table shows proxy schema attributes and the rules used specifically for operation analytics (oa).

| Spot field name | Rules | Comments |
|---|---|---|
| p_date | - | - |
| p_time | - | - |
| clientip | - | - |
| host | - | - |
| reqmethod | - | - |
| useragent | - | - |
| resconttype | - | - |
| duration | - | - |
| username | - | - |
| webcat | - | - |
| referer | - | - |
| respcode | - | - |
| uriport | - | - |
| uripath | - | - |
| uriquery | - | - |
| serverip | - | - |
| scbytes | - | - |
| csbytes | - | - |
| fulluri | - | - |
| word | - | - |
| ml_score | - | - |
| respcode_name | - | Produced by OA |
| uri_rep | - | Produced by OA |
| network_context | - | Produced by OA |

Proxy Schema for spot-ui

The table shows proxy schema attributes and the rules used specifically for user interface (ui).

| Spot field name | Rules | Comments |
|---|---|---|
| p_date | - | - |
| p_time | - | - |
| clientip | - | - |
| host | - | - |
| reqmethod | - | - |
| useragent | - | - |
| resconttype | - | - |
| duration | - | - |
| username | - | - |
| webcat | - | - |
| referer | - | - |
| respcode | - | - |
| uriport | - | - |
| uripath | - | - |
| uriquery | - | - |
| serverip | - | - |
| scbytes | - | - |
| csbytes | - | - |
| fulluri | - | - |
| respcode_name | - | Optional |
| uri_rep | - | Optional |
| network_context | - | Optional |

Flow Schema for spot-ingest

The table shows flow schema attributes and the rules used specifically for ingest.

| Spot field name | Rules | Comments |
|---|---|---|
| treceived | - | - |
| unix_tstamp | - | produced by ingest |
| tryear | - | produced by spot-nfdump |
| trmonth | - | produced by spot-nfdump |
| trday | - | produced by spot-nfdump |
| trhour | - | produced by spot-nfdump |
| trminute | - | produced by spot-nfdump |
| trsec | - | produced by spot-nfdump |
| tdur | - | - |
| sip | - | - |
| dip | - | - |
| sport | - | - |
| dport | - | - |
| proto | - | - |
| flag | - | - |
| fwd | - | - |
| stos | - | - |
| ipkt | - | - |
| ibyt | - | - |
| opkt | - | - |
| obyt | - | - |
| input | - | - |
| output | - | - |
| sas | - | - |
| das | - | - |
| dtos | - | - |
| dir | - | - |
| rip | - | - |

Flow Schema for spot-ml

The table shows flow schema attributes and the rules used specifically for machine learning (ml).

| Spot field name | Rules | Comments |
|---|---|---|
| treceived | Can't be null | - |
| tryear | - | - |
| trmonth | - | - |
| trday | - | - |
| trhour | Should be a number between 0 and 23 | - |
| trminute | Should be a number between 0 and 59 | - |
| trsec | Should be a number between 0 and 59 | - |
| tdur | - | - |
| sip | Can't be null | - |
| dip | Can't be null | - |
| sport | Should be greater than or equal to 0 | - |
| dport | Should be greater than or equal to 0 | - |
| proto | - | - |
| ipkt | Should be greater than or equal to 0 | - |
| ibyt | Should be greater than or equal to 0 | - |
| opkt | - | - |
| obyt | - | - |
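The following Python is an added example, not spot-nfdump, spot-ingest or spot-ml code. It derives the columns the flow schema table marks as computed downstream of nfdump (tryear through trsec, and unix_tstamp) from `treceived`, then applies the spot-ml rules in the table above. Reading `treceived` as UTC is an assumption of this example; the sample flows are constructed, with the first timestamp chosen so that its epoch value matches the unix_tstamp example given in the schema table (1471431305).

```python
# Added example (not Apache Spot project code): derive the flow time columns
# from treceived and check a flow against the spot-ml rules.
import calendar
from datetime import datetime

TRECEIVED_FMT = "%Y-%m-%d %H:%M:%S"        # the table's YYYY-mm-DD HH:MM:SS
NOT_NULL = ("treceived", "sip", "dip")
NON_NEGATIVE = ("sport", "dport", "ipkt", "ibyt")
RANGES = {"trhour": (0, 23), "trminute": (0, 59), "trsec": (0, 59)}


def derive_time_columns(treceived):
    """tryear..trsec and unix_tstamp, computed from treceived (read as UTC)."""
    stamp = datetime.strptime(treceived, TRECEIVED_FMT)
    return {
        "unix_tstamp": calendar.timegm(stamp.timetuple()),
        "tryear": stamp.year, "trmonth": stamp.month, "trday": stamp.day,
        "trhour": stamp.hour, "trminute": stamp.minute, "trsec": stamp.second,
    }


def ml_violations(flow):
    """Human-readable list of the spot-ml rules the flow breaks (empty = accepted)."""
    problems = []
    for col in NOT_NULL:
        if flow.get(col) in (None, ""):
            problems.append(f"{col} is null")
    for col, (low, high) in RANGES.items():
        value = flow.get(col)
        if value is None or not low <= value <= high:
            problems.append(f"{col} not in {low}..{high}")
    for col in NON_NEGATIVE:
        value = flow.get(col)
        if value is None or value < 0:
            problems.append(f"{col} must be >= 0")
    return problems


def prepare_flow(raw):
    """Fill in the derived time columns and return (flow, violations)."""
    flow = dict(raw)
    if flow.get("treceived"):
        flow.update(derive_time_columns(flow["treceived"]))
    return flow, ml_violations(flow)


# Constructed sample flows, already in the Spot column names.
SAMPLE_FLOWS = [
    {"treceived": "2016-08-17 10:55:05", "tdur": 18.044, "sip": "10.0.0.5",
     "dip": "93.184.216.34", "sport": 51234, "dport": 443, "proto": "TCP",
     "flag": ".AP.SF", "stos": 0, "ipkt": 12, "ibyt": 2048, "opkt": 10,
     "obyt": 9000, "input": 1, "output": 2, "rip": "10.0.0.1"},
    # should be rejected: null dip and a negative source port
    {"treceived": "2016-08-17 10:55:06", "tdur": 0.0, "sip": "10.0.0.6",
     "dip": None, "sport": -1, "dport": 53, "proto": "UDP", "flag": "......",
     "stos": 0, "ipkt": 1, "ibyt": 76, "opkt": 0, "obyt": 0},
]

if __name__ == "__main__":
    for raw in SAMPLE_FLOWS:
        flow, problems = prepare_flow(raw)
        print(flow.get("unix_tstamp"), problems or "ok")
```

A flow with a null `treceived` fails both the not-null rule and all three range rules, because the hour, minute and second columns cannot be derived; that matches the table, which marks treceived as the source of those columns.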

Flow Schema for spot-oa

The table shows flow schema attributes and the rules used specifically for operation analytics (oa).

| Spot field name | Rules | Comments |
|---|---|---|
| treceived | - | - |
| sip | - | - |
| dip | - | - |
| sport | - | - |
| dport | - | - |
| proto | - | - |
| flag | - | - |
| stos | - | - |
| ipkt | - | - |
| ibyt | - | - |
| opkt | - | - |
| obyt | - | - |
| input | - | - |
| output | - | - |
| rip | - | - |
| ML_score | - | - |

Flow Schema for spot-ui

The table shows flow schema attributes and the rules used specifically for user interface (ui).

| Spot field name | Rules | Comments |
|---|---|---|
| treceived | - | - |
| sip | - | - |
| dip | - | - |
| sport | - | - |
| dport | - | - |
| proto | - | - |
| flag | - | - |
| stos | - | - |
| ipkt | - | - |
| ibyt | - | - |
| opkt | - | - |
| obyt | - | - |
| input | - | - |
| output | - | - |
| rip | - | - |
| rank | - | - |
| srcip_internal | - | - |
| dstip_internal | - | - |
| src_geoloc | - | - |
| dst_geoloc | - | - |
| src_domain | - | - |
| dst_domain | - | - |
| src_rep | - | - |
| dst_rep | - | - |

DNS Schema for spot-ingest

The table shows DNS schema attributes and the rules used specifically for ingest.

| Spot field name | Rules | Comments |
|---|---|---|
| frame_time | - | - |
| unix_tstamp | - | - |
| frame_len | - | - |
| ip_dst | - | - |
| ip_src | - | - |
| dns_qry_name | - | - |
| dns_qry_class | - | - |
| dns_qry_type | - | - |
| dns_qry_rcode | - | - |
| dns_a | - | - |

DNS Schema for spot-ml

The table shows DNS schema attributes and the rules used specifically for machine learning (ml).

| Spot field name | Rules | Comments |
|---|---|---|
| frame_time | Can't be null, empty string or "-" | - |
| unix_tstamp | Should be a number greater than or equal to 0 | - |
| frame_len | Should be a number greater than or equal to 0 | - |
| ip_dst | Can't be null, empty string or "-" | - |
| dns_qry_name | Can't be null, empty string or "-" | - |
| dns_qry_class | If dns_qry_type and dns_qry_rcode are null, this one can't be null | - |
| dns_qry_type | If dns_qry_class and dns_qry_rcode are null, this one can't be null | - |
| dns_qry_rcode | If dns_qry_class and dns_qry_type are null, this one can't be null | - |
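The following Python is an added example, not spot-ml or spot-oa code. It applies the spot-ml DNS rules in the table above, treating null, the empty string and "-" as missing and combining the three conditional rules into a single "at least one of class, type and rcode" check, and then derives the OA-produced columns the DNS schema table lists (tld, hh, dns_qry_class_name, dns_qry_type_name, dns_qry_rcode_name). The name maps are a small subset of the IANA DNS parameter registries chosen for the example, "-" stands for an unknown code, and the sample records are constructed; the first reuses the frame_time and unix_tstamp example values from the schema table.

```python
# Added example (not Apache Spot project code): check DNS records against the
# spot-ml rules and derive the spot-oa translation columns.
from datetime import datetime

MISSING = (None, "", "-")
NOT_MISSING = ("frame_time", "ip_dst", "dns_qry_name")
NON_NEGATIVE = ("unix_tstamp", "frame_len")
ONE_OF = ("dns_qry_class", "dns_qry_type", "dns_qry_rcode")
# subset of the IANA registries, enough for the sample records
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS"}
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               5: "REFUSED"}


def ml_violations(rec):
    """List of the spot-ml rules the record breaks (empty = accepted)."""
    problems = [f"{col} missing" for col in NOT_MISSING if rec.get(col) in MISSING]
    for col in NON_NEGATIVE:
        value = rec.get(col)
        if value is None or value < 0:
            problems.append(f"{col} must be >= 0")
    # the three conditional rules together: at least one of class/type/rcode
    if all(rec.get(col) in MISSING for col in ONE_OF):
        problems.append("dns_qry_class, dns_qry_type and dns_qry_rcode all missing")
    return problems


def hour_from_frame_time(frame_time):
    """hh from e.g. "Jan 4 2017 04:41:06.337519000 UTC": drop the zone and the
    nanosecond fraction, which strptime's %f (microseconds) does not accept."""
    stamp = frame_time.rsplit(" ", 1)[0].split(".")[0]
    return datetime.strptime(stamp, "%b %d %Y %H:%M:%S").hour


def oa_enrich(rec):
    """Add the OA-produced columns from the DNS schema table to a copy of rec."""
    out = dict(rec)
    name = rec.get("dns_qry_name")
    out["tld"] = name.rstrip(".").rsplit(".", 1)[-1] if name not in MISSING else "-"
    cls = rec.get("dns_qry_class")           # stored as hex text, e.g. 0x00000001
    out["dns_qry_class_name"] = CLASS_NAMES.get(int(cls, 16), "-") if cls not in MISSING else "-"
    qtype = rec.get("dns_qry_type")
    out["dns_qry_type_name"] = TYPE_NAMES.get(qtype, "-") if qtype not in MISSING else "-"
    rcode = rec.get("dns_qry_rcode")
    out["dns_qry_rcode_name"] = RCODE_NAMES.get(rcode, "-") if rcode not in MISSING else "-"
    frame_time = rec.get("frame_time")
    out["hh"] = hour_from_frame_time(frame_time) if frame_time not in MISSING else -1
    return out


# Constructed sample records in the Spot DNS column names.
SAMPLE_DNS = [
    {"frame_time": "Jan 4 2017 04:41:06.337519000 UTC", "unix_tstamp": 1483504866,
     "frame_len": 86, "ip_dst": "10.0.0.20", "ip_src": "10.0.0.1",
     "dns_qry_name": "www.example.com", "dns_qry_class": "0x00000001",
     "dns_qry_type": 1, "dns_qry_rcode": 3, "dns_a": "-"},
    # should be rejected: placeholder frame_time, empty name, no class/type/rcode
    {"frame_time": "-", "unix_tstamp": 1483504867, "frame_len": 60,
     "ip_dst": "10.0.0.21", "ip_src": "10.0.0.1", "dns_qry_name": "",
     "dns_qry_class": "-", "dns_qry_type": None, "dns_qry_rcode": None},
]

if __name__ == "__main__":
    for rec in SAMPLE_DNS:
        problems = ml_violations(rec)
        print(problems if problems else oa_enrich(rec))
```

Note the different encodings the table specifies: dns_qry_class arrives as hexadecimal text and is parsed with base 16, while dns_qry_type and dns_qry_rcode are already integers, so an ingest that writes the class as a decimal number would silently produce the wrong class name here.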

DNS Schema for spot-oa

The table shows DNS schema attributes and the rules used specifically for operation analytics (oa).

| Spot field name | Rules | Comments |
|---|---|---|
| frame_time | - | - |
| unix_tstamp | - | - |
| frame_len | - | - |
| ip_dst | - | - |
| ip_src | - | - |
| dns_qry_name | - | - |
| dns_qry_class | - | - |
| dns_qry_type | - | - |
| dns_qry_rcode | - | - |
| ML_score | - | - |

DNS Schema for spot-ui

The table shows DNS schema attributes and the rules used specifically for user interface (ui).

| Spot field name | Rules | Comments |
|---|---|---|
| dns_a | - | - |
| ML_score | - | - |
| tld | - | - |
| query_rep | - | - |
| hh | - | - |
| dns_qry_class_name | - | - |
| dns_qry_type_name | - | - |
| dns_qry_rcode_name | - | - |
| network_context | - | - |
network_context--