{
"namespace":"org.apache.spot",
"name":"event",
"type": "record",
"fields": [
{"name":"event_time","type":["null","long"],"doc":"timestamp of event (UTC)", "default": null},
{"name":"begin_time","type":["null","long"],"doc":"timestamp of event (UTC)", "default": null},
{"name":"end_time","type":["null","long"],"doc":"timestamp of event (UTC)", "default": null},
{"name":"event_insert_time","type":["null","long"],"doc":"timestamp of event (UTC)", "default": null},
{"name":"last_update_time","type":["null","long"],"doc":"timestamp of event (UTC)", "default": null},
{"name":"duration", "type":["null","float"],"doc":"Time duration (milliseconds)", "default": null},
{"name":"event_id", "type":["null","string"],"doc":"Unique identifier for event", "default": null},
{"name":"name", "type":["null","string"],"doc":"Name of event", "default": null},
{"name":"org", "type":["null","string"],"doc":"Organization", "default": null},
{"name":"type", "type":["null","string"],"doc":"Type information", "default": null},
{"name":"n_proto", "type":["null","string"],"doc":"Network protocol of event", "default": null},
{"name":"a_proto", "type":["null","string"],"doc":"Application protocol of event", "default": null},
{"name":"msg", "type":["null","string"],"doc":"Message (details of action taken on object)", "default": null},
{"name":"mac", "type":["null","string"],"doc":"MAC address", "default": null},
{"name":"severity", "type":["null","string"],"doc":"Severity of event", "default": null},
{"name":"raw", "type":["null","string"],"doc":"Raw text message of entire event", "default": null},
{"name":"risk", "type":["null","float"],"doc":"Risk score", "default": null},
{"name":"code", "type":["null","string"],"doc":"Response or error code", "default": null},
{"name":"category", "type":["null","string"],"doc":"Event category", "default": null},
{"name":"query", "type":["null","string"],"doc":"Query (DNS query, URI query, SQL query, etc.)", "default": null},
{"name":"service", "type":["null","string"],"doc":"Service (service name or type of service)", "default": null},
{"name":"state", "type":["null","string"],"doc":"State of object", "default": null},
{"name":"in_bytes", "type":["null","long"],"doc":"Bytes in", "default": null},
{"name":"out_bytes", "type":["null","long"],"doc":"Bytes out", "default": null},
{"name":"xref", "type":["null","string"],"doc":"External reference to public description", "default": null},
{"name":"version", "type":["null","string"],"doc":"Version", "default": null},
{"name":"api", "type":["null","string"],"doc":"API label", "default": null},
{"name":"parameter", "type":["null","string"],"doc":"Parameter label", "default": null},
{"name":"action", "type":["null","string"],"doc":"Action label", "default": null},
{"name":"proc", "type":["null","string"],"doc":"Process label", "default": null},
{"name":"app", "type":["null","string"],"doc":"Application label", "default": null},
{"name":"disposition", "type":["null","string"],"doc":"Disposition label", "default": null},
{"name":"prevalence", "type":["null","string"],"doc":"Prevalence label", "default": null},
{"name":"confidence", "type":["null","string"],"doc":"Confidence label", "default": null},
{"name":"sensitivity", "type":["null","string"],"doc":"Sensitivity label", "default": null},
{"name":"count", "type":["null","int"],"doc":"Generic count", "default": null},
{"name":"company", "type":["null","string"],"doc":"Company label", "default": null},
{"name":"additional_attrs","type":["null", {"type": "map", "values": "string"}],"default":null, "doc":"Additional attributes of the event"},
{"name":"totrust", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"fromtrust", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"rule", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"threat", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"pcap_id", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"dvc_time", "type":["null","long"],"doc":"UTC timestamp from device where event/alert originates or is received", "default": null},
{"name":"dvc_ip4", "type":["null","long"],"doc":"IP address of device", "default": null},
{"name":"dvc_ip4_str", "type":["null","string"],"doc":"IP address of device", "default": null},
{"name":"dvc_ip6", "type":["null","long"],"doc":"IP address of device", "default": null},
{"name":"dvc_ip6_str", "type":["null","string"],"doc":"IP address of device", "default": null},
{"name":"dvc_host", "type":["null","string"],"doc":"Hostname of device", "default": null},
{"name":"dvc_domain", "type":["null","string"],"doc":"Domain of device", "default": null},
{"name":"dvc_type", "type":["null","string"],"doc":"Device type that generated the log", "default": null},
{"name":"dvc_vendor", "type":["null","string"],"doc":"Vendor", "default": null},
{"name":"dvc_fwd_ip4", "type":["null","long"],"doc":"Forwarded from device", "default": null},
{"name":"dvc_fwd_ip4_str", "type":["null","string"],"doc":"Forwarded from device", "default": null},
{"name":"dvc_fwd_ip6", "type":["null","long"],"doc":"Forwarded from device", "default": null},
{"name":"dvc_fwd_ip6_str", "type":["null","string"],"doc":"Forwarded from device", "default": null},
{"name":"dvc_version", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"src_ip4", "type":["null","long"],"doc":"Source ip address of event", "default": null},
{"name":"src_ip4_str", "type":["null","string"],"doc":"Source ip address of event", "default": null},
{"name":"src_ip6", "type":["null","long"],"doc":"Source ip address of event", "default": null},
{"name":"src_ip6_str", "type":["null","string"],"doc":"Source ip address of event", "default": null},
{"name":"src_host", "type":["null","string"],"doc":"Source FQDN of event", "default": null},
{"name":"src_domain", "type":["null","string"],"doc":"Domain name of source address", "default": null},
{"name":"src_port", "type":["null","int"],"doc":"Source port of event", "default": null},
{"name":"src_country_code", "type":["null","string"],"doc":"Source country code", "default": null},
{"name":"src_country_name", "type":["null","string"],"doc":"Source country name", "default": null},
{"name":"src_region", "type":["null","string"],"doc":"Source region", "default": null},
{"name":"src_city", "type":["null","string"],"doc":"Source city", "default": null},
{"name":"src_lat", "type":["null","int"],"doc":"Source latitude", "default": null},
{"name":"src_long", "type":["null","int"],"doc":"Source longitude", "default": null},
{"name":"dst_ip4", "type":["null","long"],"doc":"Destination ip address of event", "default": null},
{"name":"dst_ip4_str", "type":["null","string"],"doc":"Destination ip address of event", "default": null},
{"name":"dst_ip6", "type":["null","long"],"doc":"Destination ip address of event", "default": null},
{"name":"dst_ip6_str", "type":["null","string"],"doc":"Destination ip address of event", "default": null},
{"name":"dst_host", "type":["null","string"],"doc":"Destination FQDN of event", "default": null},
{"name":"dst_domain", "type":["null","string"],"doc":"Domain name of destination address", "default": null},
{"name":"dst_port", "type":["null","int"],"doc":"Destination port of event", "default": null},
{"name":"dst_country_code", "type":["null","string"],"doc":"Destination country code", "default": null},
{"name":"dst_country_name", "type":["null","string"],"doc":"Destination country name", "default": null},
{"name":"dst_region", "type":["null","string"],"doc":"Destination region", "default": null},
{"name":"dst_city", "type":["null","string"],"doc":"Destination city", "default": null},
{"name":"dst_lat", "type":["null","int"],"doc":"Destination latitude", "default": null},
{"name":"dst_long", "type":["null","int"],"doc":"Destination longitude", "default": null},
{"name":"src_asn", "type":["null","int"],"doc":"Autonomous system number", "default": null},
{"name":"dst_asn", "type":["null","int"],"doc":"Autonomous system number", "default": null},
{"name":"net_direction", "type":["null","string"],"doc":"Direction", "default": null},
{"name":"net_flags", "type":["null","string"],"doc":"TCP flags", "default": null},
{"name":"file_name", "type":["null","string"],"doc":"Filename from event", "default": null},
{"name":"file_path", "type":["null","string"],"doc":"File path", "default": null},
{"name":"file_atime", "type":["null","long"],"doc":"Timestamp (UTC) of file access", "default": null},
{"name":"file_acls", "type":["null","string"],"doc":"File permissions", "default": null},
{"name":"file_type", "type":["null","string"],"doc":"Type of file", "default": null},
{"name":"file_size", "type":["null","int"],"doc":"Size of file in bytes", "default": null},
{"name":"file_desc", "type":["null","string"],"doc":"Description of file", "default": null},
{"name":"file_hash", "type":["null","string"],"doc":"Hash of file", "default": null},
{"name":"file_hash_type", "type":["null","string"],"doc":"Type of hash", "default": null},
{"name":"end_object", "type":["null","string"],"doc":"File/Process/Registry", "default": null},
{"name":"end_action", "type":["null","string"],"doc":"Action taken on object (open/delete/edit)", "default": null},
{"name":"end_msg", "type":["null","string"],"doc":"Message (details of action taken on object)", "default": null},
{"name":"end_app", "type":["null","string"],"doc":"Application", "default": null},
{"name":"end_location", "type":["null","string"],"doc":"Location", "default": null},
{"name":"end_proc", "type":["null","string"],"doc":"Process", "default": null},
{"name":"user_name", "type":["null","string"],"doc":"username from event", "default": null},
{"name":"src_user_name", "type":["null","string"],"doc":"username from event", "default": null},
{"name":"dst_user_name", "type":["null","string"],"doc":"username from event", "default": null},
{"name":"user_email", "type":["null","string"],"doc":"Email address", "default": null},
{"name":"user_id", "type":["null","string"],"doc":"userid", "default": null},
{"name":"user_loc", "type":["null","string"],"doc":"location", "default": null},
{"name":"user_desc", "type":["null","string"],"doc":"Description of user", "default": null},
{"name":"dns_class", "type":["null","string"],"doc":"DNS class", "default": null},
{"name":"dns_len", "type":["null","int"],"doc":"DNS frame length", "default": null},
{"name":"dns_query", "type":["null","string"],"doc":"Requested DNS query", "default": null},
{"name":"dns_response_code", "type":["null","string"],"doc":"Response code", "default": null},
{"name":"dns_answers", "type":["null","string"],"doc":"Response to DNS Query", "default": null},
{"name":"dns_type", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"prx_category", "type":["null","string"],"doc":"Event category", "default": null},
{"name":"prx_browser", "type":["null","string"],"doc":"Web browser", "default": null},
{"name":"prx_code", "type":["null","string"],"doc":"Error or response code", "default": null},
{"name":"prx_referrer", "type":["null","string"],"doc":"Referrer", "default": null},
{"name":"prx_host", "type":["null","string"],"doc":"Requested URI", "default": null},
{"name":"prx_filter_rule", "type":["null","string"],"doc":"Applied filter or rule", "default": null},
{"name":"prx_filter_result", "type":["null","string"],"doc":"Result of applied filter or rule", "default": null},
{"name":"prx_query", "type":["null","string"],"doc":"URI query", "default": null},
{"name":"prx_action", "type":["null","string"],"doc":"Action taken on object", "default": null},
{"name":"prx_method", "type":["null","string"],"doc":"HTTP method", "default": null},
{"name":"prx_type", "type":["null","string"],"doc":"Type of request", "default": null},
{"name":"http_request_method", "type":["null","string"],"doc":"HTTP method", "default": null},
{"name":"http_request_uri", "type":["null","string"],"doc":"Requested URI", "default": null},
{"name":"http_request_body_len", "type":["null","int"],"doc":"Length of request body", "default": null},
{"name":"http_request_user_name", "type":["null","string"],"doc":"username from event", "default": null},
{"name":"http_request_password", "type":["null","string"],"doc":"Password from event", "default": null},
{"name":"http_request_proxied", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"http_request_headers", "type":["null","string"],"default":null,"doc":"HTTP request headers"},
{"name":"http_response_status_code", "type":["null","int"],"doc":"HTTP response status code", "default": null},
{"name":"http_response_status_msg", "type":["null","string"],"doc":"HTTP response status message", "default": null},
{"name":"http_response_body_len", "type":["null","int"],"doc":"Length of response body", "default": null},
{"name":"http_response_info_code", "type":["null","int"],"doc":"HTTP response info code", "default": null},
{"name":"http_response_info_msg", "type":["null","string"],"doc":"HTTP response info message", "default": null},
{"name":"http_response_resp_fuids", "type":["null","string"],"doc":"Response FUIDS", "default": null},
{"name":"http_response_mime_types", "type":["null","string"],"doc":"Mime types", "default": null},
{"name":"http_response_headers", "type":["null","string"],"default":null,"doc":"Response headers"},
{"name":"smtp_trans_depth", "type":["null","int"],"doc":"Depth of email into SMTP exchange", "default": null},
{"name":"smtp_headers_helo", "type":["null","string"],"doc":"Helo header", "default": null},
{"name":"smtp_headers_mailfrom", "type":["null","string"],"doc":"Mailfrom header", "default": null},
{"name":"smtp_headers_rcptto", "type":["null","string"],"doc":"Rcptto header", "default": null},
{"name":"smtp_headers_date", "type":["null","string"],"doc":"Header date", "default": null},
{"name":"smtp_headers_from", "type":["null","string"],"doc":"From header", "default": null},
{"name":"smtp_headers_to", "type":["null","string"],"doc":"To header", "default": null},
{"name":"smtp_headers_reply_to", "type":["null","string"],"doc":"Reply to header", "default": null},
{"name":"smtp_headers_msg_id", "type":["null","string"],"doc":"Message ID", "default": null},
{"name":"smtp_headers_in_reply_to", "type":["null","string"],"doc":"In reply to header", "default": null},
{"name":"smtp_headers_subject", "type":["null","string"],"doc":"Subject", "default": null},
{"name":"smtp_headers_x_originating_ip4", "type":["null","long"],"doc":"Originating IP address", "default": null},
{"name":"smtp_headers_x_originating_ip4_str", "type":["null","string"],"doc":"Originating IP address", "default": null},
{"name":"smtp_headers_first_received", "type":["null","string"],"doc":"First to receive message", "default": null},
{"name":"smtp_headers_second_received", "type":["null","string"],"doc":"Second to receive message", "default": null},
{"name":"smtp_last_reply", "type":["null","string"],"doc":"Last reply in message chain", "default": null},
{"name":"smtp_path", "type":["null","string"],"doc":"Path of message", "default": null},
{"name":"smtp_user_agent", "type":["null","string"],"doc":"User agent", "default": null},
{"name":"smtp_tls", "type":["null","boolean"],"doc":"Indication of TLS use", "default": null},
{"name":"smtp_is_webmail", "type":["null","boolean"],"doc":"Indication of webmail", "default": null},
{"name":"ftp_user_name", "type":["null","string"],"doc":"Username", "default": null},
{"name":"ftp_password", "type":["null","string"],"doc":"Password", "default": null},
{"name":"ftp_command", "type":["null","string"],"doc":"FTP command", "default": null},
{"name":"ftp_arg", "type":["null","string"],"doc":"Argument", "default": null},
{"name":"ftp_mime_type", "type":["null","string"],"doc":"Mime type", "default": null},
{"name":"ftp_file_size", "type":["null","int"],"doc":"File size", "default": null},
{"name":"ftp_reply_code", "type":["null","int"],"doc":"Reply code", "default": null},
{"name":"ftp_reply_msg", "type":["null","string"],"doc":"Reply message", "default": null},
{"name":"ftp_data_channel_passive", "type":["null","boolean"],"doc":"Passive data channel?", "default": null},
{"name":"ftp_data_channel_rsp_p", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ftp_cwd", "type":["null","string"],"doc":"Current working directory", "default": null},
{"name":"ftp_cmdarg_ts", "type":["null","float"],"doc":"TBD", "default": null},
{"name":"ftp_cmdarg_cmd", "type":["null","string"],"doc":"Command", "default": null},
{"name":"ftp_cmdarg_arg", "type":["null","string"],"doc":"Command argument", "default": null},
{"name":"ftp_cmdarg_seq", "type":["null","int"],"doc":"Sequence", "default": null},
{"name":"ftp_pending_commands", "type":["null","string"],"doc":"Pending commands", "default": null},
{"name":"ftp_is_passive", "type":["null","boolean"],"doc":"Passive mode enabled", "default": null},
{"name":"ftp_fuid", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ftp_last_auth_requested", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"snmp_version", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"snmp_community", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"snmp_get_requests", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"snmp_get_bulk_requests", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"snmp_get_responses", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"snmp_set_requests", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"snmp_display_string", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"snmp_up_since", "type":["null","float"],"doc":"TBD", "default": null},
{"name":"tls_version", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_cipher", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_curve", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_server_name", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_resumed", "type":["null","boolean"],"doc":"TBD", "default": null},
{"name":"tls_next_protocol", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_established", "type":["null","boolean"],"doc":"TBD", "default": null},
{"name":"tls_cert_chain_fuids", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_client_cert_chain_fuids", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_subject", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"tls_issuer", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_version", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_auth_success", "type":["null","boolean"],"doc":"TBD", "default": null},
{"name":"ssh_client", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_server", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_cipher_algorithm", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_mac_algorithm", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_compression_algorithm", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_key_exchange_algorithm", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"ssh_host_key_algorithm", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"dhcp_assigned_ip4", "type":["null","long"],"doc":"TBD", "default": null},
{"name":"dhcp_assigned_ip4_str", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"dhcp_mac", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"dhcp_lease_time", "type":["null","double"],"doc":"TBD", "default": null},
{"name":"irc_user", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"irc_nickname", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"irc_command", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"irc_value", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"irc_additional_data", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_in_packets", "type":["null","long"],"doc":"TBD", "default": null},
{"name":"flow_out_packets", "type":["null","long"],"doc":"TBD", "default": null},
{"name":"flow_conn_state", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_history", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_src_dscp", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_dst_dscp", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_input", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"flow_output", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"vuln_id", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"vuln_type", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"vuln_status", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"vuln_severity", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_riskname", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_actualaction", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_requestedaction", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_secondaryaction", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_downloadsite", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_downloadedby", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_tracking_status", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_firstseen", "type":["null","long"],"doc":"TBD", "default": null},
{"name":"application_hash", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"application_hash_type", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"application_name", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"application_version", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"application_type", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_categoryset", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_categorytype", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_threat_count", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"av_infected_count", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"av_omitted_count", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"av_scanid", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"av_startmessage", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_stopmessage", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_totalfiles", "type":["null","int"],"doc":"TBD", "default": null},
{"name":"av_signatureid", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_signaturestring", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_signaturesubid", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_intrusionurl", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"av_intrusionpayloadurl", "type":["null","string"],"doc":"TBD", "default": null},
{"name":"objectname", "type":["null","string"],"doc":"TBD", "default": null}
],
"doc": "A view schema for storing Apache Spot Event data."
}