FIREWALL
The firewall data model below aligns with the most commonly used firewalls and their log formats. Read more about how to use the DNIF Data Model.
$Field | Possible Values | Description
---|---|---
$App | | Name of the application or service
$AppService | | Type of service running on the device
$AtkDesc | | A brief overview of the type of attack detected
$AtkMsg | | The name of the malware infection detected on the client (destination device), such as Trojan.FakeAV, Spyware.Keylogger and W32.sillfdc
$AuthProtocol | VPN, SSH, WEB, CLI | The type of protocol used for authentication
$BaseURL | | The URL (Uniform Resource Locator) or web address being accessed
$CPU | | Percentage of CPU (processor) utilised on the device
$CVE | | An identifier from the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org)
$Daemon | | A program that runs in the background
$DevAction | | The action performed by the device itself rather than under the direct control of a user, triggered by the occurrence of a specific event or condition
$Domain | |
$DstCN | | The country for which the event was intended
$DstIP | | The IP address that was targeted
$DstPort | | The port number that was targeted on the host machine
$DstTranIP | |
$DstTranPort | |
$DstTranZone | |
$DstUser | | Name of the targeted user
$DstZone | |
$EventID | | A unique identifier for the generated event
$Action | PACK_BLKD, LOGIN_FAIL, LOGIN | The action performed on the resource
$File | |
$FileHash | | The hashes of the files identified as a threat. Note: to identify the file a hash belongs to, refer to the ‘FileName’ and ‘FilePath’ fields
$FileName | | The name of the file used
$Hits | | The total number of counts for a request
$Iface | |
$IfaceIn | |
$IfaceOut | |
$LogLevel | NOTICE, WARNING, INFORMATION, CRITICAL, ERROR |
$MEM | | Percentage of memory (RAM) utilised on the device
$Message | | A summary of the activity performed by the malware or application
$PID | | A unique identifier of a process running within a system
$PolicyName | | The name of the firewall policy applied to the current event
$Process | | The name of the process, for example ‘httpd’
$Proto | | The communication protocol involved, such as SMTP or FTP
$Reason | |
$RXLen | | The size/length of the received message
$ScrPort | | The port number that was targeted on the host machine
$Server | |
$Severity | | The severity/importance of the identified threat event. Note: the higher the number, the greater the severity
$SiteClass | |
$SrcCN | | The country from which the event was triggered
$SrcIP | | The source IP address of the event
$SrcPort | | The port number from which the host appears to be targeted, for example 80 (HTTP) or 22 (SSH)
$SrcTranIP | |
$SrcTranPort | |
$SrcTranZone | |
$SrcUser | | Name of the user using the application at the source address
$SrcZone | |
$Status | NEF, NLF, PAD, PER | States whether the current event was parsed as desired
$SubSystem | FIREWALL, AUTHENTICATION, VIRUS, SYSTEM, ADMINISTRATION, ANTIVIRUS, THREAT, WEBFILTER | The name of the process or service that encountered malicious activity during its operation. Note: this field is not for service or daemon names such as SQL Server or Web Server; those belong in the ‘Daemon’ field
$SystemName | | Name of the system/host machine
$SystemTstamp | | The system time at which the event was generated
$TargetUser | | Name of the user being targeted
$TLen | |
$TotalSession | |
$TunnelIP | |
$TXLen | | The length or size of the transmitted message
$TXTime | | The time taken by the message to travel from the source to the destination device
$URL | | The URL (Uniform Resource Locator) or web address being accessed
$User | | Name of the user using the application
$UserAgent | |
$ActionTaken | | Action taken by the reporting device
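As an added illustration, not code from DNIF or its documentation, the following Python normalises a constructed key=value firewall log line into the field names listed above and reports which core fields are missing, so an analyst can see where a parser falls short of the model. The sample line, the key-to-field mapping, the action, protocol and log-level lookups, and the set of fields treated as required are all assumptions made for this example; a real DNIF parser's mapping is vendor-specific and is not reproduced here.

```python
import re
from typing import Dict, List

# Constructed sample line in the key=value style many firewalls emit.
# It is not a real vendor log; every value is made up for this example.
SAMPLE_LOG = (
    'date=2024-01-15 time=10:22:31 devname="fw-edge-01" subtype="forward" '
    'level="notice" srcip=10.0.0.23 srcport=51234 srcintf="lan" '
    'dstip=203.0.113.10 dstport=443 dstintf="wan1" proto=6 '
    'action="deny" policyname="block-outbound-unknown" '
    'sentbyte=512 rcvdbyte=0 sessionid=884213'
)

# Assumed mapping from the sample's keys to the data model field names.
KEY_TO_FIELD = {
    "devname": "$SystemName",
    "srcip": "$SrcIP",
    "srcport": "$SrcPort",
    "srcintf": "$IfaceIn",
    "dstip": "$DstIP",
    "dstport": "$DstPort",
    "dstintf": "$IfaceOut",
    "policyname": "$PolicyName",
    "sentbyte": "$TXLen",
    "rcvdbyte": "$RXLen",
    "sessionid": "$EventID",
}

# Assumed normalisation of vendor action words to the $Action values in the
# table (PACK_BLKD for a blocked packet); unknown actions are upper-cased.
ACTION_MAP = {"deny": "PACK_BLKD", "drop": "PACK_BLKD", "block": "PACK_BLKD"}

# Assumed mapping of IP protocol numbers to the names used in $Proto.
PROTO_MAP = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Assumed mapping of vendor levels to the $LogLevel values in the table.
LEVEL_MAP = {
    "notice": "NOTICE", "warning": "WARNING", "info": "INFORMATION",
    "information": "INFORMATION", "critical": "CRITICAL", "error": "ERROR",
}

# Fields this example treats as required for a usable firewall event
# (an assumption, not a rule from the data model).
REQUIRED_FIELDS = ["$SrcIP", "$DstIP", "$Action"]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict of raw string values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def to_firewall_model(line: str) -> Dict[str, object]:
    """Map one raw log line onto the $-prefixed firewall data model fields."""
    raw = parse_kv(line)
    event: Dict[str, object] = {"$SubSystem": "FIREWALL"}
    for key, field in KEY_TO_FIELD.items():
        if key in raw:
            event[field] = raw[key]
    # Ports and byte counters are stored as integers, not strings.
    for field in ("$SrcPort", "$DstPort", "$TXLen", "$RXLen"):
        if field in event:
            event[field] = int(str(event[field]))
    if "proto" in raw:
        event["$Proto"] = PROTO_MAP.get(raw["proto"], raw["proto"])
    if "action" in raw:
        # $ActionTaken keeps the device's own word; $Action is the normalised value.
        event["$ActionTaken"] = raw["action"]
        event["$Action"] = ACTION_MAP.get(raw["action"].lower(), raw["action"].upper())
    if "level" in raw:
        event["$LogLevel"] = LEVEL_MAP.get(raw["level"].lower(), raw["level"].upper())
    if "date" in raw and "time" in raw:
        event["$SystemTstamp"] = f"{raw['date']}T{raw['time']}"
    return event


def required_missing(event: Dict[str, object]) -> List[str]:
    """Return the required fields absent from a normalised event, in table order."""
    return [f for f in REQUIRED_FIELDS if f not in event]


if __name__ == "__main__":
    normalised = to_firewall_model(SAMPLE_LOG)
    for name in sorted(normalised):
        print(f"{name:<15} {normalised[name]}")
    print("missing:", required_missing(normalised))
```

The split between `$ActionTaken` (the device's own verb) and `$Action` (the normalised value) mirrors the two rows in the table, and `required_missing` is the kind of check a parser pipeline can run before deciding whether an event was parsed as desired.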