FIREWALL


The firewall data model provided below aligns with the most commonly used firewalls and their log formats. Read more about how to use the DNIF Data Model

| Field | Possible Values | Description |
|---|---|---|
| $App | | Name of the application/service |
| $AppService | | Type of service running on the device |
| $AtkDesc | | A brief overview of the type of attack detected |
| $AtkMsg | | The name of the malware infection detected on the client (destination device), such as Trojan.FakeAV, Spyware.Keylogger, and W32.sillfdc |
| $AuthProtocol | | The type of protocol used for authentication: VPN, SSH, WEB, CLI |
| $BaseURL | | The URL (Uniform Resource Locator) or web address which was being accessed |
| $CPU | | The percentage of CPU (processor) utilised on the device |
| $CVE | | An identifier from the Common Vulnerabilities and Exposures index (searchable at http://cve.mitre.org) |
| $Daemon | | A program that runs in the background |
| $DevAction | | The action performed by the device itself, triggered by the occurrence of a specific event or condition rather than under the direct control of a user |
| $Domain | | |
| $DstCN | | The country for which the event was intended |
| $DstIP | | The IP address which was targeted |
| $DstPort | | The port number which was targeted on the host machine |
| $DstTranIP | | |
| $DstTranPort | | |
| $DstTranZone | | |
| $DstUser | | Name of the targeted user |
| $DstZone | | |
| $EventID | | A unique identifier for the generated event |
| $Action | PACK_BLKD, LOGIN_FAIL, LOGIN | The action performed on the resource |
| $File | | |
| $FileHash | | The hashes of the files which have been identified as a threat. Note: to identify the file a hash belongs to, refer to the ‘FileName’ and ‘FilePath’ fields |
| $FileName | | The name of the file used |
| $Hits | | The total number of counts for a request |
| $Iface | | |
| $IfaceIn | | |
| $IfaceOut | | |
| $LogLevel | NOTICE, WARNING, INFORMATION, CRITICAL, ERROR | |
| $MEM | | The percentage of memory (RAM) utilised on the device |
| $Message | | A summary of the activity performed by the malware or application |
| $PID | | A unique identifier for a process running within a system |
| $PolicyName | | The name of the firewall policy which was applied for the current event |
| $Process | | The name of the process, for example ‘httpd’ |
| $Proto | | The communication protocol involved, such as SMTP or FTP |
| $Reason | | |
| $RXLen | | The size/length of the received message |
| $ScrPort | | The port number which was targeted on the host machine |
| $Server | | |
| $Severity | | The severity/importance of the identified threat event. Note: the higher the number, the higher the severity |
| $SiteClass | | |
| $SrcCN | | The country from which the event was triggered |
| $SrcIP | | The source IP address of the event |
| $SrcPort | | The port number from which the host appears to be targeted, for example 80 (HTTP) or 22 (SSH) |
| $SrcTranIP | | |
| $SrcTranPort | | |
| $SrcTranZone | | |
| $SrcUser | | Name of the user using the application at the source address |
| $SrcZone | | |
| $Status | NEF, NLF, PAD, PER | States whether the current event was parsed as desired or not |
| $SubSystem | FIREWALL, AUTHENTICATION, VIRUS, SYSTEM, ADMINISTRATION, ANTIVIRUS, THREAT, WEBFILTER | The name of the process or service which encountered malicious activity during its operation. Note: this field is not for service or daemon names such as SQL Server or Web Server; those belong in the ‘Daemon’ field |
| $SystemName | | Name of the system/host machine |
| $SystemTstamp | | The system time at which the event was generated |
| $TargetUser | | Name of the user who was being targeted |
| $TLen | | |
| $TotalSession | | |
| $TunnelIP | | |
| $TXLen | | The length or size of the transmitted message |
| $TXTime | | The time taken by the message to travel from the source to the destination device |
| $URL | | The URL (Uniform Resource Locator) or web address which was being accessed |
| $User | | Name of the user using the application |
| $UserAgent | | |
| $ActionTaken | | Action taken by the reporting device |
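The following is an added example, not DNIF's own parser or code from the page, showing how a raw firewall line can be normalised into the field names above and then sanity-checked before it is used for detection. The key=value log format, the device keys (`src`, `dpt`, `policy`, ...), the sample lines and the key-to-field mapping are all constructed assumptions for illustration; only `deny`/`drop` are mapped to the model's `PACK_BLKD` value, while any other device verdict is kept in `$DevAction` rather than guessed into an `$Action` value the table does not list.

```python
import ipaddress
import re

# Constructed sample lines (not from any real device); a generic
# "<timestamp> <host> key=value ..." firewall syslog style is assumed.
SAMPLE_LOGS = [
    "2024-05-01T10:15:30Z fw01 action=deny src=192.0.2.10 spt=51234 "
    "dst=198.51.100.5 dpt=22 proto=TCP srczone=LAN dstzone=WAN "
    "policy=Block-SSH user=alice",
    "2024-05-01T10:15:31Z fw01 action=allow src=192.0.2.11 spt=44000 "
    "dst=203.0.113.7 dpt=443 proto=TCP srczone=LAN dstzone=WAN "
    "policy=Allow-Web",
    "garbage line without fields",
]

# Assumed mapping from the constructed device keys to DNIF field names.
KEY_MAP = {
    "src": "$SrcIP",
    "spt": "$SrcPort",
    "dst": "$DstIP",
    "dpt": "$DstPort",
    "proto": "$Proto",
    "srczone": "$SrcZone",
    "dstzone": "$DstZone",
    "policy": "$PolicyName",
    "user": "$SrcUser",
}
PORT_FIELDS = ("$SrcPort", "$DstPort")
# Device verdicts treated as a blocked packet; everything else stays raw.
BLOCK_WORDS = {"deny", "drop"}

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall_line(line):
    """Normalise one constructed key=value line into DNIF fields.

    Returns None when the line carries no recognisable key=value pairs.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    pairs = dict(KV_RE.findall(m.group("rest")))
    if not pairs:
        return None
    event = {
        "$SystemName": m.group("host"),
        "$SystemTstamp": m.group("ts"),
        "$SubSystem": "FIREWALL",
    }
    raw_action = pairs.pop("action", None)
    if raw_action is not None:
        event["$DevAction"] = raw_action          # device's own verdict word
        if raw_action.lower() in BLOCK_WORDS:
            event["$Action"] = "PACK_BLKD"       # model value from the table
    for key, value in pairs.items():
        field = KEY_MAP.get(key)
        if field is None:
            continue                              # unmapped key: skip, don't guess
        if field in PORT_FIELDS and value.isdigit():
            value = int(value)
        event[field] = value
    return event


def validate_event(event):
    """Return a list of problems with a normalised event (empty when clean)."""
    problems = []
    for field in ("$SrcIP", "$DstIP"):
        value = event.get(field)
        if value is None:
            problems.append(f"{field} missing")
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{field} is not an IP address: {value!r}")
    for field in PORT_FIELDS:
        value = event.get(field)
        if value is not None and not (isinstance(value, int) and 0 < value < 65536):
            problems.append(f"{field} out of range: {value!r}")
    return problems


def normalise_all(lines):
    """Normalise every parseable line; unparseable lines are dropped."""
    events = [parse_firewall_line(line) for line in lines]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in normalise_all(SAMPLE_LOGS):
        print(event, validate_event(event) or "ok")
```

Validation is kept separate from parsing so that a malformed record (an IP that is not an IP, a port outside 1-65535) is reported rather than silently passed downstream, which is where a rule keyed on `$DstIP` or `$DstPort` would otherwise fail without notice.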