The “SWITCH” data model provided below aligns with the most commonly used Switch and their log formats. Read more about how to use the DNIF Data Model

$Fields Possible Values Description
$EventID   A unique identifier for the event generated from the application
$SubSystem AUTHENTICATION, SWITCH, FIREWALL, ADMINISTRATION The name of the process or service which encountered a malicious activity during its operation. Note - This field is not appropriate for service or daemon names, such as SQL Server or Web Server. Service or daemon names belong to the ‘Daemon’ field.
$Daemon   Name of the process pertaining to different services on the application
$Iface   The name of the network interface present
$Severity NOTIFICATION The severity/importance of the identified threat event. Note - Higher the number, more the severity.
$SystemTstamp   The system time during which the event was generated
$Proto   The communication protocol involved , such as SMTP or FTP
$LogLevel INFORMATION, WARNING Signifies the priority of the event detected
$PID   A unique identifier pertaining to a process running within a system
$App   Name of the application which triggered the event
$SrcPort   The port number, from which the host seems to be targeted . For example, 80 ( HTTP ) or 22 ( SSH )
$AuthProtocol SSH The type of protocol used for authentication
$Status PASSED, FAILED, ALLOWED This field states whether the current eventhas been parsed as desired or not
$Action LOGIN, LOGOUT, TERM_LOGIN, PORT_BLKD … Action taken by the reporting device
$DstIP   The IP Address which is targeted
$SystemName   Name of the system/host machine
$User   Name of the user using the application
$SrcIP   The source IP Address of the event
$Message   A summary of the activity performed by the malware or applications
$DstPort   The port number which is targeted on the host machine
$Port   The port number of the Switch in use