SWITCH
The “SWITCH” data model below covers the most commonly used switches and their log formats. Read more about how to use the DNIF Data Model in the DNIF Data Model documentation.
$Fields | Possible Values | Description |
---|---|---|
$EventID | | A unique identifier for the event, generated by the reporting switch |
$SubSystem | AUTHENTICATION, SWITCH, FIREWALL, ADMINISTRATION | The functional area of the switch that reported the event. Note - This field is not for service or daemon names such as SQL Server or Web Server; those belong in the $Daemon field. |
$Daemon | | Name of the process or service on the switch that produced the event |
$Iface | | Name of the network interface involved in the event |
$Severity | NOTIFICATION | The severity/importance of the event. Note - Where severity is reported as a number, a higher number means higher severity. |
$SystemTstamp | | The system time at which the event was generated |
$Proto | | The communication protocol involved, such as SMTP or FTP |
$LogLevel | INFORMATION, WARNING | The priority (log level) of the event |
$PID | | Identifier of the process, unique within the system, that generated the event |
$App | | Name of the application that triggered the event |
$SrcPort | | The source port of the connection, i.e. the port on $SrcIP from which the traffic originated |
$AuthProtocol | SSH | The protocol used for authentication |
$Status | PASSED, FAILED, ALLOWED | The outcome of the reported action, for example whether a LOGIN PASSED or FAILED, or whether traffic was ALLOWED |
$Action | LOGIN, LOGOUT, TERM_LOGIN, PORT_BLKD … | Action taken or observed by the reporting switch |
$DstIP | | The IP address that was targeted (the destination of the connection) |
$SystemName | | Name of the system/host machine (the switch) that reported the event |
$User | | Name of the user performing the action |
$SrcIP | | The source IP address of the event |
$Message | | The free-text message from the log line summarising the reported activity |
$DstPort | | The port number targeted on the destination host. For example, 80 (HTTP) or 22 (SSH) |
$Port | | The switch port involved in the event |
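As an added example, not part of the DNIF documentation or the DNIF product, the following Python normaliser maps constructed switch syslog lines onto the field names of the SWITCH data model above and then runs a simple brute-force check over the normalised events. The sample lines, the bracketed key names inside the messages, the mnemonic-to-$Action table and the syslog-severity labels other than NOTIFICATION are assumptions made for this example and do not describe any specific vendor's format.

```python
import re
from collections import Counter

# Constructed sample switch syslog lines (not captured from a real device).
# The "%FACILITY-SEVERITY-MNEMONIC: text" message shape and the bracketed
# key/value pairs are assumptions for this example.
SAMPLE_LOGS = [
    "<189>Jun 12 10:01:02 core-sw01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] via SSH",
    "<190>Jun 12 10:01:30 core-sw01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] via SSH",
    "<190>Jun 12 10:01:33 core-sw01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] via SSH",
    "<190>Jun 12 10:01:36 core-sw01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] via SSH",
    "<189>Jun 12 10:02:00 core-sw01 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
]

HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
KV = re.compile(r"\[(?P<k>\w+): (?P<v>[^\]]+)\]")
IFACE = re.compile(r"\b(?:Gi|Fa|Te|Eth)\d+(?:/\d+)*")
AUTH_VIA = re.compile(r"\bvia (?P<proto>[A-Za-z]+)\b")

# Assumed mapping of the message mnemonic to ($SubSystem, $Action, $Status);
# the values are taken from the data model's "Possible Values" column.
MNEMONIC_MAP = {
    "LOGIN_SUCCESS": ("AUTHENTICATION", "LOGIN", "PASSED"),
    "LOGIN_FAILED": ("AUTHENTICATION", "LOGIN", "FAILED"),
    "ERR_DISABLE": ("SWITCH", "PORT_BLKD", None),
}

# Standard syslog severity numbers to $Severity labels. NOTIFICATION is the
# value listed in the model; the other labels are assumptions for the example.
SEVERITY = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
            4: "WARNING", 5: "NOTIFICATION", 6: "INFORMATION", 7: "DEBUG"}


def normalize(line):
    """Map one raw syslog line onto the SWITCH data model field names.

    Returns None for lines that do not match the expected header, so a caller
    can count unparsed lines instead of silently dropping them.
    """
    m = HEADER.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    kv = {k.lower(): v for k, v in KV.findall(m["msg"])}
    subsystem, action, status = MNEMONIC_MAP.get(m["mnemonic"], ("SWITCH", None, None))
    event = {
        "$EventID": m["mnemonic"],
        "$SubSystem": subsystem,
        "$Daemon": m["facility"],
        "$SystemName": m["host"],
        "$SystemTstamp": m["ts"],          # a real pipeline would convert this to epoch time
        "$LogLevel": "WARNING" if sev <= 4 else "INFORMATION",
        "$Severity": SEVERITY.get(sev, "NOTIFICATION"),
        "$Message": m["msg"],
        "$Action": action,
        "$Status": status,
        "$User": kv.get("user"),
        "$SrcIP": kv.get("source"),
        "$DstPort": int(kv["localport"]) if "localport" in kv else None,
    }
    if subsystem == "AUTHENTICATION":
        via = AUTH_VIA.search(m["msg"])
        event["$AuthProtocol"] = via["proto"].upper() if via else None
    iface = IFACE.search(m["msg"])
    if iface:
        event["$Iface"] = iface.group(0)
    # Fields the line did not populate are omitted rather than set to None.
    return {k: v for k, v in event.items() if v is not None}


def failed_login_sources(events, threshold=3):
    """Return {$SrcIP: count} for sources with at least `threshold` FAILED LOGIN events."""
    counts = Counter(
        e["$SrcIP"] for e in events
        if e.get("$Action") == "LOGIN" and e.get("$Status") == "FAILED" and "$SrcIP" in e
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = [normalize(line) for line in SAMPLE_LOGS]
    events = [e for e in parsed if e is not None]
    print(f"parsed {len(events)} of {len(parsed)} lines")
    for e in events:
        print(e)
    print("brute-force candidates:", failed_login_sources(events))
```

The normaliser only fills the fields a line actually carries, which is the behaviour a downstream query should expect: a `PORT_BLKD` event has `$Iface` but no `$User` or `$SrcIP`, so detection logic must use `.get()` rather than assume every model field is present.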