UTM


The “UTM” data model below aligns with the most commonly used UTM (Unified Threat Management) devices and their log formats. Each field name carries the `$` prefix used by the DNIF Data Model; fields with a fixed set of Possible Values are enumerations, and the rest are free-form. Read more about how to use the DNIF Data Model.

| Field | Possible Values | Description |
|---|---|---|
| $Category | Attacks, System Maintenance … | The category of the firewall event, for example ‘Attacks’ or ‘System Maintenance’. |
| $Proto | | The communication protocol involved, such as SMTP or FTP. |
| $PID | | Identifier of the process running on the system that generated or is referenced by the event. |
| $BaseURL | | The primary domain (host name) that was accessed, for example ‘www.google.com’. |
| $RXLen | | The length of the received message in bytes. |
| $Priority | | The level of urgency with which the device raised the event. |
| $SystemName | | Name of the system or host machine that reported the event. |
| $SID | | The IPS / anti-spyware signature ID that matched. |
| $Status | PASSED, FAILED | Whether the event was parsed into the data model as expected. |
| $TXLen | | The length of the transmitted message in bytes. |
| $LogLevel | ERROR, INFO … | The severity level of the event as reported by the device. |
| $SrcPort | | The port number on the source host from which the traffic originated, for example 80 (HTTP) or 22 (SSH). |
| $User | | Name of the user associated with the event, such as the application user or the user involved in a malware event. |
| $AtkMsg | | The name of the malware infection detected on the client (destination device), such as Trojan.FakeAV, Spyware.Keylogger, or W32.sillfdc. |
| $SrcIP | | The source IP address of the event. |
| $SubSystem | AUTHENTICATION, FIREWALL, ADMINISTRATION | The functional subsystem of the device that encountered the activity. Note: this field is not for service or daemon names such as SQL Server or Web Server; those belong in the $Daemon field. |
| $Daemon | | Name of the service or daemon (for example SQL Server or Web Server) involved in the event. |
| $SystemTstamp | | The system time at which the event was generated. |
| $EventCount | | The number of events represented by this record, for devices that aggregate repeated events into a single log line. |
| $URL | | The URL (Uniform Resource Locator) or web address that was being accessed. |
| $Action | LOGN_FAIL_SYS_CREDS, LOGOUT, PACK_BLKD … | The action taken by the reporting device. |
| $EventID | | A unique identifier assigned to the event by the application or device. |
| $Domain | | The primary domain that was accessed. |
| $DstIP | | The destination IP address that was targeted. |
| $App | | Name of the application that triggered the event. |
| $Message | | A summary of the activity performed by the malware or application. |
| $DstPort | | The port number targeted on the destination host. |
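The table above is a schema, not a parser. The following is an added example (not DNIF's own parser or connector code) showing how raw UTM log lines would be normalised into these `$`-prefixed fields, including the two rules a practitioner cares about: enumerated fields such as `$SubSystem` are validated against their Possible Values (a daemon name such as `sshd` is redirected into `$Daemon`, as the note on `$SubSystem` requires), and `$Status` is set to `PASSED` only when the required fields parse cleanly, otherwise `FAILED`. The key=value log format, the `KEY_MAP` from vendor keys to model fields, the `REQUIRED` set, and the sample lines are all assumptions constructed for this example.

```python
"""Normalise constructed UTM key=value log lines into the DNIF-style $-field set.

Added example, not DNIF code: the input format, the KEY_MAP and REQUIRED
sets below are assumptions for illustration.
"""
import re
from datetime import datetime, timezone

# Enumerations taken from the "Possible Values" column of the data model.
SUBSYSTEMS = {"AUTHENTICATION", "FIREWALL", "ADMINISTRATION"}

# Assumed mapping from the vendor's keys (constructed) to data-model fields.
KEY_MAP = {
    "srcip": "$SrcIP", "dstip": "$DstIP", "srcport": "$SrcPort", "dstport": "$DstPort",
    "proto": "$Proto", "action": "$Action", "sid": "$SID", "attack": "$AtkMsg",
    "user": "$User", "app": "$App", "url": "$URL", "host": "$SystemName",
    "subsys": "$SubSystem", "daemon": "$Daemon", "msg": "$Message",
    "eventid": "$EventID", "category": "$Category", "level": "$LogLevel",
    "count": "$EventCount", "rxbytes": "$RXLen", "txbytes": "$TXLen", "pid": "$PID",
}
INT_FIELDS = {"$SrcPort", "$DstPort", "$EventCount", "$RXLen", "$TXLen", "$PID"}
# Fields an event must carry to be considered parsed "as desired" (assumption).
REQUIRED = {"$SystemTstamp", "$Action", "$SrcIP", "$DstIP"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")    # IPv4 only, enough for the samples

# Constructed sample lines (not from any real vendor); RFC 5737 documentation addresses.
SAMPLE_LINES = [
    '2024-05-01T10:15:30Z host=utm-01 category=Attacks level=ERROR subsys=FIREWALL '
    'action=PACK_BLKD proto=TCP srcip=203.0.113.7 srcport=51234 dstip=192.0.2.10 '
    'dstport=22 sid=1001 attack="Trojan.FakeAV" user=alice msg="IPS signature matched" '
    'count=3 eventid=0x1F',
    '2024-05-01T10:16:02Z host=utm-01 level=INFO subsys=sshd action=LOGN_FAIL_SYS_CREDS '
    'srcip=198.51.100.5 dstip=192.0.2.10 dstport=22 user=bob msg="Invalid password"',
    '2024-05-01T10:17:00Z host=utm-01 action=LOGOUT user=bob srcport=abc',
]


def parse_utm_line(line):
    """Return a dict of $-fields for one log line.

    $Status is PASSED when every REQUIRED field is present and all typed /
    enumerated values are valid, otherwise FAILED. "_errors" holds the reasons
    and is diagnostic only (not a data-model field).
    """
    event, errors = {}, []
    head, _, body = line.strip().partition(" ")
    try:  # leading ISO-8601 UTC timestamp -> $SystemTstamp as epoch seconds
        ts = datetime.strptime(head, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event["$SystemTstamp"] = int(ts.timestamp())
    except ValueError:
        errors.append(f"bad timestamp {head!r}")
        body = line.strip()  # no timestamp: treat the whole line as key=value pairs

    for key, quoted, bare in KV_RE.findall(body):
        field = KEY_MAP.get(key.lower())
        if field is None:
            continue  # unknown vendor key: ignored rather than failing the event
        value = quoted if quoted else bare
        if field in INT_FIELDS:
            if not value.isdigit():
                errors.append(f"{field}: {value!r} is not an integer")
                continue
            value = int(value)
        elif field in ("$SrcIP", "$DstIP"):
            if not IP_RE.match(value):
                errors.append(f"{field}: {value!r} is not an IPv4 address")
                continue
        elif field in ("$Action", "$LogLevel"):
            value = value.upper()
        elif field == "$SubSystem":
            if value.upper() not in SUBSYSTEMS:
                # Per the data model, service/daemon names belong in $Daemon.
                event.setdefault("$Daemon", value)
                continue
            value = value.upper()
        event[field] = value

    missing = REQUIRED - event.keys()
    if missing:
        errors.append("missing required fields: " + ", ".join(sorted(missing)))
    event["$Status"] = "FAILED" if errors else "PASSED"
    event["_errors"] = errors
    return event


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_utm_line(raw)
        print(ev["$Status"], {k: v for k, v in ev.items() if k != "_errors"})
```

The third sample line shows the failure mode: a non-numeric `srcport` and the absence of `$SrcIP`/`$DstIP` both push the record to `$Status = FAILED`, so downstream rules can route unparsed events to a review queue instead of silently matching on empty fields.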