The “WAF” data model provided below aligns with the most commonly used WAF and their log formats. Read more about how to use the DNIF Data Model

$Fields Possible Values Description
$UserName   A sequence of string literals which uniquely identifies a user
$Proto   The communication protocol involved , such as SMTP or FTP
$BaseURL   The URL ( Uniform Resource Locator ) or web address which was being accessed
$RXLen   The size / length of the received message
$SystemName   Name of the system/host machine
$Status   This field states whether the current event has been parsed as desired or not
$SrcPort   The port number, from which the host seems to be targeted . For example, 80 ( HTTP ) or 22 ( SSH )
$AtkMsg   The name of the malware infection detected on the client (destination device), such as Trojan.FakeAV, Spyware.Keylogger, and W32.sillfdc.
$User   Name of the user using the application
$SrcIP   The source IP Address of the event
$RXTime   The total time duration for the packets to be received by the device for a request
$SubSystem APPFILTER, AUTHENTICATION, ADMINISTRATION The name of the process or service which encountered a malicious activity during its operation. Note - This field is not appropriate for service or daemon names, such as SQL Server or Web Server. Service or daemon names belong to the ‘Daemon’ field .
$SystemTstamp   The system time during which the event was generated
$URL   The URL ( Uniform Resource Locator ) or web address which was being accessed
$Action URL_BLKD,CONFIG_CHNGD, URL_ALLWD … Action taken by the reporting device
$EventID   A unique identifier for the event generated from WAF
$Domain   The primary domain which was accessed
$DstIP   The IP Address which is targeted
$AtkClass   It signifies the type or classification of the web attack detected
$HttpMethod   The HTTP Method used during the HTTP Request
$Message   A summary of the activity performed by the malware or applications
$DstPort   The port number which is targeted on the host machine