Integrations
Nile SIEM Event Schema

7min
Introduction
Security Information and Event Management (SIEM) schema defines the structure of the data used in SIEM systems. Below is a detailed overview of the SIEM schema based on various event types:
Example of a Complete Payload: 
JSON
{
    "time": 1739963820.000000,
    "sourcetype": "_json",
    "event": {
        "topic": "audit",
        "action": "Create",
        "additionalDetails": {
            "newValue": {
                "email": "[email protected]",
                "firstName": "CloudSre",
                "groupIds": [
                    "Administrator"
                ],
                "lastName": "no-lastname"
            }
        },
        "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.128 Safari/537.36",
        "auditDescription": "Created User 'CloudSre no-lastname'",
        "entity": "User",
        "errorMessage": null,
        "id": "fa853e0a-fe19-4661-9ec9-ec8cf5d29c9a",
        "sourceIP": "103.159.10.27",
        "time": 1721224802000,
        "user": "[email protected]"
    }
}
{
    "time": 1739963820.000000,
    "sourcetype": "_json",
    "event": {
        "topic": "audit",
        "action": "Create",
        "additionalDetails": {
            "newValue": {
                "email": "rohitnile26@gmail.com",
                "firstName": "CloudSre",
                "groupIds": [
                    "Administrator"
                ],
                "lastName": "no-lastname"
            }
        },
        "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.128 Safari/537.36",
        "auditDescription": "Created User 'CloudSre no-lastname'",
        "entity": "User",
        "errorMessage": null,
        "id": "fa853e0a-fe19-4661-9ec9-ec8cf5d29c9a",
        "sourceIP": "103.159.10.27",
        "time": 1721224802000,
        "user": "cl.hit.test@gmail.com"
    }
}
﻿
time: Epoch time of the event.
sourcetype: Indicates the payload format, which is always JSON.
event: Actual SIEM Event
event.topic: Type of event. Supported values:
"audit"
"UserDeviceEvents"
"Alerts"
Payload Details for Different Event Types 
Audit Events
Example of Audit Event Payload (event.topic=="audit") : 
JSON
{
  "topic":"audit",
  "id": "fa853e0a-fe19-4661-9ec9-ec8cf5d29c9a",
  "action": "Create",
  "entity": "User",
  "additionalDetails": {
    "newValue": {
      "email": "[email protected]",
      "firstName": "CloudSre",
      "groupIds": [
        "Administrator"
      ],
      "lastName": "no-lastname"
    }
  },
  "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.128 Safari/537.36",
  "auditDescription": "Created User 'CloudSre no-lastname'",
  "errorMessage": null,
  "sourceIP": "103.159.10.27",
  "time": 1721224802000,
  "user": "[email protected]"
}
{
  "topic":"audit",
  "id": "fa853e0a-fe19-4661-9ec9-ec8cf5d29c9a",
  "action": "Create",
  "entity": "User",
  "additionalDetails": {
    "newValue": {
      "email": "rohitnile26@gmail.com",
      "firstName": "CloudSre",
      "groupIds": [
        "Administrator"
      ],
      "lastName": "no-lastname"
    }
  },
  "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.128 Safari/537.36",
  "auditDescription": "Created User 'CloudSre no-lastname'",
  "errorMessage": null,
  "sourceIP": "103.159.10.27",
  "time": 1721224802000,
  "user": "cl.hit.test@gmail.com"
}
﻿
id: A UUID representing the event.
action: Indicates the type of action performed, such as “Create,” “Update,” “Test,” “Login,” “Logout,” etc.
entity: Specifies the type of entity where the action was performed, such as “User,” “Segment,” “DHCP,” “RADIUS,” “MAB,” etc.
additionalDetails: Contains information about the change. It includes two fields: “newValue” and “oldValue.” For an update event, both values are populated; for a create event, only the new value is provided. The content of these fields depends on the entity type. Sensitive information like passwords or keys is excluded.
agent: The user-agent part of the HTTP request.
auditDescription: A human-readable description of the event.
errorMessage: If the operation fails, this contains a descriptive error message; otherwise, it is null.
sourceIP: The IP address from which the action was performed.
time: The timestamp of the event, represented in epoch milliseconds.
user: The user who performed the action.
End User Events  
Example of End User Event Payload (event.topic=="UserDeviceEvents") :
JSON
{
    "topic": "UserDeviceEvents",
    "macAddress": "62:e2:aa:1c:99:06",
    "ssid": "dont-delete-ssid-cp",
    "bssid": "26:15:10:22:12:4a",
    "clientEventDescription": "DHCP Renew Request Success",
    "clientEventSeverity": "INFO",
    "clientEventSuppressionStatus": "CLIENT_EVENT_TO_SUPPRESS",
    "timestamp": "1721230876198",
    "additionalDetails": "{\"server_ip\":\"10.132.14.2\",\"sourceSerialNum\":\"A00A00064588\",\"ip_address\":\"10.151.100.148\"}"
}
{
    "topic": "UserDeviceEvents",
    "macAddress": "62:e2:aa:1c:99:06",
    "ssid": "dont-delete-ssid-cp",
    "bssid": "26:15:10:22:12:4a",
    "clientEventDescription": "DHCP Renew Request Success",
    "clientEventSeverity": "INFO",
    "clientEventSuppressionStatus": "CLIENT_EVENT_TO_SUPPRESS",
    "timestamp": "1721230876198",
    "additionalDetails": "{\"server_ip\":\"10.132.14.2\",\"sourceSerialNum\":\"A00A00064588\",\"ip_address\":\"10.151.100.148\"}"
}
﻿
macAddress: MAC address of the end-user device.
ssid: SSID name.
For wireless clients, ssid represents the actual SSID to which the client is connected.
Example: "ssid": "Nile"
For wired clients, the port details are included in the ssid in the format rtP_X_Y.
Example: "ssid": "rt1_0_19"
bssid: BSSID of the SSID.
For wireless clients, it represents the BSSID to which the client is connected.
Example: "bssid": "26:15:10:2b:01:c2"
For wired clients, it represents the switch MAC address.
Example: "bssid": "24:15:10:20:c9:12"
clientEventDescription: Describes various client events related to:
Authentication events for wireless (Enterprise, PSK, UPSK, Open, SSO, Captive Portal, Guest, etc.) and wired clients (MAB, Radius Mac Auth, Dot1x).
Examples: Authorized event, Disassociation event, Authentication failed event.
DHCP and DNS success and failure events for wireless and wired clients.
RADIUS errors, including configuration errors, timeouts, null negotiation segments, etc., for wireless and wired clients.
Client sticky errors and successes.
Static IP, IP conflict errors, and success events (functionality yet to be enabled in production).
SSO and Guest transition events.
Credential-related events.
Example: "clientEventDescription": "DHCP Renew Request Success"
clientEventSeverity: Severity of the event.
Possible values:
INFO: Indicates success or informational events.
CRITICAL: Indicates failure scenarios.
clientEventSuppressionStatus: Status indicating event handling.
Possible values:
CLIENT_EVENT_TO_SUPPRESS: For events that do not change the client's health status.
CLIENT_EVENT_TO_PROCESS: For events that change the client's health status.
timestamp: The timestamp of the event represented in epoch milliseconds.
additionalDetails: A JSON string containing formatted additional information, which can be NULL. It may include server IP and serial numbers for DHCP, DNS servers, etc. In some events, it may also contain the client's IP address.
Example: "additionalDetails": "{\"server_ip\":\"10.4.5.1\",\"sourceSerialNum\":\"A00A00076253\",\"ip_address\":\"10.4.5.38\"}"
Alerts 
Example of Alerts Payload (event.topic=="Alerts") :
JSON
{
    "topic": "Alerts",
    "id": "c69f4fb2-955c-4951-8263-61ef6973e859",
    "alertStatus": "Created",
    "alertSubject": "New Nile Alert [Coverage]",
    "alertSummary": "Poor WiFi coverage detected.",
    "impact": "WiFi Network connectivity may be impacted.",
    "customer": "BLR_R2I_HW-CL-HIT-HW",
    "site": "BLR-R2I-HW-CL-HIT",
    "building": "BLR-Indicube-CL-HIT",
    "floor": "Cloud-Area-CL-HIT",
    "duration": "13 minutes",
    "startTime": "Jul 17, 2024 07:30:00 PM IST"
}
{
    "topic": "Alerts",
    "id": "c69f4fb2-955c-4951-8263-61ef6973e859",
    "alertStatus": "Created",
    "alertSubject": "New Nile Alert [Coverage]",
    "alertSummary": "Poor WiFi coverage detected.",
    "impact": "WiFi Network connectivity may be impacted.",
    "customer": "BLR_R2I_HW-CL-HIT-HW",
    "site": "BLR-R2I-HW-CL-HIT",
    "building": "BLR-Indicube-CL-HIT",
    "floor": "Cloud-Area-CL-HIT",
    "duration": "13 minutes",
    "startTime": "Jul 17, 2024 07:30:00 PM IST"
}
﻿
id: UUID of the alert. Events will be sent when an alert is created and resolved. This ID can be used to correlate the information.
alertStatus: Status of the alert. Valid values are "Created" and "Resolved".
alertSubject: Describes the alert.
alertSummary: Textual summary of the alert.
impact: Describes the impact of the alert.
customer: Customer name.
site / building / floor: Names of the site, building, and floor respectively.
duration: The duration of the alert, presented as descriptive text such as "10 minutes" or "1 hour 12 minutes" as seen in the Nile Portal.
startTime: The start time of the alert in the format "MMM dd, yyyy hh:mm a zzz".
﻿
Updated 28 Feb 2025
Did this page help you?
Splunk SIEM Integration Guide Nile
Infoblox NIOS Integration