Integrations

Nile SIEM Event Schema

7min

Introduction

Security Information and Event Management (SIEM) schema defines the structure of the data used in SIEM systems. Below is a detailed overview of the SIEM schema based on various event types:

Example of a Complete Payload:

JSON

  • time: Epoch time of the event.
  • sourcetype: Indicates the payload format, which is always JSON.
  • event: Actual SIEM Event
  • eventType: Type of event. Supported values:
    • "audit_trail"
    • "nile_alerts"
    • "end_user_device_events"
    • "test"

Payload Details for Different Event Types

Audit Events

Example of Audit Event Payload (eventType=="audit_trail") :

JSON

  • version: The version of the audit event schema.
  • id: A UUID representing the event.
  • action: Indicates the type of action performed, such as “Create,” “Update,” “Test,” “Login,” “Logout,” etc.
  • entity: Specifies the type of entity where the action was performed, such as “User,” “Segment,” “DHCP,” “RADIUS,” “MAB,” etc.
  • additionalDetails: Contains information about the change. It includes two fields: “newValue” and “oldValue.” For an update event, both values are populated; for a create event, only the new value is provided. The content of these fields depends on the entity type. Sensitive information like passwords or keys is excluded.
  • agent: The user-agent part of the HTTP request.
  • auditDescription: A human-readable description of the event.
  • errorMessage: If the operation fails, this contains a descriptive error message; otherwise, it is null.
  • sourceIP: The IP address from which the action was performed.
  • auditTime: The timestamp of the event in ISO-8601 format (yyyy-MM-dd'T'HH:mm:ssxxx).
  • user: The user who performed the action.

End User Events

Example of End User Event Payload (eventType=="end_user_device_events") :

JSON

  • macAddress: MAC address of the end-user device.
  • ssid: SSID name.
    • For wireless clients, ssid represents the actual SSID to which the client is connected.
      • Example: "ssid": "Nile"
    • For wired clients, the port details are included in the ssid in the format rtP_X_Y.
      • Example: "ssid": "rt1_0_19"
  • bssid: BSSID of the SSID.
    • For wireless clients, it represents the BSSID to which the client is connected.
      • Example: "bssid": "26:15:10:2b:01:c2"
    • For wired clients, it represents the switch MAC address.
      • Example: "bssid": "24:15:10:20:c9:12"
  • clientEventDescription: Describes various client events related to:
    • Authentication events for wireless (Enterprise, PSK, UPSK, Open, SSO, Captive Portal, Guest, etc.) and wired clients (MAB, Radius Mac Auth, Dot1x).
      • Examples: Authorized event, Disassociation event, Authentication failed event.
    • DHCP and DNS success and failure events for wireless and wired clients.
    • RADIUS errors, including configuration errors, timeouts, null negotiation segments, etc., for wireless and wired clients.
    • Client sticky errors and successes.
    • Static IP, IP conflict errors, and success events (functionality yet to be enabled in production).
    • SSO and Guest transition events.
    • Credential-related events.
      • Example: "clientEventDescription": "DHCP Renew Request Success"
  • clientEventSeverity: Severity of the event.
    • Possible values:
      • INFO: Indicates success or informational events.
      • CRITICAL: Indicates failure scenarios.
  • clientEventSuppressionStatus: Status indicating event handling.
    • Possible values:
      • CLIENT_EVENT_TO_SUPPRESS: For events that do not change the client's health status.
      • CLIENT_EVENT_TO_PROCESS: For events that change the client's health status.
  • timestamp: The timestamp of the event represented in epoch milliseconds.
  • additionalDetails: A JSON string containing formatted additional information, which can be NULL. It may include server IP and serial numbers for DHCP, DNS servers, etc. In some events, it may also contain the client's IP address.
    • Example: "additionalDetails": "{\"server_ip\":\"10.4.5.1\",\"sourceSerialNum\":\"A00A00076253\",\"ip_address\":\"10.4.5.38\"}"

Alerts

Example of Alerts Payload (eventType=="nile_alerts") :

JSON

  • version: The version of the alert event schema.
  • id: UUID of the alert. Events will be sent when an alert is created and resolved. This ID can be used to correlate the information.
  • alertSubscriptionCategory: These are the Nile Alerts categories, for example:
    • "Nile Service Alerts"
    • "Infrastructure Alerts"
    • "Application Alerts"
    • "Security Alerts"
  • alertType: This indicates the type of alerts, for example:
    • “AQI”
    • "High Temperature"
    • "Link"
    • "PoE"
  • alertStatus: Status of the alert. Valid values are "Created" and "Resolved".
  • alertSubject: Describes the alert.
  • alertSummary: Textual summary of the alert.
  • impact: Describes the impact of the alert.
  • customer: Customer name.
  • site / building / floor: Names of the site, building, and floor respectively.
  • duration: The duration of the alert, presented as descriptive text such as "10 minutes" or "1 hour 12 minutes" as seen in the Nile Portal.
  • startTime: The start time of the alert in ISO-8601 format (yyyy-MM-dd'T'HH:mm:ssxxx).

NOTE : This same schema is used for Alerts over Webhook Integration.

Updated 09 Apr 2025
Doc contributor
Did this page help you?
PREVIOUS
Splunk SIEM
NEXT
Infoblox NIOS
Docs powered by Archbee