Nile SIEM Event Schema

Version 1 - SIEM Event Schema

This document represents version 1 of the Nile SIEM event schema, which outlines the initial structure, format, and supported event types for integrating with Security Information and Event Management (SIEM) systems. As the foundational release, version 1 serves as the baseline specification for how Nile emits and organizes security-related event data, ensuring compatibility with industry-standard SIEM platforms and setting the stage for future enhancements and expanded event coverage.

Audit event schema v1

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "action": {
      "type": "string",
      "description": "Action that's performed on the entity, for example 'login', 'logout', 'approved', 'update', 'delete', 'create'."
    },
    "additionaldetails": {
      "type": "object",
      "description": "JSON representation of the actual changes. It has two fields, 'newvalue' and 'oldvalue'. The oldvalue field captures the data before the change and newvalue captures the current data. If the action is create, then only newvalue will be populated. If the action is delete, then only the old value will be populated. If the action is update, then both oldvalue and newvalue will be populated. The actual JSON payload of the oldvalue and newvalue changes based on the type of entity that was modified."
    },
    "agent": {
      "type": "string",
      "description": "User agent."
    },
    "auditdescription": {
      "type": "string",
      "description": "Short description which explains the audit entry."
    },
    "audittime": {
      "type": "string",
      "description": "The start time of the alert in ISO 8601 format: yyyy-MM-dd'T'HH:mm:ssXXX.",
      "format": "date-time"
    },
    "entity": {
      "type": "string",
      "description": "Entity on which the specific action is performed. Examples: segments, 'user', 'policyrule', 'ssid', 'mab', 'dhcp', 'radius'."
    },
    "errormessage": {
      "type": "string",
      "description": "Error message, if any. If the action failed, then the error message explains the reason."
    },
    "id": {
      "type": "string",
      "description": "Unique ID representing the event, for example 'eaafcd8a-0174-4deb-b051-9be04d09b874'.",
      "format": "uuid"
    },
    "sourceip": {
      "type": "string",
      "description": "Source IP address from where the specific action was performed."
    },
    "user": {
      "type": "string",
      "description": "User who performed the audit action."
    },
    "version": {
      "type": "string",
      "description": "The version of the audit event schema.",
      "pattern": "1.0"
    }
  },
  "required": [
    "auditdescription",
    "audittime",
    "id",
    "sourceip",
    "user",
    "version"
  ]
}

Alert event schema v1

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "additionalinformation": {
      "type": "string",
      "description": "Additional information about the alert. This is usually a hyperlink to the help documentation.",
      "format": "uri"
    },
    "alertstatus": {
      "type": "string",
      "description": "Status of the alert.",
      "pattern": "created|resolved"
    },
    "alertsubject": {
      "type": "string",
      "description": "Subject of the alert."
    },
    "alertsubscriptioncategory": {
      "type": "string",
      "description": "Alert subscription category."
    },
    "alertsummary": {
      "type": "string",
      "description": "Summary / short description of the alert."
    },
    "alerttype": {
      "type": "string",
      "description": "The type of the alert."
    },
    "building": {
      "type": "string",
      "description": "Building name where this alert has occurred. If the alert is at tenant or site level, then the value will be \"all\"."
    },
    "customer": {
      "type": "string",
      "description": "Customer name."
    },
    "duration": {
      "type": "string",
      "description": "User-friendly duration of the alert, for example 15 minutes, 1 hour or 5 days."
    },
    "floor": {
      "type": "string",
      "description": "Floor name where this alert has occurred. If the alert is at tenant, site or building level, then the value will be \"all\"."
    },
    "id": {
      "type": "string",
      "description": "Alert ID. When an alert changes its state, another notification with the same ID will be sent.",
      "format": "uuid"
    },
    "impact": {
      "type": "string",
      "description": "Impact of the alert."
    },
    "site": {
      "type": "string",
      "description": "Site name where this alert has occurred. If the alert is at tenant level, then the value will be \"all\"."
    },
    "starttime": {
      "type": "string",
      "description": "The start time of the alert in ISO 8601 format.",
      "format": "date-time"
    },
    "version": {
      "type": "string",
      "description": "The version of the alert schema.",
      "pattern": "1.0"
    }
  },
  "required": [
    "additionalinformation",
    "alertstatus",
    "alertsubject",
    "alertsubscriptioncategory",
    "alertsummary",
    "alerttype",
    "building",
    "customer",
    "duration",
    "floor",
    "id",
    "site",
    "starttime",
    "version"
  ]
}

End user event schema v1

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "clienteventadditionaldetails": {
      "type": "object",
      "description": "Additional information for the user device event, returned as a JSON object. This will contain the RADIUS server IP address for dot1x-authenticated clients and the serial number of the connected AP or switch."
    },
    "clienteventdescription": {
      "type": "string",
      "description": "Description of the user device event."
    },
    "clienteventseverity": {
      "type": "string",
      "description": "Severity of the user device event.",
      "pattern": "info|critical"
    },
    "clienteventtimestamp": {
      "type": "string",
      "description": "The start time of the alert in ISO 8601 format.",
      "format": "date-time"
    },
    "clientlastknownipaddress": {
      "type": "string",
      "description": "Last known IP address of the client. This will be the current IP for an online client and the last known IP for offline or error clients."
    },
    "clientmac": {
      "type": "string",
      "description": "MAC address of the client."
    },
    "clientusername": {
      "type": "string",
      "description": "Username of the client."
    },
    "connectedbssid": {
      "type": "string",
      "description": "BSSID details to which the wireless client is connected."
    },
    "connectedport": {
      "type": "string",
      "description": "Port details to which the wired client is connected, for example port 0/40."
    },
    "connectedssid": {
      "type": "string",
      "description": "SSID details to which the wireless client is connected."
    },
    "connectedswitch": {
      "type": "string",
      "description": "Switch serial number or MAC address details to which the wired client is connected."
    },
    "id": {
      "type": "string",
      "description": "User device event ID. This will be uniquely generated for every user device event.",
      "format": "uuid"
    },
    "version": {
      "type": "string",
      "description": "The version of the user device event schema.",
      "pattern": "1.0"
    }
  },
  "required": [
    "clienteventdescription",
    "clienteventseverity",
    "clienteventtimestamp",
    "clientmac",
    "id",
    "version"
  ]
}