Ubika Cloud Protector Next Generation Traffic Logs
Overview
Ubika Cloud Protector's Next Generation Traffic Logs feature gives organizations real-time visibility into every byte of network activity across their cloud environments. This detailed traffic intelligence empowers teams to optimize network operations and swiftly detect—and respond to—unusual behavior before it impacts their infrastructure.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: Ubika
- Supported environment: SaaS
- Detection based on: Telemetry
- Supported application or feature: Web application firewall logs
Configure
How to create refresh token
Warning
The device code is valid for 10 minutes only.
Using curl:
- Log in to the Ubika console
- Execute the following command to get the device code:
  curl https://login.ubika.io/auth/realms/main/protocol/openid-connect/auth/device -d "client_id=rest-api" -d "grant_type=device" -d "scope=offline_access"
- Copy the user code provided in the response and paste it on the Ubika authentication page
- Copy the device code provided in the curl response
- Execute the following command to get the refresh token, replacing <device_code> with the value you copied:
  curl https://login.ubika.io/auth/realms/main/protocol/openid-connect/token -d "client_id=rest-api" -d "grant_type=urn:ietf:params:oauth:grant-type:device_code" -d "device_code=<device_code>"
- Copy the refresh token
Using the Python script:
- Log in to the Ubika console
- Save the script as get_token.py
- Create a virtual environment and execute the script:
  python3 -m venv /tmp/venv
  /tmp/venv/bin/pip install requests
  /tmp/venv/bin/python3 get_token.py
- Copy the refresh token
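The two curl calls above are the two legs of the OAuth 2.0 device-authorization grant (RFC 8628): the first issues a device code and a user code, the second is polled until the user has approved the device. The following script is an added example, not Ubika's or Sekoia.io's get_token.py, that automates the polling step and stores the resulting refresh token with owner-only permissions. It assumes the server follows RFC 8628 (JSON bodies, `authorization_pending` and `slow_down` error codes while approval is pending); the URLs and `client_id` are the ones shown in the procedure.

```python
"""Added example (not Ubika's or Sekoia.io's get_token.py): drives the OAuth 2.0
device-authorization flow that the curl steps above perform by hand, polling
the token endpoint until the user has approved the device, then storing the
refresh token with owner-only permissions. Assumed: the server follows
RFC 8628 (JSON bodies, 'authorization_pending' / 'slow_down' error codes);
the URLs and client_id are the ones shown in the procedure."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_URL = "https://login.ubika.io/auth/realms/main/protocol/openid-connect/auth/device"
TOKEN_URL = "https://login.ubika.io/auth/realms/main/protocol/openid-connect/token"
CLIENT_ID = "rest-api"


def http_post_form(url, fields):
    """POST a form body and return the decoded JSON response. While the user has
    not yet approved the device, the token endpoint answers 4xx with a JSON
    'error' field (RFC 8628 section 3.5), so those bodies are decoded, not raised."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def request_device_code(post=http_post_form):
    """Step 1: obtain device_code, user_code and the verification URI."""
    return post(DEVICE_URL, {"client_id": CLIENT_ID, "grant_type": "device",
                             "scope": "offline_access"})


def poll_for_refresh_token(device_code, interval=5, expires_in=600,
                           post=http_post_form, sleep=time.sleep):
    """Step 2: exchange the device code for a refresh token once approved.
    Waits `interval` seconds between attempts, adds 5 s on 'slow_down' as the RFC
    requires, and raises TimeoutError when the device code's lifetime
    (`expires_in`, 600 s on this page) has elapsed without approval."""
    fields = {"client_id": CLIENT_ID,
              "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
              "device_code": device_code}
    waited = 0
    while waited < expires_in:
        body = post(TOKEN_URL, fields)
        if "refresh_token" in body:
            return body["refresh_token"]
        error = body.get("error")
        if error == "slow_down":
            interval += 5
        elif error != "authorization_pending":
            # expired_token, access_denied or anything unexpected: stop polling
            raise RuntimeError(f"device flow failed: {error or body}")
        sleep(interval)
        waited += interval
    raise TimeoutError("device code expired before the user approved it")


def save_refresh_token(token, path):
    """Persist the token as mode 0600: it grants offline API access and must not be world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)


if __name__ == "__main__":
    dev = request_device_code()
    print(f"Open {dev.get('verification_uri_complete', dev.get('verification_uri'))} "
          f"and enter user code {dev['user_code']}")
    token = poll_for_refresh_token(dev["device_code"], dev.get("interval", 5),
                                   dev.get("expires_in", 600))
    save_refresh_token(token, "refresh_token.txt")
    print("refresh token written to refresh_token.txt")
```

The HTTP call is injected (`post=`) so the polling logic can be exercised offline; the refresh token is a long-lived credential for the Ubika API, so treat the output file like a private key and paste it into the intake configuration rather than leaving copies in shell history.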
Create your intake
- Go to the intake page and create a new intake from the Ubika Cloud Protector Next Generation Traffic Logs.
- Set the intake account configuration with the namespace and refresh token from the How to create refresh token step.
Enjoy your events on the Events page
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"timestamp": "1777383278301",
"context": {
"assetName": "testAsset",
"assetNamespace": "example",
"reaction": "BLOCKED"
},
"request": {
"uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "example.comm",
"method": "GET",
"path": "/.aws/credentials",
"headers": [
{
"key": "referer",
"value": "-"
},
{
"key": "user-agent",
"value": "Googlebot-News"
}
],
"ipSource": "192.0.2.1",
"query": "",
"size": "292"
},
"response": {
"backendResponseTime": "0",
"backendStatusCode": 0,
"size": "520",
"statusCode": 403,
"totalResponseTime": "1589"
}
}
{
"timestamp": "1777383263946",
"context": {
"assetName": "testAsset",
"assetNamespace": "example",
"reaction": "PASSED"
},
"request": {
"uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "example.com",
"method": "GET",
"path": "/",
"headers": [
{
"key": "user-agent",
"value": "Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10"
},
{
"key": "referer",
"value": "-"
}
],
"ipSource": "192.0.2.17",
"query": "",
"size": "332"
},
"response": {
"backendResponseTime": "0",
"backendStatusCode": 0,
"size": "522",
"statusCode": 200,
"totalResponseTime": "1861"
}
}
{
"timestamp": "1777383263946",
"context": {
"assetName": "testAsset",
"assetNamespace": "example",
"reaction": "MONITORED"
},
"request": {
"uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"hostname": "example.com",
"method": "GET",
"path": "/",
"headers": [
{
"key": "user-agent",
"value": "Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10"
},
{
"key": "referer",
"value": "-"
}
],
"ipSource": "192.0.2.17",
"query": "",
"size": "332"
},
"response": {
"backendResponseTime": "0",
"backendStatusCode": 0,
"size": "522",
"statusCode": 302,
"totalResponseTime": "1861"
}
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
| Web application firewall logs | Ubika detects and mitigates threats against web applications and APIs |
In detail, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | web |
| Type | access |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"timestamp\":\"1777383278301\",\"context\":{\"assetName\":\"testAsset\",\"assetNamespace\":\"example\",\"reaction\":\"BLOCKED\"},\"request\":{\"uid\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"hostname\":\"example.comm\",\"method\":\"GET\",\"path\":\"/.aws/credentials\",\"headers\":[{\"key\":\"referer\",\"value\":\"-\"},{\"key\":\"user-agent\",\"value\":\"Googlebot-News\"}],\"ipSource\":\"192.0.2.1\",\"query\":\"\",\"size\":\"292\"},\"response\":{\"backendResponseTime\":\"0\",\"backendStatusCode\":0,\"size\":\"520\",\"statusCode\":403,\"totalResponseTime\":\"1589\"}}",
"event": {
"action": "BLOCKED",
"category": [
"web"
],
"dataset": "traffic logs",
"duration": 1589000000,
"outcome": "failure",
"type": [
"access"
]
},
"@timestamp": "2026-04-28T13:34:38.301000Z",
"http": {
"request": {
"bytes": 292,
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"method": "GET"
},
"response": {
"status_code": 403
}
},
"observer": {
"product": "Cloud Protector Next Generation",
"vendor": "Ubika"
},
"related": {
"hosts": [
"example.comm"
],
"ip": [
"192.0.2.1"
]
},
"source": {
"address": "192.0.2.1",
"ip": "192.0.2.1"
},
"ubika": {
"cloud_protector": {
"asset": {
"name": "testAsset",
"namespace": "example"
}
}
},
"url": {
"domain": "example.comm",
"path": "/.aws/credentials",
"subdomain": "example"
},
"user_agent": {
"device": {
"name": "Spider"
},
"name": "Googlebot-News",
"original": "Googlebot-News",
"os": {
"name": "Other"
}
}
}
{
"message": "{\"timestamp\":\"1777383263946\",\"context\":{\"assetName\":\"testAsset\",\"assetNamespace\":\"example\",\"reaction\":\"PASSED\"},\"request\":{\"uid\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"hostname\":\"example.com\",\"method\":\"GET\",\"path\":\"/\",\"headers\":[{\"key\":\"user-agent\",\"value\":\"Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10\"},{\"key\":\"referer\",\"value\":\"-\"}],\"ipSource\":\"192.0.2.17\",\"query\":\"\",\"size\":\"332\"},\"response\":{\"backendResponseTime\":\"0\",\"backendStatusCode\":0,\"size\":\"522\",\"statusCode\":200,\"totalResponseTime\":\"1861\"}}",
"event": {
"action": "PASSED",
"category": [
"web"
],
"dataset": "traffic logs",
"duration": 1861000000,
"outcome": "success",
"type": [
"access"
]
},
"@timestamp": "2026-04-28T13:34:23.946000Z",
"http": {
"request": {
"bytes": 332,
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"method": "GET"
},
"response": {
"status_code": 200
}
},
"observer": {
"product": "Cloud Protector Next Generation",
"vendor": "Ubika"
},
"related": {
"hosts": [
"example.com"
],
"ip": [
"192.0.2.17"
]
},
"source": {
"address": "192.0.2.17",
"ip": "192.0.2.17"
},
"ubika": {
"cloud_protector": {
"asset": {
"name": "testAsset",
"namespace": "example"
}
}
},
"url": {
"domain": "example.com",
"path": "/",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Opera",
"original": "Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10",
"os": {
"name": "Linux"
},
"version": "10.10"
}
}
{
"message": "{\"timestamp\":\"1777383263946\",\"context\":{\"assetName\":\"testAsset\",\"assetNamespace\":\"example\",\"reaction\":\"MONITORED\"},\"request\":{\"uid\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"hostname\":\"example.com\",\"method\":\"GET\",\"path\":\"/\",\"headers\":[{\"key\":\"user-agent\",\"value\":\"Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10\"},{\"key\":\"referer\",\"value\":\"-\"}],\"ipSource\":\"192.0.2.17\",\"query\":\"\",\"size\":\"332\"},\"response\":{\"backendResponseTime\":\"0\",\"backendStatusCode\":0,\"size\":\"522\",\"statusCode\":302,\"totalResponseTime\":\"1861\"}}",
"event": {
"action": "MONITORED",
"category": [
"web"
],
"dataset": "traffic logs",
"duration": 1861000000,
"outcome": "unknown",
"type": [
"access"
]
},
"@timestamp": "2026-04-28T13:34:23.946000Z",
"http": {
"request": {
"bytes": 332,
"id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"method": "GET"
},
"response": {
"status_code": 302
}
},
"observer": {
"product": "Cloud Protector Next Generation",
"vendor": "Ubika"
},
"related": {
"hosts": [
"example.com"
],
"ip": [
"192.0.2.17"
]
},
"source": {
"address": "192.0.2.17",
"ip": "192.0.2.17"
},
"ubika": {
"cloud_protector": {
"asset": {
"name": "testAsset",
"namespace": "example"
}
}
},
"url": {
"domain": "example.com",
"path": "/",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Opera",
"original": "Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.10",
"os": {
"name": "Linux"
},
"version": "10.10"
}
}
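To make the transformation concrete, the following script is an added example (not Sekoia.io's parser) that maps one raw traffic log to the ECS-style document layout shown above and then pivots on the result the way a hunt would. The conversions are derived from the samples: `timestamp` is epoch milliseconds, `totalResponseTime` is milliseconds while `event.duration` is nanoseconds, and `reaction` maps BLOCKED to `failure`, PASSED to `success` and MONITORED to `unknown`; mapping any other reaction to `unknown` is an assumption, and `url.registered_domain`/`url.subdomain` are left out because they need a public-suffix lookup. `RAW_SAMPLE` is constructed from the page's first raw sample.

```python
"""Added example (not Sekoia.io's parser): normalizes one raw Ubika Cloud
Protector traffic log into the ECS-style fields shown in the transformed
samples above, then pivots on them. Derived from the samples: timestamp is
epoch milliseconds, totalResponseTime is milliseconds (event.duration is
nanoseconds), reaction maps BLOCKED->failure, PASSED->success,
MONITORED->unknown; any other reaction is assumed to map to 'unknown'.
url.registered_domain/subdomain need a public-suffix lookup and are omitted.
RAW_SAMPLE is constructed from the page's first raw sample."""
import json
from collections import Counter
from datetime import datetime, timezone

RAW_SAMPLE = json.dumps({
    "timestamp": "1777383278301",
    "context": {"assetName": "testAsset", "assetNamespace": "example", "reaction": "BLOCKED"},
    "request": {"uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "hostname": "example.comm",
                "method": "GET", "path": "/.aws/credentials",
                "headers": [{"key": "referer", "value": "-"},
                            {"key": "user-agent", "value": "Googlebot-News"}],
                "ipSource": "192.0.2.1", "query": "", "size": "292"},
    "response": {"backendResponseTime": "0", "backendStatusCode": 0, "size": "520",
                 "statusCode": 403, "totalResponseTime": "1589"},
})

OUTCOME_BY_REACTION = {"BLOCKED": "failure", "PASSED": "success", "MONITORED": "unknown"}


def header_value(headers, key):
    """Return the value of the first header whose key matches case-insensitively."""
    for h in headers:
        if h.get("key", "").lower() == key.lower():
            return h.get("value")
    return None


def normalize(raw_json):
    """Map a raw traffic log (JSON text) to the transformed document layout."""
    raw = json.loads(raw_json)
    ctx, req, resp = raw["context"], raw["request"], raw["response"]
    ts_ms = int(raw["timestamp"])
    # integer split keeps the microsecond field exact (no float rounding)
    ts = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).replace(microsecond=(ts_ms % 1000) * 1000)
    event = {
        "message": raw_json,
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "event": {
            "action": ctx["reaction"],
            "category": ["web"],
            "dataset": "traffic logs",
            "duration": int(resp["totalResponseTime"]) * 1_000_000,  # ms -> ns
            "outcome": OUTCOME_BY_REACTION.get(ctx["reaction"], "unknown"),
            "type": ["access"],
        },
        "http": {"request": {"bytes": int(req["size"]), "id": req["uid"], "method": req["method"]},
                 "response": {"status_code": int(resp["statusCode"])}},
        "observer": {"product": "Cloud Protector Next Generation", "vendor": "Ubika"},
        "related": {"hosts": [req["hostname"]], "ip": [req["ipSource"]]},
        "source": {"address": req["ipSource"], "ip": req["ipSource"]},
        "ubika": {"cloud_protector": {"asset": {"name": ctx["assetName"],
                                                "namespace": ctx["assetNamespace"]}}},
        "url": {"domain": req["hostname"], "path": req["path"]},
    }
    if req.get("query"):  # an empty query string is not emitted, as in the samples
        event["url"]["query"] = req["query"]
    ua = header_value(req.get("headers", []), "user-agent")
    if ua:
        event["user_agent"] = {"original": ua}
    return event


def blocked_requests_by_source(events):
    """Hunting pivot: number of blocked requests (event.outcome == failure) per source.ip."""
    counts = Counter()
    for ev in events:
        if ev["event"]["outcome"] == "failure":
            counts[ev["source"]["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    doc = normalize(RAW_SAMPLE)
    print(json.dumps({k: doc[k] for k in ("@timestamp", "event", "http", "url")}, indent=2))
    print(blocked_requests_by_source([doc]))
```

Running it on the constructed sample reproduces the `@timestamp`, `event.duration` and `event.outcome` values of the first transformed sample, which is a quick way to check a custom rule's assumptions about units before writing it against the real intake.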
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.dataset | keyword | Name of the dataset. |
| event.duration | long | Duration of the event in nanoseconds. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| http.request.bytes | long | Total size in bytes of the request (body and headers). |
| http.request.id | keyword | HTTP request ID. |
| http.request.method | keyword | HTTP request method. |
| http.response.status_code | long | HTTP response status code. |
| observer.product | keyword | The product name of the observer. |
| observer.vendor | keyword | Vendor name of the observer. |
| source.ip | ip | IP address of the source. |
| ubika.cloud_protector.asset.name | keyword | |
| ubika.cloud_protector.asset.namespace | keyword | |
| url.domain | keyword | Domain of the url. |
| url.path | wildcard | Path of the request, such as "/search". |
| url.query | keyword | Query string of the request. |
| user_agent.original | keyword | Unparsed user_agent string. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.