Event Standardization for Network Events

To ensure consistent recognition and semantic interpretation of network events, we follow the standardization guidelines below. We recommend that users adopt the same guidelines for their "network custom format". The supported network services include Vade, Varonis, Trellix, Proofpoint, Netskope, Gatewatcher, FortiGate, Darktrace, and Cisco.

📋 Required Fields

| Field | Description | Examples |
| --- | --- | --- |
| event.action | Describes what the event represents or what action was taken. | allow, deny, connection, disconnection, alert |
| event.kind | Describes the kind of event. | event, alert, metric, state |
| event.category | The high-level category of the event. | network, intrusion_detection, firewall |

🛠️ Additional Fields

To provide more context and enhance the description of the events, the inclusion of additional fields is encouraged. The following additional fields can be used:

| Field | Description | Examples |
| --- | --- | --- |
| source.ip | The IP address of the source of the event. | 192.168.1.1 |
| source.port | The source port involved in the event. | 443 |
| destination.ip | The IP address of the destination of the event. | 192.168.1.2 |
| destination.port | The destination port involved in the event. | 80 |
| url.domain | The domain of the URL involved in the event. | example.com |
| destination.domain | The domain of the destination involved in the event. | destination.com |
| dns.question.name | The name of the DNS question. | example.com |
| http.request.method | The HTTP request method used. | GET |
| http.response.status_code | The HTTP response status code. | 200 |
| http.response.bytes | The size of the HTTP response in bytes. | 1024 |
| network.transport | The network transport protocol used. | TCP, UDP |
| event.severity | Qualification of the severity of an alert. | low, medium, high, very high |
| event.dataset | Identifies the type of logs or data stream the event belongs to. | ips-event, firewall.traffic, dns_response |

Examples of event parsing

In this section, we show how raw messages from several network security tools are transformed into the ECS format.

Fortinet FortiGate

The following example is a DNS response event generated by a FortiGate firewall. This event log indicates that a DNS response was processed by the FortiGate firewall. The DNS query was for the domain 'detectportal.firefox.com', which is typically used by Firefox for detecting captive portals. The query originated from the user "bob" with a source IP address of '10.1.100.11', and it was targeting '172.16.200.55' on port '53' (DNS).

Raw Event Before Parsing

```
CEF:0|Fortinet|Fortigate|v6.0.3|54802|dns:dns-response pass|3|deviceExternalId=FGT5HD3915800610 FTNTFGTlogid=1501054802 cat=dns:dns-response FTNTFGTsubtype=dns-response FTNTFGTlevel=notice FTNTFGTvd=vdom1 FTNTFGTeventtime=1545950726 FTNTFGTpolicyid=1 externalId=13355 duser=bob src=10.1.100.11 spt=54621 deviceInboundInterface=port12 FTNTFGTsrcintfrole=lan dst=172.16.200.55 dpt=53 deviceOutboundInterface=port11 FTNTFGTdstintfrole=wan proto=17 FTNTFGTprofile=default FTNTFGTsrcmac=a2:e9:00:ec:40:01 FTNTFGTxid=5137 FTNTFGTqname=detectportal.firefox.com FTNTFGTqtype=A FTNTFGTqtypeval=1 FTNTFGTqclass=IN FTNTFGTipaddr=104.80.89.26, 104.80.89.24 msg=Domain is monitored act=pass FTNTFGTcat=52 FTNTFGTcatdesc=Information Technology
```

  • For instance, event.category is derived from the name field of the CEF header, which is set to 'dns:dns-response pass'.
  • Similarly, event.action is extracted directly from the act field, which is 'pass'.

ECS Fields After Parsing

```json
{
    "event": {
        "action": "pass",
        "category": "dns",
        "code": "1501054802",
        "dataset": "dns:dns-response",
        "outcome": "success",
        "reason": "Domain is monitored"
    },
    "@timestamp": "2018-12-27T22:45:26Z",
    "action": {
        "name": "pass",
        "outcome": "success",
        "outcome_reason": "Domain is monitored",
        "target": "network-traffic",
        "type": "dns-response"
    },
    "destination": {
        "address": "172.16.200.55",
        "ip": "172.16.200.55",
        "port": 53,
        "user": {
            "name": "bob"
        }
    },
    "log": {
        "level": "notice"
    },
    "network": {
        "transport": "udp"
    },
    "observer": {
        "egress": {
            "interface": {
                "name": "port11"
            }
        },
        "ingress": {
            "interface": {
                "name": "port12"
            }
        },
        "type": "Fortigate",
        "vendor": "Fortinet",
        "version": "v6.0.3"
    },
    "related": {
        "ip": [
            "10.1.100.11",
            "172.16.200.55"
        ],
        "user": [
            "bob"
        ]
    },
    "source": {
        "address": "10.1.100.11",
        "ip": "10.1.100.11",
        "port": 54621
    }
}
```

Trellix Network Security

The following example is a Trellix log detailing a high-severity IPS event (level 7). It identifies traffic from source IP '1.2.3.4' on port '80' to destination IP '5.6.7.8' on port '1109' as an Exploit Kit Landing Page. The system notified stakeholders of this potential threat. The detection, associated with signature ID '85305161', was recorded on the device cms-nx5600-1.eng.fireeye.com, with further details available via the URL carried in the event. The source and destination MAC addresses were '6c:af:1a:fb:fe:a7' and '00:78:db:db:96:f6', respectively, and the event was categorized as a client attack.

Raw Event Before Parsing

```
CEF:0|Trellix|MPS|10.0.0.992057|IE|ips-event|7|externalId=3463232 rt=Sep 05 2023 16:46:51 UTC proto=tcp src=1.2.3.4 spt=80 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=1109 dmac=00:78:db:db:96:f6 cnt=1 cs1Label=sname cs1=Exploit Kit Landing Page act=notified dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 dvcmac=e3:e9:d0:5e:ba:8e cn2=85305161 cn2Label=sid cfp1=12 cfp1Label=signature revision cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd cs4Label=link flexString2=client flexString2Label=attack mode msg=MVX Correlation Status:N/A cn1=0 cn1Label=vlan
```

  • event.action is mapped directly from the CEF act field, which is set to 'notified'.
  • event.category is less intuitive in this example. However, if we check the expert descriptions of the parser, we can see that the default value of event.category is 'intrusion_detection', and it takes another value if and only if the message.name of our raw event matches 'domain-match', 'malware-object' or 'riskware-object'.

ECS Fields After Parsing

```json
{
    "event": {
        "action": "notified",
        "category": [
            "intrusion_detection"
        ],
        "dataset": "ips-event",
        "reason": "MVX Correlation Status:N/A",
        "severity": 7,
        "type": [
            "info"
        ],
        "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd"
    },
    "@timestamp": "2023-09-05T16:46:51Z",
    "destination": {
        "address": "5.6.7.8",
        "ip": "5.6.7.8",
        "mac": "00:78:db:db:96:f6",
        "port": 1109
    },
    "network": {
        "transport": "tcp"
    },
    "observer": {
        "hostname": "cms-nx5600-1.eng.fireeye.com",
        "ip": [
            "3.4.5.6"
        ],
        "mac": [
            "e3:e9:d0:5e:ba:8e"
        ],
        "product": "MPS",
        "vendor": "Trellix",
        "version": "10.0.0.992057"
    },
    "related": {
        "hosts": [
            "cms-nx5600-1.eng.fireeye.com"
        ],
        "ip": [
            "1.2.3.4",
            "3.4.5.6",
            "5.6.7.8"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "mac": "6c:af:1a:fb:fe:a7",
        "port": 80
    },
    "trellix": {
        "nx": {
            "sname": "Exploit Kit Landing Page"
        }
    }
}
```
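The two mappings above (FortiGate: event.category from the CEF name prefix, event.action from act, proto number to network.transport; Trellix: event.category defaulting to 'intrusion_detection') as one worked example. This is added illustration code, not the product's parser; the sample lines are trimmed, constructed copies of the raw events on this page, the generic CEF splitter and the `missing_required` check are our own, and the value used when a Trellix name matches the three special names is an assumption the page does not state.

```python
import re
from datetime import datetime, timezone

# Constructed samples: trimmed copies of the two raw events shown on this page.
FORTIGATE_CEF = ("CEF:0|Fortinet|Fortigate|v6.0.3|54802|dns:dns-response pass|3|"
                 "FTNTFGTeventtime=1545950726 duser=bob src=10.1.100.11 spt=54621 "
                 "dst=172.16.200.55 dpt=53 proto=17 msg=Domain is monitored act=pass")
TRELLIX_CEF = ("CEF:0|Trellix|MPS|10.0.0.992057|IE|ips-event|7|proto=tcp src=1.2.3.4 "
               "spt=80 dst=5.6.7.8 dpt=1109 cs1Label=sname cs1=Exploit Kit Landing Page "
               "act=notified cs4=https://example.invalid/d?uuid\\=abc cs4Label=link")
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
PROTO = {"6": "tcp", "17": "udp"}  # IANA numbers FortiGate writes in proto=

def parse_cef(line):
    """Split a CEF line into its 7 '|'-separated header fields (literal pipe is '\\|')
    and an extension dict; a value runs to the next ' key=' and '\\=' is a literal '='."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    header = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    header["version"] = header["version"].removeprefix("CEF:")
    ext = {m[1]: m[2].replace("\\=", "=")
           for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext

def to_ecs(line):
    """Apply the mapping rules described on this page to one CEF line."""
    header, ext = parse_cef(line)
    name = header["name"]
    if header["vendor"] == "Trellix":
        dataset = name
        # Page rule: default 'intrusion_detection', overridden only for these names.
        # Assumption (not on the page): the override value is the name itself.
        special = ("domain-match", "malware-object", "riskware-object")
        category = name if name in special else "intrusion_detection"
    else:
        dataset = name.split(" ")[0]      # 'dns:dns-response pass' -> 'dns:dns-response'
        category = dataset.split(":")[0]  # -> 'dns'
    transport = PROTO.get(ext.get("proto"), ext.get("proto", "")).lower() or None
    ecs = {"event": {"action": ext.get("act"), "category": category, "dataset": dataset,
                     "severity": int(header["severity"]), "reason": ext.get("msg")},
           "source": {"ip": ext.get("src"), "port": int(ext.get("spt", 0)) or None},
           "destination": {"ip": ext.get("dst"), "port": int(ext.get("dpt", 0)) or None},
           "network": {"transport": transport}}
    if "FTNTFGTeventtime" in ext:  # FortiGate epoch seconds -> ECS @timestamp
        ts = datetime.fromtimestamp(int(ext["FTNTFGTeventtime"]), timezone.utc)
        ecs["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return ecs

def missing_required(ecs):
    """Required fields from this page the event lacks; CEF carries no event.kind itself."""
    return [f for f in ("event.action", "event.kind", "event.category")
            if not ecs.get("event", {}).get(f.split(".")[1])]
```

Running `to_ecs(FORTIGATE_CEF)` reproduces the event, source, destination, network and @timestamp values of the FortiGate ECS document above; `missing_required` flags that event.kind still has to be assigned by the format itself.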

Note

Following these standards ensures that the EDR event data is consistent and can be easily interpreted and analyzed across different systems. This standardization helps provide a unified view of security events and enhances the capability to respond to incidents efficiently.