Traffic-Blocked Log Event JSON Format
This document describes the fields of the Log Streaming traffic-blocked log event and provides an example.
The traffic-blocked log event is generated when Cyber Shield Traffic Filtering blocks a traffic flow.
The log event JSON consists of the Header fields and a log JSON object. The table below describes the fields of the log object when the eventName in the Header is set to traffic-blocked. Note that the log object has its own eventName and category fields, which are distinct from the Header fields of the same name. For more information on the Header, refer to Log Event Header Fields.
| Field Name | Type | Description |
|---|---|---|
| signatureId | String | The ID of the traffic signature that matched the traffic flow and caused it to be blocked. |
| eventName | String | Informative text describing the traffic signature that the blocked traffic flow matched. |
| classification | String | Informative text describing the threat classification of the blocked traffic flow. |
| priority | Integer | The Cyber Shield Traffic Filtering priority level. Traffic matching specific patterns of interest is classified into three threat priority levels, where 1 is the highest severity and 3 is the lowest. |
| category | String | The Cyber Shield traffic filter category of the blocked traffic flow. |
| protocol | String | The protocol of the blocked traffic flow. |
| sourceIp | String | The IP address of the traffic source. |
| sourcePort | Integer | The port number of the traffic source. |
| destinationIp | String | The IP address of the intended traffic destination. |
| destinationPort | Integer | The port number of the intended traffic destination. |
Example traffic-blocked log event:

```json
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-10T15:50:04.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "33249eb9-836e-4f9c-b9da-3688166bfa2b",
  "initiator": "521572bc-fcc2-4c05-a78c-d2a9654cc676",
  "initiatorType": "Device",
  "initiatorName": "My Main Device",
  "parentEntity": "43efdaaa-d8a1-4af1-acc1-d96b77313f42",
  "parentEntityType": "User",
  "parentEntityName": "My User",
  "category": "Security.CyberShieldBlockedTraffic",
  "eventName": "traffic-blocked",
  "log": {
    "signatureId": "1:99999907:1",
    "eventName": "ET WORM OpenVPN generate event for category Malware prio 1",
    "classification": "Attempted Information Leak",
    "priority": 1,
    "category": "Malware and Ransomware",
    "protocol": "TCP",
    "sourceIp": "100.96.1.130",
    "sourcePort": 55544,
    "destinationIp": "104.18.21.80",
    "destinationPort": 80
  }
}
```
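The following consumer-side validator is an added example and is not part of the CloudConnexa documentation or product: it dispatches on the Header eventName, checks the log object against the field table above (including the 1 to 3 priority range), and produces a normalised record; the function name and record layout are this example's own, and the sample event is the page's example serialised on a few lines.

```python
import json
from typing import Optional

# Expected Python types of the "log" object fields documented above (String -> str, Integer -> int).
LOG_FIELD_TYPES = {
    "signatureId": str, "eventName": str, "classification": str, "priority": int,
    "category": str, "protocol": str, "sourceIp": str, "sourcePort": int,
    "destinationIp": str, "destinationPort": int,
}

def parse_traffic_blocked(raw: str) -> Optional[dict]:
    """Return a normalised record for a traffic-blocked event, None for any other event type.

    Raises ValueError if the Header says traffic-blocked but the log object does not
    match the field table above."""
    event = json.loads(raw)
    # The Header eventName selects the event type; log.eventName is only descriptive signature text.
    if event.get("eventName") != "traffic-blocked":
        return None
    log = event.get("log")
    if not isinstance(log, dict):
        raise ValueError("traffic-blocked event without a log object")
    for name, expected in LOG_FIELD_TYPES.items():
        value = log.get(name)
        # bool is a subclass of int, so a JSON true/false must not pass as an Integer field.
        if value is None or isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"log.{name}: missing or not {expected.__name__}")
    if log["priority"] not in (1, 2, 3):
        raise ValueError(f"log.priority out of range: {log['priority']}")
    return {
        "device": event.get("initiatorName"),
        "signature_id": log["signatureId"],
        "priority": log["priority"],
        "category": log["category"],
        "flow": f'{log["protocol"]} {log["sourceIp"]}:{log["sourcePort"]} -> '
                f'{log["destinationIp"]}:{log["destinationPort"]}',
    }

# Constructed sample: the example event from this page, serialised on a few lines.
SAMPLE_EVENT = (
    '{"CloudConnexaLogVersion": 1, "timestamp": "2023-11-10T15:50:04.000000Z", "cloudId": "test", '
    '"service": "CloudConnexa", "initiatorType": "Device", "initiatorName": "My Main Device", '
    '"category": "Security.CyberShieldBlockedTraffic", "eventName": "traffic-blocked", '
    '"log": {"signatureId": "1:99999907:1", "eventName": "ET WORM OpenVPN generate event for category Malware prio 1", '
    '"classification": "Attempted Information Leak", "priority": 1, "category": "Malware and Ransomware", '
    '"protocol": "TCP", "sourceIp": "100.96.1.130", "sourcePort": 55544, '
    '"destinationIp": "104.18.21.80", "destinationPort": 80}}'
)
```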