Log Field Reference
All of the fields available in the log data supplied by the SIEM log streaming integration.
Field | Type | Description |
---|---|---|
time | String containing RFC3339 Datetime | The time the query occurred |
query | string | The domain queried, also called question |
query_type | string | The RR Type |
src_ip | string | The IP from which the request came |
reply_code_id | integer | The DNS status code |
protocol | string (enum) | The DNS protocol used: `legacy`, `doh`, `doh3`, `dot`, `doq` |
answers | object | |
answers.ips | array | List of all answers provided. Currently only contains IPs. |
answers.geoip | object (optional) | GeoIP2 information about the first valid IP in the answers. |
answers.geoip.countryCode | string (optional) | two-letter country code of the IP |
answers.geoip.city | string (optional) | Name of the city of the IP |
answers.geoip.isp | string (optional) | Name of the ISP of the IP |
answers.geoip.asn | integer (optional) | ASN number of the ISP |
organisation | object | |
organisation.id | string | the ID of the organisation account |
organisation.name | string | the name of the organisation (currently not supplied) |
user | object (null if organisation is not null) | |
user.id | string | the ID of the user account |
user.name | string | the name of the user (currently not supplied) |
device | object | |
device.id | string | the ID of the endpoint |
device.name | string | the name of the endpoint |
client | object (optional) | |
client.id | string | the ID of the client |
client.name | string | the name of the client (usually hostname or custom alias) |
controld_action | integer | The action taken by Control D: `-1` Request Failed, `0` Blocked, `1` Bypassed, `2` Redirected (IP), `3` Redirected (Location) |
controld_trigger | string (optional) | The reason the action was taken: `default` default action, `filter` blocked by filter, `service` action triggered by service, `custom` custom rule, `grule` global rule, `rebind` rebind protection |
controld_trigger_name | string (optional) | The label for the trigger described above, if any. For `filter`: the name of the filter; for `service`: the name of the service; for `custom`: the name of the custom rule |
controld_spoof_target | string (optional) | The target of a redirect, if any. Generally an IP, another domain, or an IATA code of a proxy location. |
domain_category | string (optional) | A broad category of the type of website, such as business or entertainment. Not currently supplied |
source_ip | object (optional) | Contains the same info as answers.geoip (see above), but for src_ip |
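As an added example (not part of this reference or the vendor's own tooling), the following Python normalises one streamed record into a flat event for SIEM ingestion, validating the enumerated fields above and resolving the `controld_action` and `controld_trigger` codes. The sample record is constructed; the output field names are the example's own choice.

```python
import json
from datetime import datetime

# Code tables taken from the field reference above.
ACTIONS = {-1: "request_failed", 0: "blocked", 1: "bypassed",
           2: "redirected_ip", 3: "redirected_location"}
TRIGGERS = {"default", "filter", "service", "custom", "grule", "rebind"}
PROTOCOLS = {"legacy", "doh", "doh3", "dot", "doq"}

# Constructed sample record (not real log data); shape follows the reference.
SAMPLE = json.dumps({
    "time": "2024-05-01T12:34:56Z", "query": "example.com", "query_type": "A",
    "src_ip": "203.0.113.7", "reply_code_id": 0, "protocol": "doh",
    "answers": {"ips": ["198.51.100.10"], "geoip": {"countryCode": "US"}},
    "organisation": {"id": "org-abc", "name": ""}, "user": None,
    "device": {"id": "dev-1", "name": "laptop"},
    "controld_action": 0, "controld_trigger": "filter",
    "controld_trigger_name": "Malware",
})

def normalise(raw: str) -> dict:
    """Parse one JSON log record, reject unknown enum values, flatten it."""
    rec = json.loads(raw)
    if rec["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rec['protocol']!r}")
    if rec["controld_action"] not in ACTIONS:
        raise ValueError(f"unknown controld_action {rec['controld_action']!r}")
    trigger = rec.get("controld_trigger")
    if trigger is not None and trigger not in TRIGGERS:
        raise ValueError(f"unknown controld_trigger {trigger!r}")
    # Exactly one of organisation / user is set; use whichever identifies the account.
    account = rec.get("organisation") or rec.get("user") or {}
    answers = rec.get("answers") or {}
    geo = answers.get("geoip") or {}
    return {
        # RFC3339 'Z' suffix is mapped to an explicit offset for older Pythons.
        "ts": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
        "query": rec["query"], "qtype": rec["query_type"],
        "src_ip": rec["src_ip"], "rcode": rec["reply_code_id"],
        "protocol": rec["protocol"], "answer_ips": list(answers.get("ips") or []),
        "answer_country": geo.get("countryCode"), "account_id": account.get("id"),
        "device_id": rec["device"]["id"], "client_id": (rec.get("client") or {}).get("id"),
        "action": ACTIONS[rec["controld_action"]], "trigger": trigger,
        "trigger_name": rec.get("controld_trigger_name"),
        "spoof_target": rec.get("controld_spoof_target"),
        # Rebind protection firing is a useful stand-alone detection signal.
        "alert": trigger == "rebind",
    }
```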