A breakdown of the event fields sent by Peakhour
Introduction
When integrating Peakhour event logs, it's crucial to understand the JSON format that Peakhour sends. In this blog post, we'll provide a detailed explanation of that format: each event is a JSON object, which parses directly into a Python dictionary. This knowledge will help you work more effectively with the data, enabling better analysis and security event management.
Peakhour JSON Format
The JSON format sent by Peakhour consists of various fields, each containing specific information about the event. Below is a list of the fields included in the JSON format, with a description of each value in place of the value itself:
{
  "time": "UTC timestamp of the event",
  "location": "Location of the server handling the request",
  "host": "Hostname of the server",
  "blocklists": "List of blocklists the client's IP is part of",
  "geoip": {
    "country_code": "Country code of the client's IP",
    "as_organization": "AS of the client's IP",
    "as_number": "ASN of the client's IP"
  },
  "client": "Client's IP address",
  "bytesin": "Number of bytes received from the client",
  "bytesout": "Number of bytes sent to the client",
  "unique_id": "Unique identifier for the request",
  "httpver": "HTTP version used for the request",
  "method": "HTTP method of the request",
  "path": "Path of the requested resource",
  "query": "Query string of the request",
  "referer": "Referer URL of the request",
  "request_headers": {
    "name": "Name of the request header",
    "value": "Value of the request header"
  },
  "user_agent": "User agent string of the client",
  "user_agent_type": "Type of the user agent (e.g., browser, bot)",
  "block.by": "Type of block that occurred (e.g., WAF, IP threat list, custom rule, rate limit, bot)"
}
This JSON format represents the structure of the data sent by Peakhour. Once ingested, the data is stored and can be queried and analyzed by external tools.
Field Descriptions
- time: The timestamp of the event in UTC format.
- location: The geographical location of the event, usually represented by the server's location.
- host: The hostname associated with the event.
- blocklists: A list of blocklists, including IP threat lists that contributed to the event.
- geoip: Geolocation information of the client's IP address.
- client: The client IP address involved in the event.
- bytesin: The number of bytes received by the server during the event.
- bytesout: The number of bytes sent by the server during the event.
- unique_id: A unique identifier assigned to the event.
- httpver: The HTTP version used for the request (e.g., HTTP/1.1 or HTTP/2).
- method: The HTTP request method (e.g., GET, POST, PUT, DELETE, etc.).
- path: The requested URL path of the event.
- query: The query string, if any, included in the request.
- referer: The referring URL, if available, from which the client navigated to the event URL.
- request_headers: A dictionary containing the HTTP request headers.
- user_agent: The client's user agent string, which provides information about the client's browser and operating system.
- user_agent_type: A categorization of the user agent (e.g., desktop, mobile, bot, etc.).
- block.by: The specific reason for blocking the request (e.g., WAF, IP threat list, custom rule, rate limit, bot, etc.).
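The field list above is enough to write a small ingestion step that turns raw event lines into dictionaries and derives a few detection signals from them: blocks per block.by reason, clients that are blocked repeatedly, and blocked requests whose client sits on a blocklist. The code below is an added example, not Peakhour's own code; the sample log lines are constructed, and it assumes that "time" is an ISO 8601 UTC timestamp and that allowed (unblocked) requests simply carry no "block.by" key.

```python
"""Parse Peakhour-style event records and derive simple detection signals.

Added example, not Peakhour's own code. Assumes the field layout described
on this page, an ISO 8601 UTC "time" value, and no "block.by" key on
requests that were allowed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (RFC 5737 addresses, documentation ASN), one JSON
# object per line as a log shipper would emit them.
_BASE = {
    "time": "2024-01-15T10:00:00Z", "location": "syd", "host": "www.example.com",
    "blocklists": [],
    "geoip": {"country_code": "AU", "as_organization": "Example AS", "as_number": 64496},
    "client": "192.0.2.25", "bytesin": 400, "bytesout": 0, "unique_id": "req-0000",
    "httpver": "HTTP/1.1", "method": "GET", "path": "/", "query": "", "referer": "",
    "request_headers": {"Host": "www.example.com"},
    "user_agent": "Mozilla/5.0", "user_agent_type": "browser",
}


def _line(**overrides):
    return json.dumps({**_BASE, **overrides})


SAMPLE_LINES = [
    _line(unique_id="req-0001", client="203.0.113.10", blocklists=["tor-exit"], path="/admin",
          user_agent="curl/8.0", user_agent_type="bot", bytesin=512, **{"block.by": "IP threat list"}),
    _line(unique_id="req-0002", client="203.0.113.10", blocklists=["tor-exit"], method="POST",
          path="/login", bytesin=2048, **{"block.by": "WAF"}),
    _line(unique_id="req-0003", client="198.51.100.7", path="/api/search", query="q=test",
          bytesin=300, **{"block.by": "rate limit"}),
    _line(unique_id="req-0004", bytesout=15000),  # allowed request: no block.by key
]

# Fields every event must carry before we trust it downstream.
REQUIRED = ("time", "client", "method", "path", "unique_id")


def parse_event(line):
    """Parse one JSON log line, validate required fields and normalise optional
    ones so later code does not have to guard every key."""
    event = json.loads(line)
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError("event %s missing fields: %s" % (event.get("unique_id"), missing))
    # fromisoformat() only accepts a trailing "Z" on newer Pythons; normalise it.
    ts = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
    event["time"] = ts.astimezone(timezone.utc)
    event.setdefault("blocklists", [])
    event.setdefault("geoip", {})
    event.setdefault("request_headers", {})
    event.setdefault("block.by", None)  # None means the request was allowed
    for key in ("bytesin", "bytesout"):
        event[key] = int(event.get(key, 0))
    return event


def load_events(lines):
    return [parse_event(line) for line in lines]


def blocks_by_reason(events):
    """Count blocked events per block.by value; allowed requests are skipped."""
    return Counter(e["block.by"] for e in events if e["block.by"])


def repeat_offenders(events, threshold=2):
    """Clients blocked at least `threshold` times, mapped to their distinct block reasons."""
    hits = Counter(e["client"] for e in events if e["block.by"])
    return {
        ip: sorted({e["block.by"] for e in events if e["client"] == ip and e["block.by"]})
        for ip, n in hits.items() if n >= threshold
    }


def threat_list_hits(events):
    """Blocked events whose client is on at least one blocklist, keyed by unique_id."""
    return {e["unique_id"]: e["blocklists"] for e in events if e["block.by"] and e["blocklists"]}


def traffic_totals(events):
    """Total bytes received from and sent to clients across all events."""
    return sum(e["bytesin"] for e in events), sum(e["bytesout"] for e in events)


if __name__ == "__main__":
    evs = load_events(SAMPLE_LINES)
    print(blocks_by_reason(evs))
    print(repeat_offenders(evs))
    print(threat_list_hits(evs))
```

Each helper returns plain dictionaries and tuples rather than printing, so the same functions can feed an alerting rule (for example, paging on any client returned by repeat_offenders) or a dashboard without change. Validation happens once, in parse_event, which is also the right place to reject malformed lines before they reach storage.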
Conclusion
Understanding the Peakhour JSON format is crucial when integrating with a third-party system, as it allows you to work more effectively with the data and perform comprehensive security event analysis. With this knowledge, you can create custom rules, alerts, and visualizations, enabling better threat detection and response.