Commit 5caa689

asim/update-dns-version
1 parent 965af9a commit 5caa689

File tree: 1 file changed, +2 -1 lines changed


articles/sentinel/dns-normalization-schema.md

Lines changed: 2 additions & 1 deletion
@@ -141,7 +141,7 @@ The following list mentions fields that have specific guidelines for DNS events:
141141
| **EventType** | Mandatory | Enumerated | Indicates the operation reported by the record. <br><br> For DNS records, this value would be the [DNS op code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>Example: `lookup`|
142142
| **EventSubType** | Optional | Enumerated | Either `request` or `response`. <br><br>For most sources, [only the responses are logged](#guidelines-for-collecting-dns-events), and therefore the value is often **response**. |
143143
| <a name=eventresultdetails></a>**EventResultDetails** | Mandatory | Enumerated | For DNS events, this field provides the [DNS response code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>**Notes**:<br>- IANA doesn't define the case for the values, so analytics must normalize the case.<br> - If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. <br>- If this record represents a request and not a response, set to **NA**. <br><br>Example: `NXDOMAIN` |
144-
| **EventSchemaVersion** | Mandatory | String | The version of the schema documented here is **0.1.3**. |
144+
| **EventSchemaVersion** | Mandatory | String | The version of the schema documented here is **0.1.4**. |
145145
| **EventSchema** | Mandatory | String | The name of the schema documented here is **Dns**. |
146146
| **Dvc** fields| - | - | For DNS events, device fields refer to the system that reports the DNS event. |
147147
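Review bot: the only change in this hunk is the EventSchemaVersion row going from 0.1.3 to 0.1.4, but no rows are added to the field table for the fields the 0.1.4 changelog entry introduces (ThreatIpAddr, ThreatName, ThreatConfidence, ThreatOriginalConfidence, ThreatOriginalRiskLevel, ThreatIsActive, ThreatFirstReportedTime, ThreatLastReportedTime). If those fields are documented in a shared section of this file that the diff does not touch, please link that section from the changelog; otherwise the table and the advertised version are out of sync and the rows belong in this same change. Since the page states that parsers must enrich and normalize values for this schema, it is also worth confirming that the parsers emitting EventSchemaVersion are bumped to 0.1.4 together with this document.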

@@ -302,6 +302,7 @@ The changes in version 0.1.3 of the schema are:
302302
- Added optional Geo Location and Risk Level fields.
303303

304304
The changes in version 0.1.4 of the schema are:
305+
- Added the optional fields `ThreatIpAddr`, `ThreatName`, `ThreatConfidence`, `ThreatOriginalConfidence`, `ThreatOriginalRiskLevel`, `ThreatIsActive`, `ThreatFirstReportedTime`, and `ThreatLastReportedTime`
305306

306307

307308
## Source-specific discrepancies
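Review bot: the new bullet at +305 ends without a period while the neighbouring 0.1.3 entry ("Added optional Geo Location and Risk Level fields.") ends with one; add the period for consistency. The bullet also lists the eight Threat* fields by name only; a short clause saying what they carry, or a link to where they are defined, would let readers of the changelog understand the change without searching the field tables.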
