Palo Alto Networks · JSON Structure

Cortex XSIAM Data Ingestion Event Data Payload Structure

The payload structure for pre-normalized event data ingestion directly into the XSIAM data lake. Contains all required routing metadata plus the normalized event content for direct dataset indexing.

Type: object · Properties: 8 · Required: 8
Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR

EventDataPayload is a JSON Structure definition published by Palo Alto Networks, describing 8 properties, of which 8 are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

dataset, vendor, product, log_type, raw_log, timestamp, tenant_id, event_id

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xsiam-data-ingestion-event-data-payload-structure.json",
  "name": "EventDataPayload",
  "description": "The payload structure for pre-normalized event data ingestion directly into the XSIAM data lake. Contains all required routing metadata plus the normalized event content for direct dataset indexing.\n",
  "type": "object",
  "properties": {
    "dataset": {
      "type": "string",
      "description": "The target XSIAM dataset name for direct indexing. Must match an existing dataset schema in the XSIAM data lake.\n"
    },
    "vendor": {
      "type": "string",
      "description": "The vendor that produced the source event data.\n"
    },
    "product": {
      "type": "string",
      "description": "The product that generated the source event.\n"
    },
    "log_type": {
      "type": "string",
      "description": "The log type or event category identifier for schema selection during indexing.\n"
    },
    "raw_log": {
      "type": "string",
      "description": "The original raw event content from the source system, preserved alongside normalized fields for audit and reprocessing purposes.\n"
    },
    "timestamp": {
      "type": "datetime",
      "description": "The ISO 8601 date-time string indicating when the original event occurred at the source system.\n"
    },
    "tenant_id": {
      "type": "string",
      "description": "The XSIAM tenant identifier for multi-tenant data routing.\n"
    },
    "event_id": {
      "type": "string",
      "description": "A unique identifier for this event record used for deduplication and correlation reference.\n"
    }
  },
  "required": [
    "dataset",
    "vendor",
    "product",
    "log_type",
    "raw_log",
    "timestamp",
    "tenant_id",
    "event_id"
  ]
}