| dataset | string | The target XSIAM dataset name that this log data should be indexed into. Dataset names correspond to XSIAM data lake tables and determine the schema applied during normalization. |
| vendor | string | The name of the vendor that produced the log data. Used in combination with product and log_type to identify the correct parsing rule for normalizing the raw log content. |
| product | string | The name of the specific product or component that generated the log. Used in combination with vendor and log_type to route the log to the appropriate XSIAM parsing pipeline. |
| log_type | string | The log type identifier that classifies the nature of the log content, such as traffic, threat, authentication, or syslog. Used to select the correct normalization schema. |
| raw_log | string | The raw log content in its original format as produced by the source system. May be a syslog message, CSV line, JSON string, CEF record, or any other log format supported by the configured XSIAM parsi |
| timestamp | string | The ISO 8601 date-time string indicating when this log event occurred at the source. If not provided, the ingestion receipt time is used as the event timestamp. |
| tenant_id | string | The XSIAM tenant identifier that this log data belongs to. Used for multi-tenant environments to route data to the correct tenant data lake partition. |
| event_id | string | A unique identifier for this individual log event, generated by the submitting system or the XSIAM ingestion service. Used for deduplication and event correlation tracking. |