Palo Alto Networks · Schema
EventDataPayload
The payload structure for pre-normalized event data ingestion directly into the XSIAM data lake. Contains all required routing metadata plus the normalized event content for direct dataset indexing.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
| dataset | string | The target XSIAM dataset name for direct indexing. Must match an existing dataset schema in the XSIAM data lake. |
| vendor | string | The vendor that produced the source event data. |
| product | string | The product that generated the source event. |
| log_type | string | The log type or event category identifier for schema selection during indexing. |
| raw_log | string | The original raw event content from the source system, preserved alongside normalized fields for audit and reprocessing purposes. |
| timestamp | string | The ISO 8601 date-time string indicating when the original event occurred at the source system. |
| tenant_id | string | The XSIAM tenant identifier for multi-tenant data routing. |
| event_id | string | A unique identifier for this event record used for deduplication and correlation reference. |
JSON Schema

```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "EventDataPayload",
  "description": "The payload structure for pre-normalized event data ingestion directly into the XSIAM data lake. Contains all required routing metadata plus the normalized event content for direct dataset indexing.\n",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsiam-data-ingestion-event-data-payload-schema.json",
  "type": "object",
  "properties": {
    "dataset": {
      "type": "string",
      "description": "The target XSIAM dataset name for direct indexing. Must match an existing dataset schema in the XSIAM data lake.\n",
      "example": "authentication_events"
    },
    "vendor": {
      "type": "string",
      "description": "The vendor that produced the source event data.\n",
      "example": "Microsoft"
    },
    "product": {
      "type": "string",
      "description": "The product that generated the source event.\n",
      "example": "Active Directory"
    },
    "log_type": {
      "type": "string",
      "description": "The log type or event category identifier for schema selection during indexing.\n",
      "example": "authentication"
    },
    "raw_log": {
      "type": "string",
      "description": "The original raw event content from the source system, preserved alongside normalized fields for audit and reprocessing purposes.\n",
      "example": "{\"EventID\":4625,\"AccountName\":\"jsmith\",...}"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "description": "The ISO 8601 date-time string indicating when the original event occurred at the source system.\n",
      "example": "2024-01-15T10:28:00.000Z"
    },
    "tenant_id": {
      "type": "string",
      "description": "The XSIAM tenant identifier for multi-tenant data routing.\n",
      "example": "xsiam-tenant-001"
    },
    "event_id": {
      "type": "string",
      "description": "A unique identifier for this event record used for deduplication and correlation reference.\n",
      "example": "evt-20240115-102800-002"
    }
  },
  "required": [
    "dataset",
    "vendor",
    "product",
    "log_type",
    "raw_log",
    "timestamp",
    "tenant_id",
    "event_id"
  ]
}
```