{
  "@version": "1", // Internal log export configuration version
  "ogoVersion": "1", // Internal log export configuration version, only present for Microsoft Sentinel v2
  "requestInfo": { // Request meta data
    "scheme": "https", // Scheme: http or https
    "method": "GET", // Request method
    "protocol": "HTTP/2.0", // Request protocol
    "content-size": "0", // Request body content-size
    "query-string": "some_query=...", // Query parameters
    "request-uri": "/some-vulnerable-path" // Path (without query parameters)
  },
  "countryCode": "FR", // Country code (ISO 3166-1 alpha-2)
  "geoIp": {
    "countryCode":"FR",
    "cityName":"Paris",
    "latitude":"48.844", 
    "longitude":"2.408"
  },
  "responseHeaders": { // Response headers
    "content-encoding": "gzip",
    "content-type": "text/html; charset=UTF-8",
    ...
  },
  "tlsCipher": "TLS_AES_128_GCM_SHA256", // Used TLS Cipher
  "responseCode": 200, // Origin server response code
  "clientIP": "1.1.1.1", // Client IP
  "requestHeaders": { // Request headers
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36",
    "x-forwarded-for": [
      "1.1.1.1"
    ],
    "host": "example.com",
    ...
  },
  "tlsVersion": "1.3", // TLS version
  "serviceAddr": "2.2.2.2", // Origin server IP address
  "requestUrl": "https://example.com/some-vulnerable-page?some_query=...", // Full URL
  "ogo": { // OGO Actions
    "whitelistedIp": "false", // Whether the client IP is on the allowlist (encoded as the string "true"/"false", not a JSON boolean; blocked, dryRun and geoBlocked use the same encoding)
    "blocked": "false", // Whether the request was blocked
    "driveUid": "45B5F128B47C4AD494DB7F8B0D1D539D", // UID of the highest-confidence drive that reacted to the request
    "driveLabel": "Command Injection - Bash", // Human-readable label of the highest-confidence drive
    "dryRun": "false", // Whether the site is in audit mode (actions are logged, not enforced)
    "geoBlocked": "false", // Whether the client's country is geoblocked
    "appliedAction": "brain", // OGO action, one of: brain (analyzed) / bypass (not analyzed) / denied (blocked by an access control rule)
    "credibility": 51000 // Credibility rating of the request, between 0 and 100,000; the client IP is temporarily banned when it drops below the acceptability threshold
  },
  "site": "example.com", // Normalized FQDN
  "clusterId": "163.172.105.73", // Cluster UID
  "responseTimeMs": 112, // Response time between OGO and the origin server, in milliseconds
  "responseContentSize": 34143, // Body response content-size
  "timestamp": 1657875209811, // Epoch timestamp in milliseconds
  "TimeGenerated": "2024-04-24T01:08:02.491Z", // ISO 8601 form of timestamp, only present for Microsoft Sentinel v2
  "requestBody": "..." // Only present when a drive was detected in the request body
}