This article describes the log format that OGO sends when you activate the Log Export feature.
{
"@version": "1", // Internal log export configuration version
"ogoVersion": "1", // Internal log export configuration version, only present for Microsoft Sentinel v2
"requestInfo": { // Request meta data
"scheme": "https", // Scheme: http or https
"method": "GET", // Request method
"protocol": "HTTP/2.0", // Request protocol
"content-size": "0", // Request body content-size (sent as a string)
"query-string": "some_query=...", // Raw query string
"request-uri": "/some-vulnerable-path" // Request path (without the query string)
},
"countryCode": "FR", // Two-letter ISO country code
"geoIp": {
"countryCode":"FR",
"cityName":"Paris",
"latitude":"48.844",
"longitude":"2.408"
},
"responseHeaders": { // Response headers
"content-encoding": "gzip",
"content-type": "text/html; charset=UTF-8",
...
},
"tlsCipher": "TLS_AES_128_GCM_SHA256", // TLS cipher suite used
"responseCode": 200, // HTTP status code returned by the origin server
"clientIP": "1.1.1.1", // Client IP address
"requestHeaders": { // Request headers
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36",
"x-forwarded-for": [
"1.1.1.1"
],
"host": "example.com",
...
},
"tlsVersion": "1.3", // TLS Version
"serviceAddr": "2.2.2.2", // Origin server IP address
"requestUrl": "https://example.com/some-vulnerable-page?some_query=...", // Full request URL, including the query string
"ogo": { // OGO Actions
"whitelistedIp": "false", // Whether the client IP is whitelisted (string "true"/"false")
"blocked": "false", // Whether the request was blocked (string "true"/"false")
"driveUid": "45B5F128B47C4AD494DB7F8B0D1D539D", // UID of the strongest-belief drive that reacted to the request
"driveLabel": "Command Injection - Bash", // Label (translation) of the strongest-belief drive
"dryRun": "false", // Whether audit (dry-run) mode is active (string "true"/"false")
"geoBlocked": "false", // Whether the client's country is geo-blocked (string "true"/"false")
"appliedAction": "brain", // OGO action: brain (analyzed), bypass (not analyzed) or denied (blocked by an access-control rule)
"credibility": 51000 // Credibility rating of the request, between 0 and 100,000; the IP is temporarily banned when it drops below the acceptability threshold
},
"site": "example.com", // Normalized FQDN
"clusterId": "163.172.105.73", // Cluster UID
"responseTimeMs": 112, // Origin server response time as measured by OGO, in milliseconds
"responseContentSize": 34143, // Response body content-size
"timestamp": 1657875209811, // Unix epoch timestamp in milliseconds
"TimeGenerated": "2024-04-24T01:08:02.491Z", // ISO 8601 form of timestamp, only present for Microsoft Sentinel v2
"requestBody": "..." // Only present when a drive was detected in the request body
}