4. Event Logs Format

Logs Data

Parameter          | Format            | Detail
-------------------|-------------------|------------------------------------------------------------------------------------------------------
<event_time>       | %Y/%m/%d %H:%M:%S | Time on the system running pyrasp
<application_name> | string            | Value of the APP_NAME parameter
<event_type>       | string            |
<source_ip>        | string            | IP address of the attack source
<country>          | string            | Country of the source address ("Private" if internal network); requires the RESOLVE_COUNTRY option to be set
<location>         | string            |
<payload>          | string            | Suspicious payload (base64 encoded)
<code>             | list of strings   |
<action>           | integer           |
<engine>           | string            | XSS or SQL Injection engine that made the detection
<score>            | float             | Machine Learning engine probability (from 0 to 1)

JSON Logs

{
    "time": "<event_time>",
    "application": "<application_name>",
    "log_data": [
        "<event_type>", 
        "<source_ip>", 
        "<country>",
        {
            "location": "<location>",
            "payload": "<payload>",
            "codes": "<codes>",
            "action": "<action>",
            "engine": "<engine>",
            "score": "<machine_learning_score>"
        }
    ]
}

Syslog Logs

[<event_time>] "<application_name>" - "<event_type>" - "<source_ip>" - "<country>" - "<location>:<payload>", "<mitre_code> - <pcb_code>", "<action>"
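The two layouts above are easy to confuse when writing SIEM parsers: the JSON document carries the engine name and the Machine Learning score, while the syslog line carries only the location, the base64 payload, the "<mitre_code> - <pcb_code>" pair and the action. The following parser is an added example, not pyrasp's own code; it normalises both layouts into one record, decodes the base64 payload, tolerates the action and score arriving quoted or unquoted, and drops the "-" placeholder used when no MITRE code applies. The application name, timestamp, IP addresses and payload in the sample entries are constructed for the example.

```python
"""Parser for the pyrasp JSON and syslog event-log layouts (added example,
not pyrasp's own code). Sample log entries at the bottom are constructed."""
import base64
import binascii
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"   # <event_time> format from the Logs Data table

# Values of <event_type> listed in the Attack Types table
KNOWN_EVENT_TYPES = {
    "blacklist", "path", "flood", "spoofing", "decoy", "format", "sqli",
    "xss", "hpp", "command", "headers", "dlp", "brute", "ztaa",
}


@dataclass
class Event:
    time: datetime
    application: str
    event_type: str
    source_ip: str
    country: str
    location: str
    payload: str                                   # base64-decoded <payload>
    codes: List[str] = field(default_factory=list)  # MITRE / PCB codes, "-" dropped
    action: Optional[int] = None
    engine: Optional[str] = None                   # JSON layout only
    score: Optional[float] = None                  # JSON layout only

    def known_type(self) -> bool:
        """True when <event_type> is one of the documented attack types."""
        return self.event_type in KNOWN_EVENT_TYPES


def decode_payload(encoded: str) -> str:
    """Decode the base64 <payload>; return the raw text if it is not valid base64."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return encoded


def _optional(value, cast):
    """Coerce a field that may arrive quoted ("1"), unquoted (1) or missing."""
    return None if value is None or value == "" else cast(value)


def parse_json_log(text: str) -> Event:
    """Parse one JSON log document (the "JSON Logs" layout)."""
    doc = json.loads(text)
    event_type, source_ip, country, detail = doc["log_data"]
    codes = detail.get("codes", [])
    if isinstance(codes, str):          # tolerate "<mitre> - <pcb>" written as one string
        codes = codes.split(" - ")
    return Event(
        time=datetime.strptime(doc["time"], TIME_FORMAT),
        application=doc["application"], event_type=event_type,
        source_ip=source_ip, country=country, location=detail["location"],
        payload=decode_payload(detail["payload"]),
        codes=[c for c in codes if c != "-"],
        action=_optional(detail.get("action"), int),
        engine=_optional(detail.get("engine"), str),
        score=_optional(detail.get("score"), float),
    )


# "Syslog Logs" layout: [<time>] "<app>" - "<type>" - "<ip>" - "<country>" -
# "<location>:<payload>", "<mitre> - <pcb>", "<action>"
SYSLOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<app>[^"]*)" - "(?P<type>[^"]*)" - "(?P<ip>[^"]*)"'
    r' - "(?P<country>[^"]*)" - "(?P<location>[^:"]*):(?P<payload>[^"]*)",'
    r' "(?P<mitre>[^"]*?) - (?P<pcb>[^"]*)", "(?P<action>[^"]*)"$'
)


def parse_syslog_line(line: str) -> Event:
    """Parse one syslog line; raise ValueError if it does not match the layout."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match the pyrasp syslog layout")
    return Event(
        time=datetime.strptime(m["time"], TIME_FORMAT),
        application=m["app"], event_type=m["type"], source_ip=m["ip"],
        country=m["country"], location=m["location"],
        payload=decode_payload(m["payload"]),
        codes=[c for c in (m["mitre"], m["pcb"]) if c != "-"],
        action=_optional(m["action"], int),
    )


# Constructed sample entries (not real pyrasp output)
_PAYLOAD = base64.b64encode(b"<script>alert(1)</script>").decode()
SAMPLE_JSON_LOG = json.dumps({
    "time": "2024/01/15 10:22:31", "application": "demo-app",
    "log_data": ["xss", "198.51.100.23", "Private", {
        "location": "qs_values", "payload": _PAYLOAD,
        "codes": ["T1059.007", "PCB007"], "action": "1",
        "engine": "ML", "score": 0.93}],
})
SAMPLE_SYSLOG_LINE = (
    '[2024/01/15 10:22:31] "demo-app" - "xss" - "198.51.100.23" - "Private"'
    ' - "qs_values:PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==", "T1059.007 - PCB007", "1"'
)
```

A detection rule that keys on the Machine Learning score must consume the JSON output, since the syslog layout does not carry engine or score; the syslog parser leaves both fields as None rather than guessing. Lines that do not match the syslog layout raise ValueError, so a collector can count them separately instead of silently dropping events.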

Attack Types

Value     | Attack Type
----------|------------------------------
blacklist | Blacklisted IP
path      | Invalid Path
flood     | Flood
spoofing  | Host Spoofing
decoy     | Decoyed Request
format    | Format Mismatch
sqli      | SQL Injection
xss       | XSS
hpp       | Parameter Pollution
command   | Command Injection
headers   | Forbidden Header
dlp       | Data Leak Prevention
brute     | Brute Force
ztaa      | Zero-Trust Application Access

Payload Locations

Value           | Location
----------------|----------------------------
source_ip       | Source IP
request         | Request path or method
path            | Request path
host            | "Host" header
headers_names   | Request header name
headers_values  | Request header value
cookies         | Cookies
user_agent      | "User-Agent" header
referer         | "Referer" header
qs_variables    | Query String variable name
qs_values       | Query String value
post_variables  | Posted data variable name
post_values     | Posted data value
json_keys       | JSON key name
json_values     | JSON key value
content         | Response content
ztaa_jwt        | ZTAA header
browser_version | Client browser version

Attack Codes Mapping

Attack Type                   | MITRE ATT&CK | PCB
------------------------------|--------------|-------
Blacklisted IP                | -            | PCB000
Invalid Path                  | T1592.002    | PCB001
Flood                         | T1498        | PCB002
Host Spoofing                 | T1594        | PCB003
Decoyed Request               | T1592.002    | PCB004
Format Mismatch               | -            | PCB005
SQL Injection                 | T1111        | PCB006
XSS                           | T1059.007    | PCB007
Parameter Pollution           | T1211        | PCB008
Command Injection             | T1059        | PCB009
Forbidden Header              | -            | PCB010
Data Leak Prevention          | T1052        | PCB011
Brute Force                   | T1110        | PCB012
Zero-Trust Application Access | -            | PCB013
