{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "EventDataPayload", "description": "The payload structure for pre-normalized event data ingestion directly into the XSIAM data lake. Contains all required routing metadata plus the normalized event content for direct dataset indexing. Note that this schema validates structure and types only; it does not verify that the named dataset exists or that the caller is authorized for the named tenant, which the ingestion service must enforce separately.\n", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/cortex-xsiam-data-ingestion-event-data-payload-schema.json", "type": "object", "properties": { "dataset": { "type": "string", "description": "The target XSIAM dataset name for direct indexing. Must match an existing dataset schema in the XSIAM data lake; this schema only checks that the value is a string, so the ingestion service is responsible for rejecting names that do not resolve to an existing dataset.\n", "example": "authentication_events" }, "vendor": { "type": "string", "description": "The vendor that produced the source event data.\n", "example": "Microsoft" }, "product": { "type": "string", "description": "The product that generated the source event.\n", "example": "Active Directory" }, "log_type": { "type": "string", "description": "The log type or event category identifier used to select the schema during indexing.\n", "example": "authentication" }, "raw_log": { "type": "string", "description": "The original raw event content from the source system, preserved verbatim alongside the normalized fields for audit and reprocessing. Consumers should treat it as untrusted, unparsed text (it may contain embedded JSON, markup or control characters) and escape it appropriately before rendering or re-parsing.\n", "example": "{\"EventID\":4625,\"AccountName\":\"jsmith\",...}" }, "timestamp": { "type": "string", "format": "date-time", "description": "The ISO 8601 / RFC 3339 date-time string indicating when the original event occurred at the source system; a timezone designator (Z or an offset) should always be included. Because JSON Schema treats \"format\" as an annotation by default, validators must opt in to format assertion for this constraint to be enforced.\n", "example": "2024-01-15T10:28:00.000Z" }, "tenant_id": { "type": "string", "description": "The XSIAM tenant identifier for multi-tenant data routing. Since this value is supplied by the caller, the ingestion service should verify that it matches the tenant the caller is authenticated for rather than relying on it alone to route data.\n", "example": "xsiam-tenant-001" }, "event_id": { "type": "string", "description": "A unique identifier for this event record, used for deduplication and as a correlation reference. It is expected to be unique within the target dataset so that repeated submissions can be discarded.\n", "example": "evt-20240115-102800-002" } }, "required": [ "dataset", "vendor", "product", "log_type", "raw_log", "timestamp", 
"tenant_id", "event_id" ] }