
Add session info to all raw events and unify the data type of the time field #527

@syncpark

Description

Summary

We're currently working on improving the structure of protocol events generated by Sensor.
Events generated by Semi-supervised & Unsupervised engines also require the same modifications as raw events.
Additionally, this process requires consistent unification of the types of the time-related fields.

Tasks

  • Add packet count and size information, which was only present in the Conn event, to the detection event structures.
    orig_pkts, resp_pkts, orig_l2_bytes, resp_l2_bytes
  • Add a duration (i64 type) field to the detection event structures and store the session duration in this field.
  • The types of the start_time and end_time fields are unified to DateTime<Utc> (or Timestamp when applying Jiff crate).
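One way to implement the three tasks above in a single shared struct, as an added example that is not code from the Sensor project or from this issue's author. It assumes a hypothetical `SessionInfo` struct that both the raw `Conn` event and the detection events embed, a `Timestamp` newtype (nanoseconds since the Unix epoch) standing in for `DateTime<Utc>` or jiff's `Timestamp` so the example runs on the standard library alone, and `duration` stored as `i64` nanoseconds. The `Conn`, `Detection`, `from_conn` and `SessionError` names are illustrative, not the project's.

```rust
// Added example, not Sensor project code. `Timestamp` is a stand-in for
// chrono's `DateTime<Utc>` or jiff's `Timestamp` (assumption: i64 nanoseconds
// since the Unix epoch), used so the example needs no external crate.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Timestamp(pub i64);

impl Timestamp {
    /// Build from whole seconds plus sub-second nanoseconds, refusing values
    /// that do not fit in i64 nanoseconds (roughly +/- 292 years around 1970).
    pub fn from_secs_nanos(secs: i64, nanos: u32) -> Option<Self> {
        secs.checked_mul(1_000_000_000)?
            .checked_add(i64::from(nanos))
            .map(Timestamp)
    }
}

/// Session-level fields that were previously carried only by the Conn event.
/// Embedding this struct in every event keeps the field names and types identical.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SessionInfo {
    pub start_time: Timestamp,
    pub end_time: Timestamp,
    /// end_time - start_time in nanoseconds; never negative when built via `new`.
    pub duration: i64,
    pub orig_pkts: u64,
    pub resp_pkts: u64,
    pub orig_l2_bytes: u64,
    pub resp_l2_bytes: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SessionError {
    /// end_time earlier than start_time: a clock step or a reordered record,
    /// which must not be stored as a session of negative length.
    EndBeforeStart,
    /// The difference does not fit in i64 nanoseconds.
    DurationOverflow,
}

impl SessionInfo {
    /// Derive `duration` from the two timestamps instead of trusting a caller-supplied value.
    pub fn new(
        start_time: Timestamp,
        end_time: Timestamp,
        orig_pkts: u64,
        resp_pkts: u64,
        orig_l2_bytes: u64,
        resp_l2_bytes: u64,
    ) -> Result<Self, SessionError> {
        if end_time < start_time {
            return Err(SessionError::EndBeforeStart);
        }
        let duration = end_time
            .0
            .checked_sub(start_time.0)
            .ok_or(SessionError::DurationOverflow)?;
        Ok(SessionInfo { start_time, end_time, duration, orig_pkts, resp_pkts, orig_l2_bytes, resp_l2_bytes })
    }
}

/// Raw Conn event (hypothetical shape): the origin of the session fields.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Conn {
    pub session: SessionInfo,
    pub proto: u8,
    pub service: String,
}

/// Detection event from a semi-supervised or unsupervised engine (hypothetical shape);
/// it now carries the same session fields as the Conn record it came from.
#[derive(Debug, Clone, PartialEq)]
pub struct Detection {
    pub session: SessionInfo,
    pub engine: String,
    pub score: f64,
}

impl Detection {
    /// Copy the session fields from the Conn record rather than recomputing them,
    /// so raw and detection events never disagree on times, counts or sizes.
    pub fn from_conn(conn: &Conn, engine: &str, score: f64) -> Self {
        Detection { session: conn.session.clone(), engine: engine.to_string(), score }
    }
}

fn main() {
    // Constructed sample session: 3.5 s long, 12/9 packets, 1840/6210 L2 bytes.
    let start = Timestamp::from_secs_nanos(1_700_000_000, 0).unwrap();
    let end = Timestamp::from_secs_nanos(1_700_000_003, 500_000_000).unwrap();
    let session = SessionInfo::new(start, end, 12, 9, 1_840, 6_210).unwrap();
    let conn = Conn { session, proto: 6, service: "http".to_string() };
    let det = Detection::from_conn(&conn, "semi-supervised", 0.91);
    println!("{:?} duration={}ns", det, det.session.duration);
    // A reordered record is rejected instead of yielding a negative duration.
    assert_eq!(SessionInfo::new(end, start, 0, 0, 0, 0), Err(SessionError::EndBeforeStart));
}
```

Computing `duration` inside the constructor rather than accepting it as a field means a serialized event can never carry a `duration` that disagrees with its `start_time`/`end_time`; the `EndBeforeStart` and `DurationOverflow` variants make the two ways that subtraction can go wrong explicit instead of silently storing a negative or wrapped `i64`.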
