Reference · Hadron Core

Total fields: 154 · Groups: 17 · Contract: v1.0 · stable

identity

Identity & Probe Context

Where the signal originated.

8 fields

| Field | Type | Definition |
|---|---|---|
| event_time | string | Event timestamp from the Signal Fabric flow record. |
| organization | string | Organization or tenant label associated with the emitting probe or matched network. |
| probe_name | string | Human-readable probe alias. |
| probe_id | string | Probe identifier exposed to clients. |
| source_id | string | Source identifier associated with the emitter. |
| probe_unid | string | Stable UUID of the probe. |
| probeLat | number | Probe latitude used by geospatial interfaces. |
| probeLon | number | Probe longitude used by geospatial interfaces. |

transport

Transport & Flow Metrics

Layer-3/4 counters and flow state.

12 fields

| Field | Type | Definition |
|---|---|---|
| flow_source_total_l4_payload_length | number | Source-to-destination layer-4 payload bytes for the current flow record. |
| flow_source_packets_processed | number | Source-side packet count for the current flow record. |
| source_port | number | Source port. |
| destination_port | number | Destination port. |
| layer4_protocol | string | Layer-4 protocol such as TCP or UDP. |
| port_src_des | string | Human-readable service description for the source port. |
| port_dat_des | string | Human-readable service description for the destination port. |
| flow_destination_total_l4_payload_length | number | Destination-to-source layer-4 payload bytes. |
| flow_destination_packets_processed | number | Destination-side packet count. |
| flow_id | number | Probe-native flow identifier. |
| layer3_protocol | string | Layer-3 protocol, for example IPv4 or IPv6. |
| flow_state | string | Probe-reported flow state. |

addressing

Addressing & Assets

IPs, CIDRs, and asset names.

15 fields

| Field | Type | Definition |
|---|---|---|
| public_ip | string | Public IP chosen for geo, ASN, and ISP enrichment. |
| luSRC | number | Source-side public-IP lookup flag. |
| luDST | number | Destination-side public-IP lookup flag. |
| ipv4_source_address | string | Source IPv4 address. |
| ipv4_destination_address | string | Destination IPv4 address. |
| source_ip | string | Canonical source IP for downstream use. |
| destination_ip | string | Canonical destination IP for downstream use. |
| ipv4_source_cidr | string | Source IPv4 CIDR-style value used in matching or UI logic. |
| ipv4_destination_cidr | string | Destination IPv4 CIDR-style value. |
| ipv6_source_cidr | string | Source IPv6 CIDR-style value. |
| ipv6_destination_cidr | string | Destination IPv6 CIDR-style value. |
| destination_asset | string\|null | Optional asset name associated with the destination IP. |
| source_asset | string\|null | Optional asset name associated with the source IP. |
| ipv6_source_address | string | Source IPv6 address. |
| ipv6_destination_address | string | Destination IPv6 address. |

geo

Geographic Enrichment

Country, city, and lat/lon for both ends.

9 fields

| Field | Type | Definition |
|---|---|---|
| source_ip_country | string | Source IP country. |
| source_ip_city | string | Source IP city. |
| destination_ip_country | string | Destination IP country. |
| destination_ip_city | string | Destination IP city. |
| src_ip_long | number | Source longitude. |
| src_ip_lat | number | Source latitude. |
| dst_ip_long | number | Destination longitude. |
| dst_ip_lat | number | Destination latitude. |
| dstlatlon | string\|array | Destination latitude-longitude convenience value. |

classification

Protocol, Risk & Classification

nDPI categories and normalized risk.

8 fields

| Field | Type | Definition |
|---|---|---|
| application_protocol | string | nDPI application protocol. |
| risk_type | string | Human-readable risk name. |
| risk_score_total | number | Total normalized risk score. |
| risk_id | number | Risk identifier. |
| risk_severity | string | Human-readable severity label. |
| confidence_id | number | Confidence identifier associated with the classification. |
| category | string | nDPI traffic category. |
| flow_breed | string | nDPI breed or family classification. |

domain

Domain & Host

Raw and normalized hostnames.

4 fields

| Field | Type | Definition |
|---|---|---|
| domain_name | string | Raw domain value. |
| host_name | string | Raw host name value. |
| host_name_norm | string | Normalized host name for matching. |
| domain_name_norm | string | Normalized domain value for matching or suppression. |

http

HTTP

Observed application-layer detail.

5 fields

| Field | Type | Definition |
|---|---|---|
| http_url | string | Observed HTTP URL. |
| http_code | number | HTTP status code. |
| http_content_type | string | HTTP content type. |
| http_user_agent | string | HTTP user-agent string. |
| http_detected_os | string | OS inferred from the user-agent. |

tls

TLS

Versions, ciphers, certs, and JA fingerprints.

9 fields

| Field | Type | Definition |
|---|---|---|
| tls_version | string | TLS version. |
| tls_cipher | string | TLS cipher. |
| tls_unsafe_cipher | number | Unsafe-cipher flag. |
| tls_server_names | string | TLS server-name content. |
| tls_certificate_issuer_dn | string | TLS certificate issuer distinguished name. |
| tls_certificate_subject_dn | string | TLS certificate subject distinguished name. |
| tls_ja3_fingerprint | string | JA3 fingerprint. |
| tls_ja3s_fingerprint | string | JA3S fingerprint. |
| tls_ja4_fingerprint | string | JA4 fingerprint. |

dns

DNS

Query and response detail.

9 fields

| Field | Type | Definition |
|---|---|---|
| dns_number_of_queries | number | Number of DNS queries. |
| dns_number_of_answers | number | Number of DNS answers. |
| dns_reply_code | number | DNS reply code. |
| dns_query_type | number | DNS query type. |
| dns_response_type | number | DNS response type. |
| dns_response_address_0 | string | First DNS response address. |
| dns_response_address_1 | string | Second DNS response address. |
| dns_response_address_2 | string | Third DNS response address. |
| dns_response_address_3 | string | Fourth DNS response address. |

cumulative

Cumulative Counters & Pair Metrics

Running totals per side and pair.

10 fields

| Field | Type | Definition |
|---|---|---|
| source_ip_cumulative_occurrences | number | Running source-side occurrence count. |
| destination_ip_cumulative_occurrences | number | Running destination-side occurrence count. |
| source_ip_cumulative_bytes | number | Running source-side bytes. |
| destination_ip_cumulative_bytes | number | Running destination-side bytes. |
| source_ip_cumulative_packets | number | Running source-side packets. |
| destination_ip_cumulative_duration | number | Running destination-side duration. |
| pair_ip_cumulative_bytes | number | Pair-level cumulative bytes. |
| pair_ip_cumulative_packets | number | Pair-level cumulative packets. |
| pair_ip_cumulative_occurrences | number | Pair-level cumulative occurrences. |
| pair_ip_cumulative_duration | number | Pair-level cumulative duration. |

tip

Global TIP Summary

Threat-intel match summary across enrichers.

10 fields

| Field | Type | Definition |
|---|---|---|
| tip_hit | number\|bool | Whether any TIP enrichment matched the record. |
| tip_hit_count | number | Count of TIP hits. |
| tip_hit_types | array\|string | Summary of matched TIP classes. |
| tip_hit_max_severity_bp | number | Maximum TIP severity in basis points. |
| tip_hit_max_confidence_bp | number | Maximum TIP confidence in basis points. |
| tip_best_type | string | Highest-priority TIP type. |
| tip_best_value | string | Highest-priority TIP value. |
| tip_best_source_primary | string | Primary source for the best TIP match. |
| tip_best_severity_bp | number | Best-match severity in basis points. |
| tip_best_confidence_bp | number | Best-match confidence in basis points. |

tip-src

Source IP TIP Enrichment

Per-source threat enrichment.

8 fields

| Field | Type | Definition |
|---|---|---|
| threat_indicator_ip_source | number | Source IP threat-indicator flag. |
| tip_ip_source_risk_score_bp | number | Source IP TIP risk score. |
| tip_ip_source_risk_level | string | Source IP TIP risk label. |
| tip_ip_source_conf_level | string | Source IP TIP confidence label. |
| tip_ip_source_conf_score_bp | number | Source IP TIP confidence score. |
| tip_ip_source_categories | array | Source IP TIP categories. |
| tip_ip_source_sources | array | Source IP TIP sources. |
| tip_ip_source_source_primary | string | Primary source IP TIP source. |

tip-dst

Destination IP TIP Enrichment

Per-destination threat enrichment.

8 fields

| Field | Type | Definition |
|---|---|---|
| indicator_ip_destination | number | Destination IP threat-indicator flag. |
| tip_ip_destination_risk_score_bp | number | Destination IP TIP risk score. |
| tip_ip_destination_risk_level | string | Destination IP TIP risk label. |
| tip_ip_destination_conf_level | string | Destination IP TIP confidence label. |
| tip_ip_destination_conf_score_bp | number | Destination IP TIP confidence score. |
| tip_ip_destination_categories | array | Destination IP TIP categories. |
| tip_ip_destination_sources | array | Destination IP TIP sources. |
| tip_ip_destination_source_primary | string | Primary destination IP TIP source. |

tip-domain

Domain TIP Enrichment

Domain-level threat enrichment.

11 fields

| Field | Type | Definition |
|---|---|---|
| threat_indicator_domain | number | Domain threat-indicator flag. |
| tip_domain_registered | string\|null | Registered domain used for TIP matching. |
| tip_domain_risk_score_bp | number | Domain TIP risk score. |
| tip_domain_risk_level | string | Domain TIP risk label. |
| tip_domain_conf_level | string | Domain TIP confidence label. |
| tip_domain_conf_score_bp | number | Domain TIP confidence score. |
| tip_domain_categories | array | Domain TIP categories. |
| tip_domain_sources | array | Domain TIP sources. |
| tip_domain_source_primary | string | Primary domain TIP source. |
| tip_domain_sample_count | number | Number of domain samples. |
| tip_domain_samples | array | Domain sample values. |

tip-ja4

JA4 TIP Enrichment

JA4 fingerprint threat enrichment.

8 fields

| Field | Type | Definition |
|---|---|---|
| ja4T | number | JA4 threat-indicator hit flag. |
| tip_ja4_risk_score_bp | number | JA4 TIP risk score. |
| tip_ja4_risk_level | string | JA4 TIP risk label. |
| tip_ja4_conf_level | string | JA4 TIP confidence label. |
| tip_ja4_conf_score_bp | number | JA4 TIP confidence score. |
| tip_ja4_categories | array | JA4 TIP categories. |
| tip_ja4_sources | array | JA4 TIP sources. |
| tip_ja4_source_primary | string | Primary JA4 TIP source. |

analytic

Analytic Flags & ASN

Heuristic flags, ASN, ISP context.

12 fields

| Field | Type | Definition |
|---|---|---|
| threat_indicator_exfiltration | number | Exfiltration heuristic flag. |
| ffT | number | Fast-flux indicator flag. |
| source_asn_number | number | Source ASN number. |
| source_asn_org | string | Source ASN organization. |
| source_isp | string | Source ISP. |
| source_asn_company | string | Source ASN company or organization label. |
| destination_asn_number | number | Destination ASN number. |
| destination_asn_org | string | Destination ASN organization. |
| destination_isp | string | Destination ISP. |
| destination_asn_company | string | Destination ASN company or organization label. |
| is_anomaly_positive | string\|number | ML anomaly-positive output. |
| record_unique_id | string | Unique event identifier generated by Hadron. |

ui

UI Counters & Rendering

Counters useful for live dashboards.

8 fields

| Field | Type | Definition |
|---|---|---|
| enrvioip | number | Count of IP threat-enrichment objects loaded. |
| enrviodom | number | Count of domain threat-enrichment objects loaded. |
| enrvioja4 | number | Count of JA4 threat-enrichment objects loaded. |
| totalGeoflows | number | Rolling count of flows considered for geo coverage. |
| flowsWithGeo | number | Rolling count of flows with usable geo coordinates. |
| bar_total_flows | number | Total flows for progress bar logic. |
| bar_risky_flows_100 | number | Risky flows for progress bar logic. |
| bar_risk_fraction_100 | number | Fraction used to position the progress indicator. |

Built a useful projection?

Most teams use 30–60 fields per app. Send us yours — we publish notable projections in the showcase.