CybrIQ for government — sample syslog event payloads
=====================================================

Format: RFC 5424. Facility 16 (local0) by default; configurable.
Severity 4 (warning) for identification events; 1 (alert) for covered-entity matches.
Each event carries a STRUCTURED-DATA element containing CybrIQ-specific fields.

The samples below show what an agency's SIEM will receive. Vendor names, MACs, and
agency identifiers are synthetic. Real events include the actual values.

----------------------------------------------------------------------
1) Routine device-identification event — a new device appears on a port
----------------------------------------------------------------------

<134>1 2026-05-14T09:23:11.247Z gov-ese-01 cybriq 12347 ID-NEW [cybriq@99999 device-dna="d4f8a72c1b3e9..." vendor="Cisco" model-class="Catalyst 2960" confidence="0.94" port="GigabitEthernet1/0/14" switch="agency-core-02" vlan="270" mac="00:1a:a0:5b:8c:d4" first-seen="2026-05-14T09:23:11Z" authorized="true" supports-controls="CM-8 CM-8(2) CSF-ID.AM-1"] Device identified: Cisco Catalyst 2960 on switch agency-core-02 port Gi1/0/14 VLAN 270.

----------------------------------------------------------------------
2) Covered-entity match — NDAA Section 889 detection
----------------------------------------------------------------------

<129>1 2026-05-14T09:24:38.512Z gov-ese-01 cybriq 12347 ID-COVERED [cybriq@99999 device-dna="a91b3f7e2d4c8..." vendor="Hikvision" vendor-relabeled-as="AcmeCorp" model-class="IP Camera (Hikvision DS-2CD2x family)" confidence="0.91" port="GigabitEthernet2/0/22" switch="agency-bldg-c-04" vlan="811" mac="bc:ad:28:9f:e2:14" first-seen="2026-05-14T09:24:38Z" authorized="false" covered-mandate="NDAA-889(a)(1)(B)" supports-controls="SR-3 SR-11 PM-30 FAR-52.204-25"] Covered-entity device identified: Hikvision IP camera on switch agency-bldg-c-04 port Gi2/0/22. Device chassis is relabeled as 'AcmeCorp' — switch-side signal set matches Hikvision firmware signature. NDAA Section 889(a)(1)(B) detection event.

----------------------------------------------------------------------
3) Authorization-list deviation — unknown device on a port
----------------------------------------------------------------------

<132>1 2026-05-14T09:31:02.819Z gov-ese-01 cybriq 12347 ID-DEVIATE [cybriq@99999 device-dna="f72ad9c4e8b1..." vendor="Unknown" model-class="USB-to-Ethernet bridge" confidence="0.62" port="GigabitEthernet1/0/03" switch="agency-conf-01" vlan="42" mac="aa:55:cc:11:33:44" first-seen="2026-05-14T09:31:02Z" authorized="false" deviation-type="not-on-authorized-list" supports-controls="CM-8(3) CSF-DE.CM-7"] Authorization-list deviation: device not on the authorized-hardware list. Low confidence identification — recommend follow-up walkthrough.

----------------------------------------------------------------------
4) Device removal — port goes empty
----------------------------------------------------------------------

<135>1 2026-05-14T09:42:15.103Z gov-ese-01 cybriq 12347 ID-REMOVE [cybriq@99999 device-dna="d4f8a72c1b3e9..." vendor="Cisco" model-class="Catalyst 2960" port="GigabitEthernet1/0/14" switch="agency-core-02" vlan="270" mac="00:1a:a0:5b:8c:d4" last-seen="2026-05-14T09:42:15Z" duration-sec="1144"] Device removed from switch. Final identification: Cisco Catalyst 2960. Duration on port: 19 minutes 4 seconds.

----------------------------------------------------------------------
5) USB-protection event (optional endpoint agent only) — HID-spoofer insertion
----------------------------------------------------------------------

<129>1 2026-05-14T11:14:42.882Z agency-wks-0214 cybriq-usb 9942 USB-HIDSPOOF [cybriq@99999 workstation-host="agency-wks-0214" usb-vid="0x1234" usb-pid="0x4567" device-class="HID (keyboard)" device-name-claimed="Generic Keyboard" signature-match="rubber-ducky-family" insertion-time="2026-05-14T11:14:42Z" supports-controls="MP-7 AC-19 NIST-800-171-3.8.7"] HID-spoofing device detected on workstation agency-wks-0214. Device claims to be a generic keyboard; USB descriptor matches the Rubber Ducky family. Insertion event.

----------------------------------------------------------------------
Notes for SIEM integration
----------------------------------------------------------------------

- All events carry a structured-data element with the SD-ID "cybriq@99999".
- The "supports-controls" field lists the NIST 800-53 / CSF controls the event is
  evidence for; many SIEM correlation rules pivot on this.
- Confidence is 0.00 to 1.00. Default threshold for action is 0.65; tunable.
- Covered-entity events use syslog severity 1 (alert) to ensure routing priority.
- Field names are stable across CybrIQ versions. Backward compatibility is maintained.
- For Splunk Cloud for Government: a curated TA (technology add-on) is available;
  request it via the briefing call.
- For Microsoft Sentinel for Government: a sample KQL detection set is available on request.
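The following parser is an added example, not CybrIQ's code or a vendor-supplied add-on. It splits an RFC 5424 line into PRI (facility and severity), header, the cybriq@99999 STRUCTURED-DATA element (honouring the backslash escapes RFC 5424 allows inside SD-PARAM values) and the free-text MSG, then applies the integration notes above: pivot on "supports-controls", gate on the 0.65 confidence default, and route severity-1 events first. The triage queues ("priority", "review", "deviation", "inventory") and the decision to leave confidence-less events ungated are assumptions chosen for the example; the sample lines are copies of the synthetic events shown on this page.

```python
"""Parse CybrIQ RFC 5424 events and apply the SIEM-integration notes.

Added example (not CybrIQ's code). Assumes the event shape shown in the samples:
SD-ID cybriq@99999 with confidence / authorized / supports-controls fields.
"""
import re
from dataclasses import dataclass, field

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.S,
)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; values may escape ", ] and \ with a backslash.
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^=\s\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

CYBRIQ_SDID = "cybriq@99999"
DEFAULT_THRESHOLD = 0.65  # the page's default action threshold (tunable)

# Constructed sample input: the synthetic events from this page, one per line.
SAMPLES = [
    '<134>1 2026-05-14T09:23:11.247Z gov-ese-01 cybriq 12347 ID-NEW [cybriq@99999 device-dna="d4f8a72c1b3e9..." vendor="Cisco" model-class="Catalyst 2960" confidence="0.94" port="GigabitEthernet1/0/14" switch="agency-core-02" vlan="270" mac="00:1a:a0:5b:8c:d4" first-seen="2026-05-14T09:23:11Z" authorized="true" supports-controls="CM-8 CM-8(2) CSF-ID.AM-1"] Device identified: Cisco Catalyst 2960 on switch agency-core-02 port Gi1/0/14 VLAN 270.',
    '<129>1 2026-05-14T09:24:38.512Z gov-ese-01 cybriq 12347 ID-COVERED [cybriq@99999 device-dna="a91b3f7e2d4c8..." vendor="Hikvision" vendor-relabeled-as="AcmeCorp" model-class="IP Camera (Hikvision DS-2CD2x family)" confidence="0.91" port="GigabitEthernet2/0/22" switch="agency-bldg-c-04" vlan="811" mac="bc:ad:28:9f:e2:14" first-seen="2026-05-14T09:24:38Z" authorized="false" covered-mandate="NDAA-889(a)(1)(B)" supports-controls="SR-3 SR-11 PM-30 FAR-52.204-25"] Covered-entity device identified: Hikvision IP camera on switch agency-bldg-c-04 port Gi2/0/22.',
    '<132>1 2026-05-14T09:31:02.819Z gov-ese-01 cybriq 12347 ID-DEVIATE [cybriq@99999 device-dna="f72ad9c4e8b1..." vendor="Unknown" model-class="USB-to-Ethernet bridge" confidence="0.62" port="GigabitEthernet1/0/03" switch="agency-conf-01" vlan="42" mac="aa:55:cc:11:33:44" first-seen="2026-05-14T09:31:02Z" authorized="false" deviation-type="not-on-authorized-list" supports-controls="CM-8(3) CSF-DE.CM-7"] Authorization-list deviation: device not on the authorized-hardware list.',
    '<135>1 2026-05-14T09:42:15.103Z gov-ese-01 cybriq 12347 ID-REMOVE [cybriq@99999 device-dna="d4f8a72c1b3e9..." vendor="Cisco" model-class="Catalyst 2960" port="GigabitEthernet1/0/14" switch="agency-core-02" vlan="270" mac="00:1a:a0:5b:8c:d4" last-seen="2026-05-14T09:42:15Z" duration-sec="1144"] Device removed from switch. Final identification: Cisco Catalyst 2960.',
    '<129>1 2026-05-14T11:14:42.882Z agency-wks-0214 cybriq-usb 9942 USB-HIDSPOOF [cybriq@99999 workstation-host="agency-wks-0214" usb-vid="0x1234" usb-pid="0x4567" device-class="HID (keyboard)" device-name-claimed="Generic Keyboard" signature-match="rubber-ducky-family" insertion-time="2026-05-14T11:14:42Z" supports-controls="MP-7 AC-19 NIST-800-171-3.8.7"] HID-spoofing device detected on workstation agency-wks-0214.',
]


@dataclass
class CybriqEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msgid: str
    fields: dict = field(default_factory=dict)  # SD-PARAMs of the cybriq@99999 element
    msg: str = ""


def _unescape(value):
    """Undo the RFC 5424 SD-PARAM escapes: \\" \\] \\\\ -> " ] \\."""
    return re.sub(r'\\([\]"\\])', r"\1", value)


def parse_event(line):
    """Parse one RFC 5424 line; raises ValueError on a malformed header or SD block."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    rest, pos, sd = m["rest"], 0, {}
    if rest.startswith("-"):  # NILVALUE: no structured data
        pos = 1
    else:
        while pos < len(rest) and rest[pos] == "[":
            em = SD_ELEMENT_RE.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
            sd[em["sdid"]] = {p["name"]: _unescape(p["value"])
                              for p in SD_PARAM_RE.finditer(em["params"])}
            pos = em.end()
    return CybriqEvent(facility, severity, m["ts"], m["host"], m["app"], m["msgid"],
                       sd.get(CYBRIQ_SDID, {}), rest[pos:].lstrip(" "))


def confidence(ev):
    """Confidence as a float, or None for events that carry none (e.g. USB events)."""
    c = ev.fields.get("confidence")
    return float(c) if c is not None else None


def meets_threshold(ev, threshold=DEFAULT_THRESHOLD):
    # Assumption: an event with no confidence field is not gated by the threshold.
    c = confidence(ev)
    return c is None or c >= threshold


def controls(ev):
    """The NIST 800-53 / CSF control identifiers this event is evidence for."""
    return set(ev.fields.get("supports-controls", "").split())


def triage(ev, threshold=DEFAULT_THRESHOLD):
    """Assumed queue policy derived from the notes: severity first, then confidence."""
    if ev.severity <= 1:            # alert: covered-entity match or HID-spoof insertion
        return "priority"
    if not meets_threshold(ev, threshold):
        return "review"             # below the action threshold: follow-up walkthrough
    if ev.fields.get("authorized") == "false":
        return "deviation"
    return "inventory"


def summarize(lines, threshold=DEFAULT_THRESHOLD):
    """Group a batch of raw lines by triage queue, keyed queue -> list of MSGIDs."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        out.setdefault(triage(ev, threshold), []).append(ev.msgid)
    return out


if __name__ == "__main__":
    for queue, ids in sorted(summarize(SAMPLES).items()):
        print(queue, ids)
```

Feeding the five sample lines through `summarize` puts the two severity-1 events in the "priority" queue, the 0.62-confidence deviation in "review" (matching the event's own "recommend follow-up walkthrough"), and the routine identification and removal events in "inventory"; a SIEM rule that pivots on `controls(ev)` can then attach each event to the CM-8, SR-3 or MP-7 evidence set it supports.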