{
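  "_": "Sample CybrIQ syslog/REST event payloads. Pipe them into a SIEM parser to draft detection rules before the pilot. Each event matches the shape the platform emits in production: over syslog, RFC 5424 messages carry these events in the MSG field; the REST API delivers them as POST bodies. The sha256 values in this sample are elided with '...', so do not derive length or format checks for those fields from the sample. Field reference: docs.cybriq.io/api/events (placeholder).",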
  "events": [
    {
      "event": "device-detected",
      "t": "2026-05-11T14:32:11.482Z",
      "switch_id": "core-sw-01",
      "switch_vendor": "Cisco",
      "port_id": "Gi1/0/14",
      "vlan": 220,
      "mac": "00:50:c2:88:a1:34",
      "oui": "BD-Carefusion",
      "device_dna": "sha256:9d4f3b88c7e6...4218",
      "device_family": "infusion-pump",
      "manufacturer": "BD",
      "model_class": "Alaris-PCU-8015",
      "confidence": 0.94,
      "first_seen": "2026-05-11T14:32:11.482Z",
      "site": "hospital-east"
    },
    {
      "event": "device-substituted",
      "t": "2026-05-11T16:08:42.110Z",
      "switch_id": "core-sw-01",
      "port_id": "Gi1/0/14",
      "vlan": 220,
      "previous_dna": "sha256:9d4f3b88c7e6...4218",
      "current_dna": "sha256:7a1c9e22fd80...3e91",
      "previous_device_family": "infusion-pump",
      "current_device_family": "unknown-l2-switch",
      "previous_model_class": "Alaris-PCU-8015",
      "current_model_class": "generic-unmanaged-5port",
      "similarity_score": 0.38,
      "priority": "P1",
      "site": "hospital-east"
    },
    {
      "event": "device-vanished",
      "t": "2026-05-11T18:14:09.221Z",
      "switch_id": "core-sw-04",
      "port_id": "Gi2/0/22",
      "last_known_dna": "sha256:c4a18ef25d11...8842",
      "last_known_family": "telemetry-monitor",
      "last_known_model_class": "GE-CARESCAPE-B650",
      "last_seen": "2026-05-11T17:51:33.000Z",
      "missing_duration_seconds": 1356,
      "site": "hospital-east"
    },
    {
      "event": "port-topology-changed",
      "t": "2026-05-11T19:02:47.580Z",
      "switch_id": "core-sw-02",
      "port_id": "Gi3/0/08",
      "previous_topology": "direct",
      "current_topology": "direct+1hop",
      "downstream_dna": "sha256:b29c45e1d770...09a3",
      "downstream_family": "unmanaged-switch-5port",
      "change_management_ticket": null,
      "priority": "P1",
      "site": "campus-north"
    },
    {
      "event": "usb-threat-detected",
      "t": "2026-05-11T20:18:22.044Z",
      "host": "WS-FIN-014",
      "host_role": "finance",
      "user": "DOMAIN\\jruiz",
      "usb": {
        "vid": "05ac",
        "pid": "0220",
        "class": "03",
        "subclass": "01",
        "protocol": "01",
        "mfg": "Hak5",
        "product": "Rubber Ducky",
        "serial": "RD-9D4F-A218"
      },
      "match": {
        "family": "hak5-ducky",
        "confidence": "high",
        "db_version": "2026-05-09"
      },
      "agent_version": "1.8.4",
      "action": "alerted-no-block",
      "allow_listed": false
    },
    {
      "event": "banned-vendor-detected",
      "t": "2026-05-11T21:44:01.998Z",
      "switch_id": "branch-sw-03",
      "port_id": "Gi1/0/24",
      "vlan": 100,
      "device_dna": "sha256:f81d3a99c612...c704",
      "device_family": "ip-camera",
      "manufacturer": "Hikvision",
      "model_class": "DS-2CD2387G2",
      "ndaa_889_status": "covered-equipment",
      "regulatory_flag": "NDAA-889",
      "site": "branch-12"
    },
    {
      "event": "vlan-mismatch",
      "t": "2026-05-11T22:12:35.667Z",
      "switch_id": "core-sw-05",
      "port_id": "Gi4/0/11",
      "device_dna": "sha256:11b8f93214ab...e25d",
      "device_family": "imaging-modality",
      "model_class": "Siemens-SOMATOM-Force",
      "expected_vlan": 230,
      "current_vlan": 100,
      "policy_ref": "biomed-segmentation-v2",
      "site": "hospital-east"
    },
    {
      "event": "identity-drift",
      "t": "2026-05-11T22:55:08.300Z",
      "switch_id": "core-sw-02",
      "port_id": "Gi1/0/19",
      "device_dna_before": "sha256:dd44a91077c8...112b",
      "device_dna_after":  "sha256:dd44a91077c8...44e7",
      "similarity_score": 0.71,
      "likely_cause_inferred": "firmware-update",
      "priority": "P3",
      "site": "hospital-east"
    }
  ]
}
