Metadata Filtering & Field Reference
Every event sent to LiteSOC can carry an arbitrary metadata object. Custom Threat Model conditions can reach into any depth of this object using dot-notation field paths.
Field Path Syntax
Conditions reference event fields using dot-notation paths resolved left-to-right:
| Path Prefix | Resolves To | Example Path |
|---|---|---|
metadata.<key> | event.metadata[key] | metadata.service |
metadata.<a>.<b> | event.metadata[a][b] | metadata.geo.country |
actor.<key> | event.actor[key] | actor.email |
user_ip | event.user_ip | user_ip |
event | event.event (the event type string) | event |
Common Metadata Paths
These fields are automatically populated by LiteSOC's enrichment pipeline when an IP is provided:
| Field Path | Type | Description |
|---|---|---|
metadata.service | string | Your application service name (e.g. "ssh", "api") |
metadata.error_code | string | Application error code (e.g. "invalid_password") |
metadata.raw_log | string | Raw log line — use contains operator for substring search |
metadata.method | string | Auth method (e.g. "password", "oauth", "api_key") |
metadata.endpoint | string | API endpoint accessed (e.g. "/api/v1/export") |
metadata.record_count | number | Number of records affected — use gt/gte operators |
metadata.destination_country | string | ISO country code for data movement rules |
metadata.file_type | string | File type for data export/download rules |
Network Intelligence Fields
When LiteSOC enriches an event with network intelligence, these fields are available:
| Field Path | Type | Description |
|---|---|---|
metadata.network_intelligence.is_vpn | boolean | IP belongs to a known VPN provider |
metadata.network_intelligence.is_tor | boolean | IP is a Tor exit node |
metadata.network_intelligence.is_proxy | boolean | IP is an open proxy |
metadata.network_intelligence.is_datacenter | boolean | IP belongs to a cloud/datacenter ASN |
metadata.network_intelligence.network_type | string | "residential", "datacenter", "vpn", "tor" |
Note: These fields are populated server-side by LiteSOC. You do not need to send them — they are injected during ingestion enrichment.
Geolocation Fields
| Field Path | Type | Description |
|---|---|---|
metadata.country_code | string | ISO 3166-1 alpha-2 country code (e.g. "US", "KP") |
metadata.city | string | City name |
metadata.isp | string | ISP / ASN name |
Condition Shapes
A condition is a JSONB object stored in the condition column of your rule. Three formats are supported, all fully backward-compatible:
1. No Condition (match all events of this type)
{}
Use this when the event type alone is sufficient — e.g. count every data.bulk_delete regardless of context.
2. Single Filter (simple equality)
{
"field": "metadata.service",
"operator": "equals",
"value": "ssh"
}
3. Advanced Condition (AND / OR / NOT)
{
"logical_operator": "AND",
"filters": [
{ "field": "metadata.service", "operator": "equals", "value": "ssh" },
{ "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" }
]
}
The logical_operator must be one of "AND", "OR", or "NOT".
- AND — all filters must match
- OR — at least one filter must match
- NOT — negates the first filter only
Optional: group_by
Add a group_by hint to tell the UI which field to aggregate by in the alert detail view:
{
"logical_operator": "AND",
"filters": [...],
"group_by": "user_ip"
}
This is an annotation only — it does not affect detection logic.
Next: Operator Reference →