# InfoWatch Traffic Monitor
InfoWatch Traffic Monitor DLP events — enterprise data leak prevention system monitoring email, web, messengers, USB devices, and printers for policy violations and sensitive data exfiltration. Generates policy violation alerts, content capture records, device control actions, print control events, system health notifications, and incident workflow updates in CEF/syslog-compatible JSON format with ECS field mapping.
## Quick Start

```sh
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/dlp-infowatch/generator.yml \
  --id dlp-infowatch \
  --live-mode true
```

## Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| content-capture | Content Capture (data channel interception) | 35% | network |
| policy-violation | Policy Violation (DLP rule triggered) | 25% | intrusion_detection |
| device-control | Device Control (removable media events) | 12% | host |
| system-event | System Event (service health and status) | 10% | host |
| incident-update | Incident Update (workflow state changes) | 10% | configuration |
| print-control | Print Control (print job monitoring) | 8% | file |
## Realism Features
- Shared monotonic event ID counter across all event types for consistent ordering
- CSV-sampled employee pool with username, full name, department, and position for realistic user attribution
- Multi-channel content capture covering email, web uploads, messenger, USB copy, and print channels
- DLP policy library with category names, sensitivity levels, and pattern match descriptions
- Device inventory with vendor, model, serial number for USB and removable media events
- Incident lifecycle with assignee, status transitions, and resolution timestamps
- File metadata with MIME types, sizes, and content fingerprint hashes
## Sample Output

```json
{
  "@timestamp": "2026-03-07T10:22:15.000Z",
  "event": {
    "kind": "alert",
    "module": "infowatch",
    "dataset": "infowatch.dlp",
    "category": ["intrusion_detection"],
    "type": ["info"],
    "severity": 4,
    "outcome": "success"
  },
  "observer": {
    "vendor": "InfoWatch",
    "product": "Traffic Monitor",
    "version": "6.11.0.2345",
    "hostname": "IW-TM01",
    "ip": ["10.1.0.20"]
  },
  "infowatch": {
    "event_id": 500012,
    "event_type": "policy_violation",
    "channel": "email",
    "policy": {
      "name": "Confidential Documents",
      "category": "Data Protection",
      "sensitivity": "high",
      "action": "block"
    },
    "content": {
      "subject": "Q1 Financial Report",
      "recipient": "external@partner.com",
      "match_count": 3,
      "match_pattern": "Credit card numbers (PCI DSS)"
    },
    "verdict": "blocked"
  },
  "host": {
    "hostname": "DESKTOP-FIN03",
    "ip": ["10.1.10.33"],
    "os": { "name": "Windows 10", "version": "10.0.19045" },
    "domain": "CORP.ACME.COM"
  },
  "user": {
    "name": "petrov.av",
    "full_name": "Petrov Alexey V.",
    "domain": "CORP"
  },
  "file": {
    "name": "Q1_Financial_Report.xlsx",
    "size": 1482752,
    "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "hash": { "sha256": "b3f1a2c4d5e6..." }
  },
  "related": {
    "hosts": ["DESKTOP-FIN03"],
    "ip": ["10.1.10.33"],
    "user": ["petrov.av"]
  }
}
```

## Parameters
| Parameter | Default | Description |
|---|---|---|
| iw_version | 6.11.0.2345 | InfoWatch Traffic Monitor version |
| iw_server | IW-TM01 | InfoWatch server hostname |
| iw_server_ip | 10.1.0.20 | InfoWatch server IP address |
| domain | CORP.ACME.COM | Active Directory domain |
| organization | ACME Corp | Organization name |
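Before pointing the generated stream at a SIEM, it is worth checking that every event carries the fields a detection rule will key on and that the shared monotonic event_id counter from the Realism Features actually holds. The consumer below is an added example, not code from the content pack: the required-field list and the three newline-delimited sample events (shaped like the Sample Output above, trimmed to the fields read here) are constructed assumptions.

```python
import json
from collections import Counter
# Constructed sample stream (not generator output): three NDJSON events shaped like the Sample
# Output above, cut to the fields read here; the third repeats an event_id and omits event.kind.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2026-03-07T10:22:15.000Z",
     "event": {"kind": "alert", "category": ["intrusion_detection"]},
     "observer": {"vendor": "InfoWatch"}, "user": {"name": "petrov.av"},
     "infowatch": {"event_id": 500012, "event_type": "policy_violation",
                   "channel": "email", "verdict": "blocked"}},
    {"@timestamp": "2026-03-07T10:22:16.000Z",
     "event": {"kind": "event", "category": ["network"]},
     "observer": {"vendor": "InfoWatch"}, "user": {"name": "ivanova.ms"},
     "infowatch": {"event_id": 500013, "event_type": "content_capture",
                   "channel": "web", "verdict": "allowed"}},
    {"@timestamp": "2026-03-07T10:22:17.000Z",
     "event": {"category": ["host"]},
     "observer": {"vendor": "InfoWatch"}, "user": {"name": "petrov.av"},
     "infowatch": {"event_id": 500013, "event_type": "device_control",
                   "channel": "usb", "verdict": "blocked"}},
])

# Minimum dotted paths a SIEM rule would key on (an assumption, not a schema from the pack).
REQUIRED = ("@timestamp", "event.kind", "event.category", "observer.vendor",
            "infowatch.event_id", "infowatch.event_type", "user.name")

def get_path(doc, path):
    """Walk a dotted path through nested dicts; return None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def validate_stream(ndjson):
    """Return (errors, counts): findings as strings, and events seen per infowatch.event_type."""
    errors, counts, last_id = [], Counter(), None
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        ev = json.loads(line)
        for path in REQUIRED:
            if get_path(ev, path) is None:
                errors.append(f"line {lineno}: missing {path}")
        eid = get_path(ev, "infowatch.event_id")
        # The pack advertises one monotonic counter shared by all event types; enforce it.
        if last_id is not None and eid is not None and eid <= last_id:
            errors.append(f"line {lineno}: event_id {eid} not greater than {last_id}")
        last_id = eid if eid is not None else last_id
        counts[get_path(ev, "infowatch.event_type")] += 1
    return errors, counts
```

Run `validate_stream` over the generator's NDJSON output; the per-type counts can be compared against the Frequency column of the Event Types table.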
## Related Generators

### Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
### Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
### Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.