Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-continent/generator.yml \
  --id network-continent \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| cross-continent-outbound-allow | Outbound traffic to a different continent — allowed | ~25% | network |
| same-continent-outbound-allow | Outbound traffic within the same continent — allowed | ~30% | network |
| cross-continent-inbound-allow | Inbound traffic from a different continent — allowed | ~15% | network |
| same-continent-inbound-allow | Inbound traffic from the same continent — allowed | ~15% | network |
| cross-continent-inbound-denied | Inbound traffic from a different continent — denied by geo policy | ~10% | network |
| same-continent-inbound-denied | Inbound traffic from the same continent — denied | ~5% | network |
Realism Features
- Continent-level geolocation: source and destination are each placed on one of six continents (North America, Europe, Asia, South America, Africa, Oceania; codes NA, EU, AS, SA, AF, OC)
- Cross-continent vs same-continent split (50% / 50% of events across the six types above) reflects real-world routing patterns
- Direction-aware policy: every outbound event type is an allow; only inbound traffic is subject to geo-based filtering (15% of all events are inbound denials)
- Denials are skewed toward cross-continent inbound (10% vs 5% same-continent), modeling geographic access restrictions
- ECS geo fields: source.geo.continent_name and destination.geo.continent_name are populated on every event, so same- vs cross-continent flows can be filtered without a separate GeoIP lookup
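The following Python is an added example, not code from the content pack. It parses events in the ECS layout shown under Sample Output, maps each one back to its event ID from `network.direction`, the continent match and the verdict, checks that `event.action` and `event.type` agree, tallies the mix for comparison against the Frequency column, and runs the geo-policy audit an analyst would apply to real gateway logs: inbound flows allowed from a continent outside an allowlist. The sample NDJSON is constructed inline in the documented 25/30/15/15/10/5 mix. The field values used for denied events (`event.action` "deny", `event.outcome` "failure", `event.type` containing "denied") are assumptions, since the page only shows an allowed event.

```python
"""Audit Eventum network-continent events (added example, not part of the pack).

Assumes the ECS layout shown under Sample Output. Field values for denied
events (event.action "deny", event.outcome "failure", event.type "denied")
are assumptions; the page only shows an allowed event.
"""
import json
from collections import Counter

# The six event IDs documented in the Event Types table.
EVENT_IDS = {
    "cross-continent-outbound-allow", "same-continent-outbound-allow",
    "cross-continent-inbound-allow", "same-continent-inbound-allow",
    "cross-continent-inbound-denied", "same-continent-inbound-denied",
}


def make_event(direction, action, src_continent, dst_continent, src_ip, dst_ip, dst_port=443):
    """Build one constructed event in the pack's ECS layout (test data only)."""
    allowed = action == "allow"
    return {
        "@timestamp": "2026-03-07T10:15:32.456789+00:00",
        "event": {
            "action": action,
            "category": ["network"],
            "dataset": "network.continent",
            "outcome": "success" if allowed else "failure",  # "failure" is assumed
            "type": ["connection", "allowed" if allowed else "denied"],  # "denied" is assumed
        },
        "source": {"ip": src_ip, "port": 49821, "geo": {"continent_name": src_continent}},
        "destination": {"ip": dst_ip, "port": dst_port, "geo": {"continent_name": dst_continent}},
        "network": {"direction": direction, "transport": "tcp"},
        "observer": {"hostname": "gw-01", "type": "firewall", "vendor": "Generic"},
    }


# Constructed sample: 20 events in the documented 25/30/15/15/10/5 % mix.
_SPEC = [  # (count, direction, action, src continent, dst continent, src ip, dst ip)
    (5, "outbound", "allow", "North America", "Europe", "10.1.1.45", "203.0.113.80"),
    (6, "outbound", "allow", "North America", "North America", "10.1.1.46", "198.51.100.10"),
    (3, "inbound", "allow", "Asia", "North America", "192.0.2.77", "10.1.1.10"),
    (3, "inbound", "allow", "North America", "North America", "198.51.100.20", "10.1.1.10"),
    (2, "inbound", "deny", "Africa", "North America", "192.0.2.200", "10.1.1.10"),
    (1, "inbound", "deny", "North America", "North America", "198.51.100.30", "10.1.1.10"),
]
SAMPLE_NDJSON = "\n".join(
    json.dumps(make_event(d, a, s, t, si, di))
    for n, d, a, s, t, si, di in _SPEC for _ in range(n)
)


def load_ndjson(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Map an event back to its event ID from direction, continent match and verdict."""
    direction = event["network"]["direction"]
    same = (event["source"]["geo"]["continent_name"]
            == event["destination"]["geo"]["continent_name"])
    verdict = "allow" if "allowed" in event["event"]["type"] else "denied"
    return f"{'same' if same else 'cross'}-continent-{direction}-{verdict}"


def check_consistency(event):
    """True when event.action and event.type tell the same story."""
    types = event["event"]["type"]
    if event["event"]["action"] == "allow":
        return "allowed" in types and "denied" not in types
    return "denied" in types and "allowed" not in types


def event_mix(events):
    """Share of each event ID, for comparison against the Frequency column."""
    counts = Counter(classify(e) for e in events)
    total = sum(counts.values())
    return {k: round(v / total, 2) for k, v in counts.items()}


def policy_gaps(events, allowed_inbound_continents):
    """Inbound flows allowed from a continent outside the allowlist.

    On real gateway logs this surfaces geo-policy exceptions; against this pack
    it returns the cross-continent-inbound-allow events, which are generated on purpose.
    """
    return [
        (e["source"]["ip"], e["source"]["geo"]["continent_name"], e["destination"]["port"])
        for e in events
        if e["network"]["direction"] == "inbound"
        and "allowed" in e["event"]["type"]
        and e["source"]["geo"]["continent_name"] not in allowed_inbound_continents
    ]


SAMPLE_EVENTS = load_ndjson(SAMPLE_NDJSON)

if __name__ == "__main__":
    for event_id, share in sorted(event_mix(SAMPLE_EVENTS).items()):
        print(f"{event_id:32} {share:.2f}")
    for gap in policy_gaps(SAMPLE_EVENTS, {"North America", "Europe"}):
        print("geo-policy gap:", gap)
```

To use it on real output, replace `SAMPLE_NDJSON` with the NDJSON the generator writes and set `allowed_inbound_continents` to the continents your edge is expected to accept; a non-empty `policy_gaps` result is then a rule exception worth reviewing rather than, as here, the pack's intentional 15% of allowed cross-continent inbound flows.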
Sample Output
```json
{
  "@timestamp": "2026-03-07T10:15:32.456789+00:00",
  "event": {
    "action": "allow",
    "category": ["network"],
    "dataset": "network.continent",
    "outcome": "success",
    "type": ["connection", "allowed"]
  },
  "source": {
    "ip": "10.1.1.45",
    "port": 49821,
    "geo": { "continent_name": "North America" }
  },
  "destination": {
    "ip": "203.0.113.80",
    "port": 443,
    "geo": { "continent_name": "Europe" }
  },
  "network": {
    "direction": "outbound",
    "transport": "tcp"
  },
  "observer": { "hostname": "gw-01", "type": "firewall", "vendor": "Generic" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | gw-01 | Gateway hostname |
| domain | example.com | Domain for FQDN |
| agent_id | a1b2c3d4-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network DNS Traffic
Passive DNS transaction logs — query/response pairs for A, AAAA, CNAME, MX, TXT, PTR, SRV, SOA, NS, and DNSKEY records. Mixed internal/external resolvers with NXDOMAIN, SERVFAIL, and REFUSED errors.