diff --git a/dictionary.json b/dictionary.json
index d602fb28c..5d63aec1d 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1052,6 +1052,11 @@
 "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
 "type": "string_t"
 },
+ "delay": {
+ "caption": "Root Delay",
+ "description": "The total round-trip delay to the reference clock in milliseconds.",
+ "type": "integer_t"
+ },
 "deleted_time": {
 "caption": "Deleted Time",
 "description": "The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.",
@@ -1156,6 +1161,11 @@
 "sibling": "direction",
 "type": "integer_t"
 },
+ "dispersion": {
+ "caption": "Root Dispersion",
+ "description": "The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.",
+ "type": "integer_t"
+ },
 "disposition": {
 "caption": "Disposition",
 "description": "The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
@@ -2355,6 +2365,11 @@
 "description": "The postal code of the location.",
 "type": "string_t"
 },
+ "precision": {
+ "caption": "Precision",
+ "description": "The numeric precision. See specific usage.",
+ "type": "integer_t"
+ },
 "priority": {
 "caption": "Priority",
 "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
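Review bot: The new `delay` entry in the first hunk gives a shared dictionary attribute an NTP-only caption ("Root Delay") and fixes its unit to whole milliseconds, and the `dispersion` entry in the second hunk does the same. RFC 5905 carries root delay and root dispersion as fixed-point fractions of a second, so an `integer_t` in milliseconds reduces sub-millisecond values to 0, and a consumer can no longer tell a tightly synchronized source from one that reported nothing. I would either keep the dictionary text generic, as the `precision` entry in the third hunk does with `See specific usage.`, and move the NTP wording into the class file, or state the conversion in the description, e.g. `"description": "The total round-trip delay to the reference clock, converted from the NTP short format to whole milliseconds."`. The enclosing attributes object starts and ends outside these hunks.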
@@ -3014,6 +3029,42 @@
 "sibling": "status",
 "type": "integer_t"
 },
+ "stratum": {
+ "caption": "Stratum",
+ "description": "The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.",
+ "type": "string_t"
+ },
+ "stratum_id": {
+ "caption": "Stratum ID",
+ "description": "The normalized identifier of the stratum level, as defined in RFC-5905.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Unspecified or invalid."
+ },
+ "1": {
+ "caption": "Primary Server",
+ "description": "The highest precision primary server (e.g atomic clock or GPS)."
+ },
+ "2": {
+ "caption": "Secondary Server",
+ "description": "A secondary level server (possible values: 2-15)."
+ },
+ "16": {
+ "caption": "Unsynchronized"
+ },
+ "17": {
+ "caption": "Reserved",
+ "description": "Reserved stratum (possible values: 17-255)."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The stratum level is not mapped. See the stratum attribute, which may contain a data source specific value."
+ }
+ },
+ "sibling": "stratum",
+ "type": "integer_t"
+ },
 "subdomain": {
 "caption": "Subdomain",
 "description": "The subdomain portion of the URL. For example: sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.",
@@ -3270,7 +3321,7 @@
 "web_resources_result": {
 "caption": "Web Resources Result",
 "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
- "is_array": true,
+ "is_array": true,
 "type": "web_resource"
 },
 "x_forwarded_for": {
diff --git a/events/network/ntp.json b/events/network/ntp.json
new file mode 100644
index 000000000..1262c49c3
--- /dev/null
+++ b/events/network/ntp.json
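Review bot: The `stratum_id` enum added in the `@@ -3014,6 +3029,42 @@` hunk uses RFC 5905 wire values as keys but folds ranges into single members (`2` for 2-15, `17` for 17-255) without saying that producers must do the folding, and `99` (Other) falls inside the reserved range that `17` is meant to cover. A producer that passes the wire stratum through unchanged would emit values such as 3 that are not enum members, or 99 that is read as Other. Since `stratum` is described as the caption of `stratum_id`, the level actually received is not kept anywhere, which weakens detections that compare a source's stratum against what is expected for it. I would make the mapping explicit, e.g. `"description": "The normalized identifier of the stratum level. RFC-5905 values 3-15 are reported as 2 and 18-255 as 17."`, and give `16` a description like the other members. The enclosing attributes object continues outside the hunk.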
@@ -0,0 +1,75 @@
+{
+ "caption": "NTP Activity",
+ "description": "The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.",
+ "extends": "network_activity",
+ "name": "ntp_activity",
+ "uid": 13,
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Not used in standard NTP implementations."
+ },
+ "1": {
+ "caption": "Symmetric Active Exchange",
+ "description": "Bidirectional time exchange between devices."
+ },
+ "2": {
+ "caption": "Symmetric Passive Response",
+ "description": "Device responds as a server to peers in symmetric active mode."
+ },
+ "3": {
+ "caption": "Client Synchronization",
+ "description": "NTP client, syncs with servers."
+ },
+ "4": {
+ "caption": "Server Response",
+ "description": "Dedicated NTP time server, responds to clients."
+ },
+ "5": {
+ "caption": "Broadcast",
+ "description": "Broadcast time info to network devices."
+ },
+ "6": {
+ "caption": "Control",
+ "description": "Monitoring and control messaging."
+ },
+ "7": {
+ "caption": "Private Use Case",
+ "description": "Reserved - Not defined in standard NTP specifications."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped."
+ }
+ }
+ },
+ "delay": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "dispersion": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "precision": {
+ "description": "The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "stratum": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "stratum_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "version": {
+ "description": "The version number of the NTP protocol.",
+ "group": "context",
+ "requirement": "required"
+ }
+ }
+}
\ No newline at end of file
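Review bot: In `activity_id`, member `0` is captioned `Unknown` but described as "Not used in standard NTP implementations.", which describes NTP mode 0 rather than "the producer could not determine the activity". A parser that cannot decode the mode and falls back to 0 would then emit events that look like reserved-mode traffic, which muddies any rule that alerts on unusual modes. I would use `"description": "The event activity is unknown."` and map a genuinely observed mode 0 to `99`. The class description also speaks only of clients synchronizing with a server, while the enum covers symmetric, broadcast, control and private modes; widening that sentence would keep analysts from assuming control-mode events are out of scope. The file ends without a trailing newline.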