[ Event Schema ]
Detection payload schema
Event payloads are intentionally minimal and operational. Use the field reference below when wiring dashboards, external analytics, or automation workflows.
| Field | Type | Description |
|---|---|---|
| event_type | string | Classification bucket like honeypot_triggered or agent_detected. |
| timestamp | int | Unix timestamp recorded at event creation. |
| agent_id | string|null | Internal agent identifier when fingerprinting succeeds. |
| agent_name | string|null | Human-readable name when known in the intelligence registry. |
| trap_id | string|null | Trap route identifier tied to honeypot path seed. |
| depth | int|null | Maze depth reached before trigger fired. |
| request_context | array | HTTP headers, path metadata, and request behavior markers. |
| time_to_trigger | float|null | Seconds between session start and trap activation. |
| js_executed | bool|null | Whether JavaScript challenge markers were observed. |
| session_id | string|null | Ephemeral session key for forensic event stitching. |
Sample event payload
json{
"event_type": "honeypot_triggered",
"timestamp": 1765236154,
"agent_id": "agent_2f6d9f",
"agent_name": "Unknown crawler",
"trap_id": "trap_91adf",
"depth": 3,
"request_context": {
"path": "/wp-content/uploads/cache/...",
"user_agent": "Mozilla/5.0 ...",
"method": "GET"
},
"time_to_trigger": 1.82,
"js_executed": false,
"session_id": "sess_8ea31"
}Privacy note: avoid storing secrets, passwords, or session tokens in external sinks. Keep badger_intelligence_anonymize_ips enabled unless legal policy requires otherwise.