- Contrast Action Attributes
- Contrast Action Authn Attributes
- Contrast Action Authz Attributes
- Contrast Action File Open Create Attributes
- Contrast Code Exec Attributes
- Contrast Host Cmd Exec Attributes
- Contrast Resource Attributes
This document defines semantic convention attributes in the Contrast namespace
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.action |
string | The type of action that was observed. | file-open-create; authn-request |
 |
contrast.action has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
authn-request |
Functions that perform authentication actions | |
authz-request |
Functions that perform authorization actions | |
el-execution |
Spring expression language execution | |
file-open-create |
file open or create action | |
host-cmd-exec |
system shell command execution | |
ldap-query |
Functions that result in and ldap query operation | |
ognl-execution |
Object-Graph Navigation Language expression execution. | |
outbound_service_call |
Functions that result in external calls to other services | |
smtp-exec |
Functions that result in an SMTP command execution | |
storage-query |
Functions that execute queries | |
url-forward |
Any function designed to forward a request to another URL | |
url-redirect |
Function that result in an http 302 redirect code sent to the client | |
Describes attributes for Contrast Action span of type authn-request
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.authentication.mechanism |
string | An authentication mechanism is a specific method or approach used to verify the identity of a user, system, or entity attempting to access a resource. | password; token; biometric |
|
contrast.authentication.protocol |
string | An authentication protocol is a set of rules and procedures that dictate how authentication mechanisms should operate to establish trust and verify identities securely. | oauth; saml; ldap; custom |
|
contrast.authentication.mechanism has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
biometric |
file open or create action | |
certificate |
x509 certificate authentication or similar | |
mfa |
Two or more of the above mechanisms are used | |
password |
Users provide a username and password. | |
token |
Involves using a physical or virtual token to authenticate a user | |
contrast.authentication.protocol has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
kerberos |
kerberos | |
ldap |
Lightweight Directory Access Protocol | |
oauth |
Open Authentication and OIDC | |
saml |
Security Assertion Markup Language | |
Describes attributes for Contrast Action span of type authz-request
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.authorization.dac.permission |
string | Permission requested for access to the resource. The values here are very domain specific, but will always be normalized to a lowercase value in the data here. | read; write; append; delete |
|
contrast.authorization.mac.labels |
string | Labels on the requested resource. The values here are very domain specific, but will always be normalized to a lowercase value in the data here. | top_secret; confidential; internal; public |
|
contrast.authorization.mechanism |
string | How are authz decisions made for the resource. | rbac; dac; pbac |
|
contrast.authorization.rbac.role |
string | Role Requested for authz check. The values here are very domain specific, but will always be normalized to a lowercase value in the data here. | user; editor; manager |
|
contrast.authorization.mechanism has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
abac |
Attribute Based Access Control | |
dac |
Discretionary Access Control (DAC) is a model where owners of resources have the discretion to control access to their resources. | |
hbac |
History Based Access Control | |
mac |
Mandatory Access Control (MAC) is a security model where access to resources is determined by the security labels assigned to subjects (users or processes) and objects (resources). | |
pbac |
Policy Based Access Control | |
rbac |
Role Based Access Control | |
tbac |
Time Based Access Control | |
Describes attributes for Contrast Action span of type file-open-create.
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.file.open.flags |
string | The flags used when the file was opened or created. | o_rdonly; o_rdwr |
|
contrast.file.open.path |
string | The absolute path that was accessed. | /etc/myconfig; /foo/bar; /some/tmp |
|
contrast.file.open.flags has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
o_rdonly |
Read only access | |
o_rdwr |
Read/write access | |
o_wronly |
Write only access | |
Attributes that refer to code execution operations
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.code.contents |
string | The code representing the expression being executed. | #{'String1 ' + 'string2'}; #{20 - 1}; 'Just a string value'.substring(5) |
|
Describes attributes for Contrast Action span of type host-cmd-exec.
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.host_cmd_exec.cmd |
string | String of executed command with its arguments. | ls /foo; bash -c somebin; chmod 755 foobar |
|
contrast defined resources for observability data
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
contrast.deployment |
string | deployment environment | QA; DEVELOPMENT; PRODUCTION |
|
contrast.semconv.version |
string | The version of contrast semantic conventions the data adheres to. | 0.3.0 |
|
otel.semconv.version |
string | The version of otel semantic conventions the data adheres to. | 1.22.0 |
|
contrast.deployment has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.
| Value | Description | Stability |
|---|---|---|
DEVELOPMENT |
development environment | |
PRODUCTION |
production environment | |
QA |
quality assurance environment | |