| NFO timestamp | Format: Mmm dd hh:mm:ss |
| NFO server IP address | Format: IPv4_address |
| NFO server NetFlow source ID | Configurable. |
| nfc_id | Message type identifier | “nfc_id=20191” |
| exp_ip | Network device (exporter) IP address | <IPv4 address> |
| event_type | begin | cont | end | <string>, indicates attack current state |
| t_event | NFO time of event | <number>, unix sec. NFO time at the end of the time interval when the event was identified. |
| t_report | NFO time of report | <number>, unix sec. NFO time to which this message pertains |
| protocol | “tcp” | “udp” | “icmp” | L4 protocol traffic for which anomaly was observed |
| trend | Trend | <string>, increasing, steady, abating |
| confidence | Confidence score | <number>, A value >= 90 indicating confidence in the event detection |
| t_int | Observation time interval, msec | <number> |