| NFO timestamp | Format: Mmm dd hh:mm:ss |
| NFO server IP address | Format: IPv4_address |
| NFO server NetFlow source ID | Configurable. |
| nfc_id | Message type identifier | "nfc_id=20196" |
| exp_ip | Network device (exporter) IP address | <IPv4 address> |
| t_last | NFO time of event | <number>, unix sec. NFO time of a most recent event which contributed to this report. |
| t_first | NFO time of report | <number>, unix sec. NFO time of an oldest event which contributed to this report |
| event_count | Event count | <number>, The number of indicators which contributed to this report |
| indicator | Indicator | <string>, Textual representation of the indicators which contributed to this report. See table in Appendix 1 for details |
| confidence | Confidence score | <number/number>, Cumulative confidence score and reporting threshold confidence value |
| confidence_bonus | Confidence bonus | <number>, Bonus confidence score included in the cumulative confidence score |