title: analytics/mediawiki/ip_reputation/score description: >- Represents an event where MediaWiki fetches the IP reputation score for a particular action (editing, creating an account, etc) $id: /analytics/mediawiki/ip_reputation/score/1.4.0 $schema: https://json-schema.org/draft-07/schema# type: object allOf: - $ref: /fragment/analytics/common/2.0.0 - $ref: /fragment/http/client_ip/1.0.0 # from schemas/event/primary - required: - http # from /fragment/http/client_ip/1.0.0 - wiki_id - performer # /fragment/mediawiki/state/entity/user/1.1.0 - properties: performer: description: > Represents the MediaWiki actor that made this change. If this change is an edit, this will be the same as revision.editor. $ref: /fragment/mediawiki/state/entity/user/1.1.0 wiki_id: description: > The wiki ID, which is usually the same as the MediaWiki database name. E.g. enwiki, metawiki, etc. type: string minLength: 1 action: type: string enum: - edit - createaccount - autocreateaccount mw_entry_point: type: string enum: - api - cli - index - load - img_auth - opensearch_desc - rest - thumb - thumb_handler - unknown description: >- The MediaWiki entry point this event originated from, as given by MW_ENTRY_POINT. identifier: type: integer description: >- The unique identifier for the event. For type=edit, this is the revision ID. For type=createaccount, this is not set. For other events associated with a log entry, this is the corresponding log ID. tunnels: type: array items: type: object properties: anonymous: type: boolean operator: type: string type: type: string description: >- The top-level "tunnels" property in Spur data. This is a list of objects containing properties like { "anonymous": , "operator": "", "type": }. Indicates VPN/Proxy/Anonymization details and operator information Note, there are only 661 items in the dataset with multiple tunnels. tunnels_types: type: array items: type: string description: >- If the top-level "tunnels" array is set, this is a list of the "type" property of each item. tunnels_operators: type: array items: type: string description: >- If the top-level "tunnels" array is set, this is a list of the "operator" property of each item. tunnels_flattened_anonymous: type: boolean description: >- If the tunnel is "anonymous". This is data from the first item in the tunnels array. tunnels_flattened_entries: type: array items: type: string description: >- The list of "entries" IP addresses for the first item in the tunnels array. tunnels_flattened_exits: type: array items: type: string description: >- The list of "exits" IP addresses for the first item in the tunnels array. tunnels_flattened_operator: type: string description: >- The "operator" for the first item in the tunnels array. tunnels_flattened_type: type: string description: >- The "type" for the first item in the tunnels array. infrastructure: type: string description: >- The top-level "infrastructure" property in Spur data. Indicates classification of infrastructure this IP is in. risks: type: array items: type: string description: >- The top-level "risks" property in Spur data. Indicates risks and threats from this IP address. services: type: array items: type: string description: >- The top-level "services" property in Spur data. Indicates protocols and services running on this IP (e.g. OpenVPN). client_proxies: type: array items: type: string description: >- The "client.proxies" property in Spur data, indicating call-back proxies running from devices on this IP. as_organization: type: string description: >- Autonomous System Details "as.organization" property in Spur data. as_number: type: integer description: >- Autonomous System Details "as.number" property in Spur data. organization: type: string description: >- The top-level "organization" property in Spur data. Indicates the organization operating the IP address. location_country: type: string description: >- The ISO code for the country client.concentration.country property or the MaxMind GeoLite2 country associated with the client_ip. location_city: type: string description: >- The "client.location.city" property in Spur data, or the MaxMind GeoLite2 city data associated with the client_ip. client_spread: type: integer description: >- The "client.spread" property in Spur data. Indicates the geographic spread of clients (km^2). client_behaviors: type: array items: type: string description: >- The "client.behaviors" property in Spur data, representing behaviors of clients on this IP. client_count: type: integer description: >- The "client.count" property in Spur data, indicating the average number of clients seen on this IP per day. client_countries: type: integer description: >- The "client.countries" property in Spur data, indicating the number of countries clients have come from. client_types: type: array items: type: string description: >- The "client.types" property in Spur data, indicating the types of clients associated with the IP. Examples: "DESKTOP" or "MOBILE". examples: - $schema: $ref: '#/$id' meta: stream: mediawiki.ip_reputation.score domain: en.wikipedia.org dt: '2024-03-14T00:20:00.649Z' wiki_id: 'enwiki' action: 'edit' mw_entry_point: index client_count: 5 performer: user_id: 123 client_behaviors: - 'FOO' - 'BAR' http: client_ip: 10.0.2.2 request_headers: user-agent: curl/7.64.1 identifier: 123