Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (17)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.process.process Name of the process. | bitdefender.gravityzone.application_path bitdefender.gravityzone.detection_path bitdefender.gravityzone.exploit_path bitdefender.gravityzone.process_info_path bitdefender.gravityzone.process_path | string |
gen.src.ip Source IP address. | bitdefender.gravityzone.attack_source bitdefender.gravityzone.source_ip bitdefender.gravityzone.storage_ip | text_general |
gen.dest.ip Destination IP address. | bitdefender.gravityzone.computer_ip bitdefender.gravityzone.victim_ip | text_general |
gen.hostname Normalized hostname of the system generating the log. | bitdefender.gravityzone.computer_name | text_general |
gen.av.infectionName Name of the detected infection or malware. | bitdefender.gravityzone.detection_name bitdefender.gravityzone.malware_name | strings |
gen.process.parent.process Name of the parent process. | bitdefender.gravityzone.detection_parentPath bitdefender.gravityzone.parent_process_path | string |
gen.process.parent.pid Process ID of the parent process. | bitdefender.gravityzone.detection_parentPid bitdefender.gravityzone.parent_process_id bitdefender.gravityzone.parent_process_pid | pint |
gen.file.name File name associated with the event. | bitdefender.gravityzone.detection_path bitdefender.gravityzone.exploit_path bitdefender.gravityzone.file_info.file_path bitdefender.gravityzone.file_name bitdefender.gravityzone.file_path bitdefender.gravityzone.localPath bitdefender.gravityzone.malware_path bitdefender.gravityzone.networkSharePath | strings |
gen.file.path Full file path associated with the event. | bitdefender.gravityzone.detection_path bitdefender.gravityzone.exploit_path bitdefender.gravityzone.file_info.file_path bitdefender.gravityzone.file_name bitdefender.gravityzone.file_path bitdefender.gravityzone.localPath bitdefender.gravityzone.malware_path bitdefender.gravityzone.networkSharePath | strings |
gen.process.pid Process ID of the running process. | bitdefender.gravityzone.detection_pid bitdefender.gravityzone.process_pid | pint |
gen.username Username associated with the event. | bitdefender.gravityzone.detection_username bitdefender.gravityzone.user.name | text_general |
gen.dest.port Destination port number. | bitdefender.gravityzone.local_port | pint |
gen.process.commandline Command line used to start the process. | bitdefender.gravityzone.process_command_line bitdefender.gravityzone.process_info_command_line | string |
gen.mail.receiver Email address of the message recipient. | bitdefender.gravityzone.recipients | strings |
gen.mail.sender Email address of the message sender. | bitdefender.gravityzone.sender | strings |
gen.severity Normalized severity field across log sources. | bitdefender.gravityzone.severity | strings |
gen.mail.subject Subject line of the email. | bitdefender.gravityzone.subject | strings |
Reference-Specific Fields (199)
| Field | Type |
|---|---|
bitdefender.gravityzone.UUID_BIOS BIOS UUID | string |
bitdefender.gravityzone.UUID_INSTANCE Instance UUID | string |
bitdefender.gravityzone.VM_ID Virtual machine ID | string |
bitdefender.gravityzone.VM_NAME Virtual machine name | string |
bitdefender.gravityzone.action Action that was performed, e.g., allow, block, cleanup. | string |
bitdefender.gravityzone.action_taken Actual remediation action taken by the security agent. | string |
bitdefender.gravityzone.aph_type Type of anti-phishing handling applied. | string |
bitdefender.gravityzone.app_control_status Application Control status (0 = disabled, 1 = enabled). | pint |
bitdefender.gravityzone.application_path Full path to the application executable. | string |
bitdefender.gravityzone.applications.name Names of applications managed by the agent. | strings |
bitdefender.gravityzone.applications.version Versions of the managed applications. | strings |
bitdefender.gravityzone.att_ck_id The ID of the attack campaign or tactic. | strings |
bitdefender.gravityzone.attack_entry Entry point of the detected attack. | plong |
bitdefender.gravityzone.attack_source Source from which the attack originated. | string |
bitdefender.gravityzone.attack_technique MITRE ATT&CK technique identifier associated with the event. | string |
bitdefender.gravityzone.attack_types Types of attacks detected; may list multiple types. | strings |
bitdefender.gravityzone.available_version Latest available version of the agent or module. | string |
bitdefender.gravityzone.avc_status Status code of the Application Vulnerability Control scan. | pint |
bitdefender.gravityzone.backup_status Status of the backup operation (0 = failure, 1 = success). | pint |
bitdefender.gravityzone.block_type Type of block applied (e.g., firewall, application control). | string |
bitdefender.gravityzone.blocking_rule_name Name of the rule that blocked the event. | string |
bitdefender.gravityzone.browser_name Name of the browser where the event was observed. | string |
bitdefender.gravityzone.browser_version Version of the browser where the event was observed. | string |
bitdefender.gravityzone.categories Security categories assigned to the event. | strings |
bitdefender.gravityzone.certificate_type Type of certificate used (e.g., code signing, SSL). | pint |
bitdefender.gravityzone.companyId ID of the Bitdefender company (tenant) the event belongs to. | string |
bitdefender.gravityzone.company_name Human-readable name of the Bitdefender company (tenant). | string |
bitdefender.gravityzone.computer_fqdn Fully qualified domain name of the computer. | string |
bitdefender.gravityzone.computer_id Internal ID assigned to the computer by GravityZone. | string |
bitdefender.gravityzone.computer_ip IP address of the computer at event time. | string |
bitdefender.gravityzone.computer_name Host name of the computer. | string |
bitdefender.gravityzone.container_id Identifier of the container if the endpoint is containerized. | string |
bitdefender.gravityzone.count General purpose counter associated with the event. | pint |
bitdefender.gravityzone.cpuUsage CPU usage percentage on the endpoint at event time. | pint |
bitdefender.gravityzone.created Date/time when the event was created in GravityZone. | pdate |
bitdefender.gravityzone.csv_id Identifier used when events are exported via CSV. | string |
bitdefender.gravityzone.current_version Currently installed version of the agent on the endpoint. | string |
bitdefender.gravityzone.date Event date in GravityZone system. | pdate |
bitdefender.gravityzone.days Number of days since a relevant lifecycle event occurred (e.g. installation). | pint |
bitdefender.gravityzone.days_left Days remaining until a license or support expiration. | pint |
bitdefender.gravityzone.db_version Version of the local agent database. | string |
bitdefender.gravityzone.detected_malware.actionTaken Actions taken against detected malware (stored array). | strings |
bitdefender.gravityzone.detected_malware.infectedObject Paths of objects infected by malware (stored array). | strings |
bitdefender.gravityzone.detected_malware.malwareName Names of detected malware families (stored array). | strings |
bitdefender.gravityzone.detected_malware.malwareType Types of detected malware, e.g. virus, trojan (stored array). | strings |
bitdefender.gravityzone.detected_on Date/time when malware was detected. | pdate |
bitdefender.gravityzone.detection_action Remediation action performed during malware detection. | string |
bitdefender.gravityzone.detection_exploitTechnique Exploit technique used, if any, in the detected attack. | string |
bitdefender.gravityzone.detection_level Severity level assigned to the detection. | string |
bitdefender.gravityzone.detection_name Name of the detection rule or signature. | string |
bitdefender.gravityzone.detection_parentPath Filesystem path of the parent process when detection occurred. | string |
bitdefender.gravityzone.detection_parentPid Process ID of the parent process at detection time. | pint |
bitdefender.gravityzone.detection_path Filesystem path of the detected object. | string |
bitdefender.gravityzone.detection_pid Process ID of the process where detection occurred. | pint |
bitdefender.gravityzone.detection_time Timestamp when the detection was logged. | pdate |
bitdefender.gravityzone.detection_username Username under which the detection was performed. | string |
bitdefender.gravityzone.deviceClass Class of the device (e.g., workstation, server). | pint |
bitdefender.gravityzone.deviceId Unique identifier of the managed device. | string |
bitdefender.gravityzone.deviceName Friendly name of the managed device. | string |
bitdefender.gravityzone.device_ip IP address of the managed device. | string |
bitdefender.gravityzone.discoveredOn Date/time when the device was first discovered by GravityZone. | pdate |
bitdefender.gravityzone.dlp_status Data Loss Prevention status code on the endpoint. | pint |
bitdefender.gravityzone.endDate End date/time of the event or subscription. | pdate |
bitdefender.gravityzone.endpointId Unique identifier of the endpoint where the event occurred. | string |
bitdefender.gravityzone.endpoint_id Deprecated alias of endpointId. | string |
bitdefender.gravityzone.engines_version Version of the security engines in use. | string |
bitdefender.gravityzone.error_code Numeric error code returned by an operation. | pint |
bitdefender.gravityzone.error_message Text of the error message returned, if any. | text_general |
bitdefender.gravityzone.exchange_as_status Exchange anti-spam scan status code | pint |
bitdefender.gravityzone.exchange_at_status Exchange anti-tampering scan status code | pint |
bitdefender.gravityzone.exchange_av_status Exchange antivirus scan status code | pint |
bitdefender.gravityzone.exchange_cf_status Exchange content-filter scan status code | pint |
bitdefender.gravityzone.exchange_od_status Exchange on-demand scan status code | pint |
bitdefender.gravityzone.exploit_path Filesystem path to the detected exploit | string |
bitdefender.gravityzone.exploit_type Type or category of the detected exploit | string |
bitdefender.gravityzone.fileVersion Version of the file or application | string |
bitdefender.gravityzone.file_hash_md5 MD5 hash of the file associated with the event. | string |
bitdefender.gravityzone.file_hash_sha256 SHA-256 hash of the file associated with the event. | string |
bitdefender.gravityzone.file_info.file_path Original path of the file in file info metadata | strings |
bitdefender.gravityzone.file_info.file_size Size in bytes of the file in file info metadata | strings |
bitdefender.gravityzone.file_info.remediation_action Recommended remediation action for the file | strings |
bitdefender.gravityzone.file_name Name of the file associated with the event | string |
bitdefender.gravityzone.file_path Filesystem path of the file associated with the event | string |
bitdefender.gravityzone.final_status Final status code of the protection operation | string |
bitdefender.gravityzone.fingerprint Unique fingerprint of the endpoint or file | string |
bitdefender.gravityzone.fromSupa Flag indicating events coming from SupA (Security Update API). | boolean |
bitdefender.gravityzone.hash General SHA-256 hash associated with the event. | string |
bitdefender.gravityzone.hwid Hardware ID of the managed endpoint. | string |
bitdefender.gravityzone.incident_id Unique ID of the security incident. | string |
bitdefender.gravityzone.installed_agent Name/version of the installed agent. | string |
bitdefender.gravityzone.interval_end End timestamp of the reporting interval. | pdate |
bitdefender.gravityzone.interval_start Start timestamp of the reporting interval. | pdate |
bitdefender.gravityzone.ip IP address related to the event, may be source or destination. | string |
bitdefender.gravityzone.is_fileless_attack Boolean flag indicating a fileless attack was detected. | boolean |
bitdefender.gravityzone.is_partner Boolean flag indicating the event relates to a partner environment. | boolean |
bitdefender.gravityzone.is_scheduled Flag indicating whether the action was scheduled | boolean |
bitdefender.gravityzone.is_successful Flag indicating whether the action succeeded | boolean |
bitdefender.gravityzone.item_count Number of items processed | pint |
bitdefender.gravityzone.last_blocked Timestamp of the last blocked event | pdate |
bitdefender.gravityzone.last_notification_date Date of the last notification sent | pdate |
bitdefender.gravityzone.license_company_id Identifier of the licensed company | string |
bitdefender.gravityzone.license_key License key string | string |
bitdefender.gravityzone.license_limit Maximum allowed licenses | pint |
bitdefender.gravityzone.loadAverage System load average | pint |
bitdefender.gravityzone.localPath Local file or directory path | string |
bitdefender.gravityzone.local_port Local network port number | pint |
bitdefender.gravityzone.location Geographical or network location | string |
bitdefender.gravityzone.location_type Type of location (e.g., site, region) | pint |
bitdefender.gravityzone.mailboxes Number of mailboxes monitored | pint |
bitdefender.gravityzone.main_action Primary action taken | string |
bitdefender.gravityzone.malware_hash Hash of the detected malware | string |
bitdefender.gravityzone.malware_name Name of the detected malware | string |
bitdefender.gravityzone.malware_path File path of the detected malware | string |
bitdefender.gravityzone.malware_status Status of the malware event | string |
bitdefender.gravityzone.malware_type Type or category of the malware | string |
bitdefender.gravityzone.memoryUsage Memory usage in megabytes | pint |
bitdefender.gravityzone.mode Operating mode code | pint |
bitdefender.gravityzone.module Module or component name | string |
bitdefender.gravityzone.name General name field | text_general |
bitdefender.gravityzone.networkSharePath Path to the network share | string |
bitdefender.gravityzone.networkUsage Amount of network bandwidth used | pint |
bitdefender.gravityzone.next_backup Scheduled time for next backup | pdate |
bitdefender.gravityzone.os Operating system name and version | string |
bitdefender.gravityzone.overallUsage Overall resource usage percentage | pint |
bitdefender.gravityzone.parent_process_id Process ID of the parent process | pint |
bitdefender.gravityzone.parent_process_path File path of the parent process executable | string |
bitdefender.gravityzone.parent_process_pid Process ID of the parent process. | pint |
bitdefender.gravityzone.patch_management Flag indicating whether patch management is enabled | boolean |
bitdefender.gravityzone.platform Hardware or software platform identifier | string |
bitdefender.gravityzone.policy_name Name of the applied security policy | string |
bitdefender.gravityzone.powered_off Flag indicating if the endpoint is powered off | boolean |
bitdefender.gravityzone.process_command_line Full command line of the process | string |
bitdefender.gravityzone.process_info_command_line Command line from process metadata | string |
bitdefender.gravityzone.process_info_path Executable path from process metadata | string |
bitdefender.gravityzone.process_path Filesystem path of the process executable | string |
bitdefender.gravityzone.process_pid Process ID of the process that raised the event. | pint |
bitdefender.gravityzone.productName Name of the product | text_general |
bitdefender.gravityzone.productVersion Version of the product | string |
bitdefender.gravityzone.product_id Internal product identifier | pint |
bitdefender.gravityzone.product_installed Flag indicating if the product is installed | string |
bitdefender.gravityzone.product_registration Registration status or ID of the product | string |
bitdefender.gravityzone.protected_entities.company.id ID of a protected company entity | strings |
bitdefender.gravityzone.protected_entities.company.name Name of a protected company entity | strings |
bitdefender.gravityzone.protected_entities.name Names of protected entities | strings |
bitdefender.gravityzone.protected_entities_more Additional count of protected entities | pint |
bitdefender.gravityzone.protocol_id Numeric identifier of the protocol used | pint |
bitdefender.gravityzone.pu_status Patch management status flag | boolean |
bitdefender.gravityzone.publisher Software publisher name | string |
bitdefender.gravityzone.recipients List of email recipients | strings |
bitdefender.gravityzone.recv_for_his_company Flag indicating reception for own company | boolean |
bitdefender.gravityzone.recv_for_partner_company Flag indicating reception for a partner company | boolean |
bitdefender.gravityzone.release_date Release date of the software update | pdate |
bitdefender.gravityzone.request_time Time when the request was made | pdate |
bitdefender.gravityzone.ruleName Name of the applied rule | string |
bitdefender.gravityzone.sandboxDetection Sandbox detection flag | boolean |
bitdefender.gravityzone.sandboxHostname Hostname of the sandbox | string |
bitdefender.gravityzone.saveToBitdefenderCloud Flag to save data to Bitdefender Cloud | boolean |
bitdefender.gravityzone.scanEngineType Type of scan engine used | pint |
bitdefender.gravityzone.scanMode Mode of scan performed | string |
bitdefender.gravityzone.securityContainers.hostName Hostname of the security container | strings |
bitdefender.gravityzone.securityContainers.securityContainerName Name of the security container | strings |
bitdefender.gravityzone.security_server_version Version of the security server | string |
bitdefender.gravityzone.sender Sender identifier | string |
bitdefender.gravityzone.server_name Name of the server | string |
bitdefender.gravityzone.servers_total Total number of servers | pint |
bitdefender.gravityzone.servers_used Number of servers used | pint |
bitdefender.gravityzone.severity Severity level of the event | string |
bitdefender.gravityzone.severity_score Severity score of the event | pint |
bitdefender.gravityzone.show_company_name Flag to show company name | boolean |
bitdefender.gravityzone.signaturesNumber Number of signatures | string |
bitdefender.gravityzone.source_ip Source IP address | string |
bitdefender.gravityzone.startDate Start date of the event | pdate |
bitdefender.gravityzone.status Current status | string |
bitdefender.gravityzone.storage_ip IP address of the storage | string |
bitdefender.gravityzone.storage_name Name of the storage | string |
bitdefender.gravityzone.storage_type Type of storage used | string |
bitdefender.gravityzone.subject Subject of the event | string |
bitdefender.gravityzone.svaLoad SVA load value | string |
bitdefender.gravityzone.target_name Name of the target | string |
bitdefender.gravityzone.target_type Type of the target | string |
bitdefender.gravityzone.taskId Identifier of the task | string |
bitdefender.gravityzone.taskName Name of the task | text_general |
bitdefender.gravityzone.taskType Type of the task | string |
bitdefender.gravityzone.threat_type Type of the threat detected | string |
bitdefender.gravityzone.threshold Configured threshold value | pint |
bitdefender.gravityzone.thumbprints List of certificate thumbprints | strings |
bitdefender.gravityzone.timestamp Event timestamp | pdate |
bitdefender.gravityzone.total Total count | pint |
bitdefender.gravityzone.uc_type Unified console type | string |
bitdefender.gravityzone.update_type Type of update performed | pint |
bitdefender.gravityzone.url Associated URL | string |
bitdefender.gravityzone.used Used amount | pint |
bitdefender.gravityzone.user.id User identifier | string |
bitdefender.gravityzone.user.name User name | string |
bitdefender.gravityzone.user.sid Security identifier of the user | string |
bitdefender.gravityzone.user_sid Security identifier (SID) of the user account. | string |
bitdefender.gravityzone.users List of users | strings |
bitdefender.gravityzone.vendorId Vendor identifier | pint |
bitdefender.gravityzone.victim_ip IP address of the victim endpoint | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.