Global Fields (4)
| Field | Description | Type |
|---|---|---|
| `ngs.createdAt` | Timestamp when the event was created locally. | pdate |
| `ngs.id` | Unique identifier for the log entry. | string |
| `ngs.indexedAt` | Timestamp when the log was indexed into the SIEM. | pdate |
| `ngs.source` | Origin or source system of the log. | string |
Generic Fields (2)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields keeps naming consistent and makes it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| `gen.username` | Username associated with the event. | `confluence.attributes.actor.name` | text_general |
| `gen.src.ip` | Source IP address. | `confluence.attributes.location.ip` | text_general |
Reference-Specific Fields (32)
| Field | Description | Type |
|---|---|---|
| `confluence.attributes.action` | Brief action description, mapped from the API's `summary` field (e.g., create, update, delete). | text_general |
| `confluence.attributes.actor.email` | Email address of the actor, if available via the API's user data. | text_general |
| `confluence.attributes.actor.id` | ID of the user who performed the action, from `author.username` or `accountId` in the API. | string |
| `confluence.attributes.actor.links.alt` | Alternate link URL for the actor resource, from `author._links.alternate`. | string |
| `confluence.attributes.actor.links.self` | Self link URL for the actor resource, from `author._links.self`. | string |
| `confluence.attributes.actor.name` | Display name of the actor, taken from `author.displayName` in the API. | text_general |
| `confluence.attributes.container.attributes.name` | Nested attribute name within container metadata, as defined by the API's schema. | text_generals |
| `confluence.attributes.container.attributes.siteHostName` | Nested siteHostName attribute within container metadata. | text_generals |
| `confluence.attributes.container.attributes.siteName` | Nested siteName attribute within container metadata. | text_generals |
| `confluence.attributes.container.id` | ID(s) of the container(s) affected, mapped from `affectedObject.name` or `associatedObjects[].name`. | strings |
| `confluence.attributes.container.links.alt` | Alternate link(s) for the container resource(s), from `affectedObject._links.alternate` or similar. | strings |
| `confluence.attributes.container.links.self` | Self link(s) for the container resource(s), from `affectedObject._links.self` or similar. | strings |
| `confluence.attributes.container.siteHostName` | Host name of the site for each container, if provided by the API. | text_generals |
| `confluence.attributes.container.siteName` | Site name for the container(s), if provided in the API's container attributes. | text_generals |
| `confluence.attributes.container.type` | Type of the container(s) (e.g., space, page), from `affectedObject.objectType` or `associatedObjects[].objectType`. | text_generals |
| `confluence.attributes.context.attributes.name` | Name attribute(s) within the context metadata, per the API's associatedObjects schema. | text_generals |
| `confluence.attributes.context.attributes.status` | Status value(s) of the context entity (e.g., current, archived), if provided by the API. | strings |
| `confluence.attributes.context.attributes.type` | Type attribute(s) within the context metadata. | text_generals |
| `confluence.attributes.context.id` | ID(s) of contextual entities (e.g., parent page or comment), from `associatedObjects[].name`. | strings |
| `confluence.attributes.context.links.alt` | Alternate link(s) for the context resource(s). | strings |
| `confluence.attributes.context.links.self` | Self link(s) for the context resource(s). | strings |
| `confluence.attributes.context.type` | Type(s) of contextual entities (e.g., page, comment), from `associatedObjects[].objectType`. | text_generals |
| `confluence.attributes.location.city` | City derived from the origin IP via geo-lookup. | text_general |
| `confluence.attributes.location.countryName` | Country name derived from the origin IP, via geo-lookup on `remoteAddress`. | text_general |
| `confluence.attributes.location.ip` | IP address from which the action originated, from the `remoteAddress` field in the API. | text_general |
| `confluence.attributes.location.regionName` | Region name derived from the origin IP via geo-lookup. | text_general |
| `confluence.attributes.time` | Unix timestamp when the event occurred, from the `creationDate` field in the API response. | pdate |
| `confluence.id` | Unique identifier of the audit record, matching the API's internal record ID. | string |
| `confluence.links.self` | Self link for the overall audit query, from the top-level `_links.self` in the API response. | string |
| `confluence.message.content` | Detailed description or message body of the audit event, from the API's `description` field. | text_general |
| `confluence.message.format` | Format of the audit message content indicating how `confluence.message.content` is encoded. | text_general |
| `confluence.type` | Resource type constant for audit records (fixed value "audit"). | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.