ESET PROTECT
ESET PROTECT server logs: malware detections, firewall alerts, agent status changes and administrator console logins.
Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (68)
Field | Description | Type |
---|---|---|
esetProtect.command_line | The full command-line string used by the process when the detection occurred. | string |
esetProtect.detection_uuid | Unique UUID of this detection record, used to retrieve its full details via GET /v1/detections/{detectionUuid}. | string |
esetProtect.domain | Active Directory domain name of the endpoint where the event was logged. | string |
esetProtect.eialarmid | Internal alarm ID assigned by the ESET Inspect engine for correlating related alerts. | string |
esetProtect.engine_version | Version number of the ESET detection engine that produced this event. | string |
esetProtect.event | Plain-text description of the event type (e.g. detection, remediation, policy update). | text_general |
esetProtect.group_description | Textual description of the group or container (e.g. machine group) involved in the event. | text_general |
esetProtect.group_name | Name of the device group or organizational unit as defined in ESET Protect. | string |
esetProtect.handled | String flag indicating whether the event has been marked handled (e.g. "true"/"false"). | string |
esetProtect.os_name | Operating system name of the endpoint (e.g. Windows 10, macOS). | string |
esetProtect.result | Outcome of the ESET action (e.g. detected, cleaned, blocked). | text_general |
esetProtect.rule_id | Identifier of the detection rule or signature that triggered this event. | string |
esetProtect.scan_id | UUID of the scan session in which this detection occurred (for on-demand or scheduled scans). | string |
esetProtect.scanner_id | Identifier of the scanning engine instance (e.g. module name or internal GUID). | string |
esetProtect.source_uuid | UUID of the source device or agent that reported the event. | string |
esetProtect.trigger_event | Name of the trigger that caused the detection (e.g. file open, scheduled scan). | text_general |
esetProtect.computer_name | Hostname of the computer where the detection or event was logged. | text_general |
esetProtect.first_seen_time | UTC timestamp when the threat was first detected by ESET Protect. | pdate |
esetProtect.firewall_event | Code or name of the firewall action (e.g. "ALLOW", "BLOCK") logged by the endpoint firewall. | string |
esetProtect.process_name | Executable name of the process involved in the event. | text_general |
esetProtect.tgt_address | IP address or hostname of the target resource involved (if network-related). | text_general |
esetProtect.target | Logical name of the target object (file path, registry key, URL, etc.). | text_general |
esetProtect.notification_name | Friendly name of the notification issued (e.g. "Malware Found"). | text_general |
esetProtect.notification_type | Category of notification (e.g. alert, info, warning). | text_general |
esetProtect.msp_customer_name | Name of the MSP customer if managed via ESET MSP console. | text_general |
esetProtect.computer_sg_parent | Name of the parent security group or organizational hierarchy above the device. | text_general |
esetProtect.src_port | Source port number for network-related events. | pint |
esetProtect.completion | UTC timestamp when the remediation or scan action completed. | pdate |
esetProtect.cleaned | Number of items successfully cleaned or remediated in this event. | plong |
esetProtect.detection_type | High-level type of detection (e.g. malware, PUP, suspicious). | string |
esetProtect.object_type | Type of object involved (file, process, registry, network). | string |
esetProtect.user | Logged-on user account name when the event was generated. | text_general |
esetProtect.computer_sg_hierarchy | Full hierarchical path of security groups this computer belongs to. | text_general |
esetProtect.ip_address | IP address involved in the event (e.g. remote host, download URL). | text_general |
esetProtect.tgt_port | Destination port number for network-related detections or blocks. | pint |
esetProtect.msp_company_name | Name of the managed service provider company, if applicable. | text_general |
esetProtect.hash | Hash value (MD5, SHA-1, etc.) of the file or object detected. | string |
esetProtect.action_error | Detailed error message if a remediation or scan action failed. | text_general |
esetProtect.detection_handled | Boolean flag indicating if the detection has been programmatically handled. | boolean |
esetProtect.inbound_comm | True if the event involved inbound network communication. | boolean |
esetProtect.operation | Name of the operation performed (e.g. scan, quarantine, block). | text_general |
esetProtect.infected | Number of files or objects flagged as infected in this event. | plong |
esetProtect.scanner | Name of the scanning module or engine component used. | text_general |
esetProtect.virus_db | Version of the virus signature database in use. | string |
esetProtect.object_uri | URI identifying the object in ESET Protect (e.g. /machines/{id}/files/{path}). | text_general |
esetProtect.tgt_address_type | Type of target address (IPv4, IPv6, hostname). | string |
esetProtect.application | Name of the application context in which the event occurred. | text_general |
esetProtect.scanned_targets | List of target paths scanned during this event (files, folders). | text_general [] |
esetProtect.timestamp | UTC timestamp when this log entry was generated. | pdate |
esetProtect.action | High-level action taken by ESET (e.g. "quarantine", "ignore"). | string |
esetProtect.target_computer_name | Hostname of the target machine for remote-initiated actions. | text_general |
esetProtect.is_hardware_detection_enabled | True if hardware-based detection (e.g. UEFI) was enabled on the endpoint. | boolean |
esetProtect.scanned | Number of objects scanned in this scan job or real-time check. | plong |
esetProtect.circumstances | Contextual details about why this event was generated (e.g. scheduled vs. real-time). | text_general |
esetProtect.cause | Underlying cause or detection method (heuristics, signatures, behavior). | text_general |
esetProtect.rule_name | Human-readable name of the detection rule or signature. | text_general |
esetProtect.computer_severity_score | Numeric severity score assigned to the machine by ESET policy. | plong |
esetProtect.status | Current status of the detection (e.g. "new", "resolved"). | string |
esetProtect.severity | String severity level of this event (e.g. "low", "medium", "high"). | string |
esetProtect.detection_name | Display name of the detected threat or event category. | text_general |
esetProtect.description | Detailed description or remediation recommendation provided with the event. | text_general |
esetProtect.src_address_type | Type of source address (IPv4, IPv6, hostname) for network events. | string |
esetProtect.restart_required | True if a system restart is required after this action. | boolean |
esetProtect.source_computer_name | Hostname of the source machine initiating the event (for remote scans). | text_general |
esetProtect.severity_score | Numeric score representing severity on a standardized scale (0-100). | plong |
esetProtect.occurrences | Count of how many times this same event has recurred on the endpoint. | plong |
esetProtect.ei_console_link | Deep link URL to view this detection or event in the ESET Protect web console. | text_general |
esetProtect.protocol | Network protocol involved (e.g. TCP, UDP, ICMP) if applicable. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.