Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (10)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and similar values that every namespace needs. Sharing these fields keeps the data consistent and makes cross-namespace searches and reports straightforward.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.product | Product name or component generating the log. | gdata.Product | strings |
| gen.severity | Normalized severity field across log sources. | gdata.Severity | strings |
| gen.vendor | Vendor name of the product generating the log. | gdata.Vendor | strings |
| gen.av.infectionName | Name of the detected infection or malware. | gdata.Virusname | strings |
| gen.av.action | Action taken by antivirus (e.g., blocked, quarantined, cleaned). | gdata.act | strings |
| gen.src.ip | Source IP address. | gdata.dvc | text_general |
| gen.hostname | Normalized hostname of the system generating the log. | gdata.dvchost | text_general |
| gen.file.name | File name associated with the event. | gdata.filepath, gdata.fname | strings |
| gen.file.path | Full file path associated with the event. | gdata.filepath, gdata.fname | strings |
| gen.username | Username associated with the event. | gdata.suser | text_general |
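The mapping above can be applied mechanically. The following is an added example (not the SIEM's own parser) that derives the gen.* fields from whatever gdata.* fields an event carries, omitting any whose source is absent. Two details are assumptions: "strings" is treated as a multi-valued field (emitted as a list), and when only gdata.filepath is present the file name is taken as its last path component; the sample event is constructed.

```python
import ipaddress
from os.path import basename

# gen.* field -> (candidate gdata.* sources in priority order, multi-valued?)
# Sources come from the Generic Fields table; priority order and the
# multi-valued reading of the "strings" type are assumptions.
GEN_MAPPING = {
    "gen.product":          (("gdata.Product",), True),
    "gen.severity":         (("gdata.Severity",), True),
    "gen.vendor":           (("gdata.Vendor",), True),
    "gen.av.infectionName": (("gdata.Virusname",), True),
    "gen.av.action":        (("gdata.act",), True),
    "gen.src.ip":           (("gdata.dvc",), False),
    "gen.hostname":         (("gdata.dvchost",), False),
    "gen.file.name":        (("gdata.fname", "gdata.filepath"), True),
    "gen.file.path":        (("gdata.filepath", "gdata.fname"), True),
    "gen.username":         (("gdata.suser",), False),
}

def _present(event, key):
    return event.get(key) not in (None, "")

def normalize(event: dict) -> dict:
    """Return the gen.* fields derivable from the gdata.* fields in `event`.
    Fields with no usable source are left out, matching the page's
    'omitted if not applicable' rule for emitted events."""
    out = {}
    for gen_field, (sources, multi) in GEN_MAPPING.items():
        src = next((s for s in sources if _present(event, s)), None)
        if src is None:
            continue
        value = event[src]
        if gen_field == "gen.file.name" and src == "gdata.filepath":
            # Assumption: only a full path is present, so use its last component
            value = basename(str(value).replace("\\", "/"))
        if gen_field == "gen.src.ip":
            # gdata.dvc is text_general; validate before treating it as an IP
            try:
                value = str(ipaddress.ip_address(str(value).strip()))
            except ValueError:
                continue  # malformed device strings never reach gen.src.ip
        out[gen_field] = [str(value)] if multi else str(value)
    return out

# Constructed sample event (placeholder values, not real log data)
SAMPLE_EVENT = {
    "gdata.Vendor": "G DATA", "gdata.Product": "EXAMPLE-PRODUCT",
    "gdata.Severity": 8, "gdata.Virusname": "EICAR-Test-File",
    "gdata.act": "quarantined", "gdata.dvc": "10.0.0.5",
    "gdata.dvchost": "ws-017", "gdata.suser": "alice",
    "gdata.filepath": "C:\\Users\\alice\\Downloads\\eicar.com",
}
```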
Reference-Specific Fields (47)
| Field | Type |
|---|---|
| gdata.EventClassID | pint |
| gdata.GDataClientDescription | text_general |
| gdata.GDataNetgroupId | plong |
| gdata.GDataRefId | string |
| gdata.GDataRequestStatus | string |
| gdata.GDataTenant | string |
| gdata.GDataTenantId | pint |
| gdata.GDataThreat | text_general |
| gdata.Message | text_general |
| gdata.Product | string |
| gdata.ProductVersion | text_general |
| gdata.Quarantine_File | text_general |
| gdata.Report_ID | pint |
| gdata.Severity | pint |
| gdata.Vendor | string |
| gdata.Virusname | text_general |
| gdata.act | text_general |
| gdata.cat | string |
| gdata.cn1 | plong |
| gdata.cn1Label | string |
| gdata.cn2 | plong |
| gdata.cn2Label | string |
| gdata.cs1 | string |
| gdata.cs1Label | string |
| gdata.cs2 | string |
| gdata.cs2Label | string |
| gdata.cs3 | string |
| gdata.cs3Label | string |
| gdata.cs4 | string |
| gdata.cs4Label | string |
| gdata.cs5 | string |
| gdata.cs5Label | string |
| gdata.cs6 | string |
| gdata.cs6Label | string |
| gdata.deviceExternalId | string |
| gdata.dproc | text_general |
| gdata.duser | text_general |
| gdata.dvc | text_general |
| gdata.dvchost | text_general |
| gdata.fileHash | string |
| gdata.filepath | text_general |
| gdata.fname | text_general |
| gdata.request | string |
| gdata.spid | plong |
| gdata.sproc | text_general |
| gdata.start | pdate |
| gdata.suser | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.