Global Fields (4)

| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (1)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.

| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.av.infectionCategory | Category of detected malware or infection. | gen.signatures.category | strings |
Reference-Specific Fields (73)

| Field | Description | Type |
|---|---|---|
| gen.av.action | Action taken by antivirus (e.g., blocked, quarantined, cleaned). | strings |
| gen.av.infectionCategory | Category of detected malware or infection. | strings |
| gen.av.infectionName | Name of the detected infection or malware. | strings |
| gen.av.status | Status of the antivirus event (e.g., success, failure). | strings |
| gen.dest.badip.category | Category of malicious reputation assigned to the destination IP. | strings |
| gen.dest.badip.is | Indicates if the destination IP is flagged as malicious. | boolean |
| gen.dest.badip.source | Source of the threat intelligence marking the destination IP as bad. | strings |
| gen.dest.geoip.city | Destination IP's city based on GeoIP lookup. | text_general |
| gen.dest.geoip.code | Destination IP's country code based on GeoIP lookup. | string |
| gen.dest.geoip.continent | Destination IP's continent based on GeoIP lookup. | text_general |
| gen.dest.geoip.country | Destination IP's country name based on GeoIP lookup. | text_general |
| gen.dest.geoip.organisation | Organisation/ISP associated with the destination IP. | text_general |
| gen.dest.interface | Network interface used for the destination connection. | strings |
| gen.dest.ip | Destination IP address. | text_general |
| gen.dest.ipIsIPv4 | Indicates if the destination IP is IPv4. | boolean |
| gen.dest.ipIsInternal | Indicates if the destination IP belongs to an internal network. | boolean |
| gen.dest.mac | MAC address of the destination device. | string |
| gen.dest.port | Destination port number. | pint |
| gen.dns.domain | Queried DNS domain name. | strings |
| gen.dns.record | DNS record type (e.g., A, AAAA, MX). | strings |
| gen.dns.server | DNS server used for the query. | strings |
| gen.facility | Normalized facility field across log sources. | string |
| gen.file.name | File name associated with the event. | strings |
| gen.file.path | Full file path associated with the event. | strings |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | strings |
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | plong |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | plong |
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | strings |
| gen.group | User group associated with the event. | strings |
| gen.hostname | Normalized hostname of the system generating the log. | text_general |
| gen.mail.receiver | Email address of the message recipient. | strings |
| gen.mail.sender | Email address of the message sender. | strings |
| gen.mail.size | Size of the email in bytes. | plong |
| gen.mail.subject | Subject line of the email. | strings |
| gen.process.action | Action performed by the process (e.g., start, stop, create). | strings |
| gen.process.commandline | Command line used to start the process. | string |
| gen.process.parent.commandline | Command line of the parent process. | string |
| gen.process.parent.pid | Process ID of the parent process. | pint |
| gen.process.parent.process | Name of the parent process. | string |
| gen.process.pid | Process ID of the running process. | pint |
| gen.process.privileges | Privileges under which the process is running. | strings |
| gen.process.process | Name of the process. | string |
| gen.product | Product name or component generating the log. | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | strings |
| gen.proxy.bytesReceived | Bytes received through the proxy session. | pint |
| gen.proxy.bytesSent | Bytes sent through the proxy session. | pint |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | string |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | pint |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | string |
| gen.proxy.referrer | HTTP referrer header value. | string |
| gen.proxy.userAgent | User agent string from the HTTP request. | string |
| gen.severity | Normalized severity field across log sources. | strings |
| gen.signatures.category | Category of the triggered detection signature. | strings |
| gen.signatures.malicious | Indicates if the signature is malicious. | boolean |
| gen.signatures.source | Source that provided the detection signature. | strings |
| gen.src.badip.category | Category of malicious reputation assigned to the source IP. | strings |
| gen.src.badip.is | Indicates if the source IP is flagged as malicious. | boolean |
| gen.src.badip.source | Source of the threat intelligence marking the source IP as bad. | strings |
| gen.src.geoip.city | Source IP's city based on GeoIP lookup. | text_general |
| gen.src.geoip.code | Source IP's country code based on GeoIP lookup. | string |
| gen.src.geoip.continent | Source IP's continent based on GeoIP lookup. | text_general |
| gen.src.geoip.country | Source IP's country name based on GeoIP lookup. | text_general |
| gen.src.geoip.organisation | Organisation/ISP associated with the source IP. | text_general |
| gen.src.interface | Network interface used for the source connection. | strings |
| gen.src.ip | Source IP address. | text_general |
| gen.src.ipIsIPv4 | Indicates if the source IP is IPv4. | boolean |
| gen.src.ipIsInternal | Indicates if the source IP belongs to an internal network. | boolean |
| gen.src.mac | MAC address of the source device. | string |
| gen.src.port | Source port number. | pint |
| gen.ssid | SSID of the wireless network used. | strings |
| gen.username | Username associated with the event. | text_general |
| gen.vendor | Vendor name of the product generating the log. | strings |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.