Generic Fields (Unified Schema)
The "gen" namespace contains vendor-agnostic key names (such as src.ip, dest.port or event.time) used to map equivalent values across all log sources. It acts as the canonical schema layer, so searches, correlations and dashboards work no matter where the data originated.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (73)
Field | Type |
---|---|
gen.src.port | pint |
gen.dest.port | pint |
gen.hostname | text_general |
gen.username | text_general |
gen.av.infectionName | string [] |
gen.av.infectionCategory | string [] |
gen.av.action | string [] |
gen.av.status | string [] |
gen.dns.domain | string [] |
gen.dns.record | string [] |
gen.dns.server | string [] |
gen.file.name | string [] |
gen.file.path | string [] |
gen.firewall.bytesSent | plong |
gen.firewall.bytesReceived | plong |
gen.firewall.direction | string [] |
gen.firewall.rule | string [] |
gen.firewall.action | string [] |
gen.mail.sender | string [] |
gen.mail.subject | string [] |
gen.mail.size | plong |
gen.mail.receiver | string [] |
gen.process.process | string |
gen.process.pid | pint |
gen.process.commandline | string |
gen.process.parent.process | string |
gen.process.parent.pid | pint |
gen.process.parent.commandline | string |
gen.process.action | string [] |
gen.process.privileges | string [] |
gen.proxy.endpoint | string |
gen.proxy.httpStatus | pint |
gen.proxy.bytesSent | pint |
gen.proxy.bytesReceived | pint |
gen.proxy.method | string |
gen.proxy.referrer | string |
gen.proxy.userAgent | string |
gen.group | string [] |
gen.src.mac | string |
gen.dest.mac | string |
gen.severity | string [] |
gen.facility | string |
gen.product | string [] |
gen.vendor | string [] |
gen.protocol | string [] |
gen.src.interface | string [] |
gen.dest.interface | string [] |
gen.ssid | string [] |
gen.signatures.malicious | boolean |
gen.signatures.category | string [] |
gen.signatures.source | string [] |
gen.dest.geoip.code | string |
gen.dest.geoip.country | text_general |
gen.dest.geoip.city | text_general |
gen.dest.geoip.organisation | text_general |
gen.dest.geoip.continent | text_general |
gen.dest.ip | text_general |
gen.dest.ipIsInternal | boolean |
gen.dest.ipIsIPv4 | boolean |
gen.src.geoip.code | string |
gen.src.geoip.country | text_general |
gen.src.geoip.city | text_general |
gen.src.geoip.organisation | text_general |
gen.src.geoip.continent | text_general |
gen.src.ip | text_general |
gen.src.ipIsInternal | boolean |
gen.src.ipIsIPv4 | boolean |
gen.src.badip.is | boolean |
gen.dest.badip.is | boolean |
gen.src.badip.category | string [] |
gen.dest.badip.category | string [] |
gen.src.badip.source | string [] |
gen.dest.badip.source | string [] |
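Added example, not Enginsight's own code: a small normalizer that maps two constructed vendor events onto a subset of the gen.* fields from the table above, casts values to the declared types (pint, plong, string [], boolean), derives the ipIsInternal/ipIsIPv4 flags, and then runs one query across both sources. The vendor key names (acme_fw, acme_proxy), the definition of "internal" and the schema subset are assumptions for illustration.

```python
import ipaddress

# Subset of the schema table, field -> declared type (constructed for this example).
# pint/plong are integers, "string []" is multi-valued, boolean, string, text_general.
SCHEMA_TYPES = {
    "gen.src.ip": "text_general", "gen.dest.ip": "text_general",
    "gen.src.port": "pint", "gen.dest.port": "pint",
    "gen.src.ipIsInternal": "boolean", "gen.src.ipIsIPv4": "boolean",
    "gen.dest.ipIsInternal": "boolean", "gen.dest.ipIsIPv4": "boolean",
    "gen.firewall.action": "string []", "gen.firewall.bytesSent": "plong",
    "gen.proxy.httpStatus": "pint", "gen.proxy.method": "string",
    "gen.vendor": "string []",
}
# Hypothetical vendor key names -> gen keys (not Enginsight's real parsers).
VENDOR_MAPS = {
    "acme_fw": {"srcip": "gen.src.ip", "dstip": "gen.dest.ip", "sport": "gen.src.port",
                "dport": "gen.dest.port", "act": "gen.firewall.action", "sent": "gen.firewall.bytesSent"},
    "acme_proxy": {"client": "gen.src.ip", "server": "gen.dest.ip",
                   "status": "gen.proxy.httpStatus", "verb": "gen.proxy.method"},
}
# "Internal" here means RFC 1918 / IPv6 ULA space (assumption; the product's rule may differ).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def coerce(gen_key, value):
    """Cast a raw value to the type the schema table declares for gen_key."""
    t = SCHEMA_TYPES[gen_key]
    if t in ("pint", "plong"):
        return int(value)
    if t == "boolean":
        return str(value).lower() in ("true", "1", "yes")
    if t == "string []":
        return value if isinstance(value, list) else [str(value)]
    return str(value)

def normalize(vendor, raw):
    """Map one raw vendor event onto gen.* keys and derive the IP helper flags."""
    out = {"gen.vendor": [vendor]}
    for raw_key, gen_key in VENDOR_MAPS[vendor].items():
        if raw_key in raw:
            out[gen_key] = coerce(gen_key, raw[raw_key])
    for side in ("src", "dest"):
        if f"gen.{side}.ip" in out:
            ip = ipaddress.ip_address(out[f"gen.{side}.ip"])
            out[f"gen.{side}.ipIsInternal"] = any(ip in net for net in INTERNAL_NETS)
            out[f"gen.{side}.ipIsIPv4"] = ip.version == 4
    return out

def external_to_internal(events):
    """One query that works over firewall and proxy events alike once normalized."""
    return [e for e in events
            if e.get("gen.src.ipIsInternal") is False and e.get("gen.dest.ipIsInternal") is True]
```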
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.