Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (3)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields ensures consistency and makes cross-namespace searches and reports straightforward: a query on gen.severity, for example, matches detections from every namespace that populates it, regardless of the namespace-specific field it was derived from.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.file.name | File name associated with the event. | ngs.apt.location | strings |
| gen.file.path | Full file path associated with the event. | ngs.apt.location | strings |
| gen.severity | Normalized severity field across log sources. | ngs.apt.severity | strings |
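The mapping in the table above can be applied in code. The following is an added example, not the vendor's own normalization logic: it assumes events arrive as flat dictionaries keyed by the dotted field names on this page, derives gen.file.name as the basename of ngs.apt.location (the table lists the same source for both gen.file.* fields), lower-cases ngs.apt.severity into the four ratings the reference table names, and adds two checks a SIEM engineer would want before indexing: required global fields present, and hash fields that are actually hex digests of the right length. All function names and the sample events are constructed for the example.

```python
"""Normalize ngs.apt.* detection events into the shared gen.* fields.

Added example (not the vendor's code). Assumes each event is a flat dict
keyed by the dotted field names documented on this page.
"""
import re

# Source of each generic field, per the Generic Fields table on this page.
GENERIC_FIELD_SOURCES = {
    "gen.file.path": "ngs.apt.location",
    "gen.file.name": "ngs.apt.location",   # basename derived from the path
    "gen.severity": "ngs.apt.severity",
}

# Rating scale listed for ngs.apt.severity, lowest to highest.
SEVERITY_LEVELS = ("low", "medium", "high", "critical")

# Expected hex-digest lengths for the hash fields in the reference table.
HASH_LENGTHS = {"ngs.apt.md5": 32, "ngs.apt.sha1": 40, "ngs.apt.sha256": 64}

# Global fields every log entry is expected to carry.
GLOBAL_FIELDS = ("ngs.createdAt", "ngs.id", "ngs.indexedAt", "ngs.source")


def file_name_from_path(path):
    """Basename of a path written with either Windows or POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def normalize_apt_event(event):
    """Return a copy of `event` with gen.* fields filled from ngs.apt.* fields.

    Fields the source omitted are left absent rather than filled with
    placeholders, so cross-namespace searches never match invented values.
    An unrecognised severity raises instead of being silently guessed.
    """
    out = dict(event)
    location = event.get("ngs.apt.location")
    if location:
        out["gen.file.path"] = location
        out["gen.file.name"] = file_name_from_path(location)
    severity = event.get("ngs.apt.severity")
    if severity is not None:
        level = str(severity).strip().lower()
        if level not in SEVERITY_LEVELS:
            raise ValueError(f"unknown severity {severity!r} in {event.get('ngs.id')}")
        out["gen.severity"] = level
    return out


def validation_errors(event):
    """List schema problems: missing global fields and malformed hash digests."""
    errors = [f"missing {f}" for f in GLOBAL_FIELDS if f not in event]
    for field, length in HASH_LENGTHS.items():
        value = event.get(field)
        if value is not None and not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", value):
            errors.append(f"{field} is not a {length}-char hex digest")
    return errors


def at_least(events, minimum):
    """Filter on gen.severity; works for any namespace that populates it."""
    floor = SEVERITY_LEVELS.index(minimum)
    return [
        e for e in events
        if "gen.severity" in e and SEVERITY_LEVELS.index(e["gen.severity"]) >= floor
    ]


# Constructed sample events (not the page's sample log): a Windows path,
# a POSIX path with a bad md5, and an entry with ngs.apt.location omitted.
SAMPLE_EVENTS = [
    {
        "ngs.id": "evt-0001", "ngs.source": "apt-scanner",
        "ngs.createdAt": "2024-01-01T00:00:00Z", "ngs.indexedAt": "2024-01-01T00:00:05Z",
        "ngs.apt.location": "C:\\Windows\\System32\\svchost.exe",
        "ngs.apt.severity": "High",
        "ngs.apt.sha256": "a" * 64,
    },
    {
        "ngs.id": "evt-0002", "ngs.source": "apt-scanner",
        "ngs.createdAt": "2024-01-01T00:01:00Z", "ngs.indexedAt": "2024-01-01T00:01:05Z",
        "ngs.apt.location": "/tmp/loader.sh",
        "ngs.apt.severity": "low",
        "ngs.apt.md5": "not-a-hash",
    },
    {
        "ngs.id": "evt-0003", "ngs.source": "apt-scanner",
        "ngs.createdAt": "2024-01-01T00:02:00Z",
        "ngs.apt.severity": "critical",
    },
]

if __name__ == "__main__":
    normalized = [normalize_apt_event(e) for e in SAMPLE_EVENTS]
    for e in normalized:
        print(e["ngs.id"], e.get("gen.file.name"), e.get("gen.severity"), validation_errors(e))
    print([e["ngs.id"] for e in at_least(normalized, "high")])
```

Run the file directly to see the normalized fields and validation results for the three constructed events; `at_least(normalized, "high")` returns the first and third event, which is the kind of severity-threshold query the generic fields exist to support.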
Reference-Specific Fields (12)
| Field | Description | Type |
|---|---|---|
| ngs.apt.location | Absolute file-system path where the suspicious object was found (e.g., "C:\Windows\System32\svchost.exe"). | string |
| ngs.apt.md5 | MD5 checksum of the file's content at detection time. | string |
| ngs.apt.planId | Identifier of the scan plan that scheduled or triggered the detection. | string |
| ngs.apt.planName | Human-readable name of the plan that defined scope, cadence and hosts for the scan. | text_general |
| ngs.apt.ruleId | Internal ID of the YARA or signature rule that matched the file. | string |
| ngs.apt.ruleName | Descriptive title of the detection rule (e.g., "Suspicious Powershell Loader"). | text_general |
| ngs.apt.scanAlias | Optional user-defined alias that makes the scan easier to recognize (e.g., "Weekly Deep Scan"). | text_general |
| ngs.apt.scanId | Unique identifier of the concrete scan execution in which the finding occurred. | string |
| ngs.apt.scanName | Label of the scan run (often auto-generated from date or host selection). | text_general |
| ngs.apt.severity | Qualitative risk rating assigned to the detection (low, medium, high, critical). | string |
| ngs.apt.sha1 | SHA-1 hash of the file for integrity and reputation look-ups. | string |
| ngs.apt.sha256 | SHA-256 hash of the file for accurate, collision-resistant identification. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.