Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (3)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.file.name | File name associated with the event. | ngs.fim.fileName | strings |
| gen.file.path | Full file path associated with the event. | ngs.fim.fileName | strings |
| gen.username | Username associated with the event. | ngs.fim.username | text_general |
Reference-Specific Fields (15)
| Field | Description | Type |
|---|---|---|
| ngs.fim.cwd | Current working directory of the process at the time of the file operation. | text_generals |
| ngs.fim.domain | Windows or Active Directory domain of the user or host, if applicable. | text_generals |
| ngs.fim.executable | Full path to the executable that initiated the file-system change. | text_generals |
| ngs.fim.fileName | Absolute path and file name that was created, modified or removed. | text_generals |
| ngs.fim.groupId | Identifier of the primary group associated with the acting user or process. | string |
| ngs.fim.groupname | Primary group name tied to the GID involved in the event. | text_generals |
| ngs.fim.logIds | List of low-level audit record IDs that were consolidated into this FIM event. | strings |
| ngs.fim.md5 | MD5 checksum of the file content after the change (blank if the file was deleted). | string |
| ngs.fim.occurrences | Number of times this identical event was observed and aggregated within the reporting interval. | pint |
| ngs.fim.operation | Action that occurred on the file-system object (e.g., create, modify, delete, rename, chmod). | text_generals |
| ngs.fim.rules | Set of FIM detection rules that triggered for the affected file or directory. | strings |
| ngs.fim.sha1 | SHA-1 hash of the file content after the change, used to verify integrity. | string |
| ngs.fim.success | Boolean flag indicating whether the attempted operation succeeded (true) or failed (false). | boolean |
| ngs.fim.userId | Numeric or string user identifier that performed the operation. | string |
| ngs.fim.username | User name associated with the UID that carried out the change. | text_generals |
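As an added example (not the SIEM vendor's own code), the script below checks an event against the field types in the three tables above, derives the gen.* fields from their reference-specific sources, and enforces the rule stated for ngs.fim.md5 (blank after a delete). It assumes that pdate is an ISO-8601 timestamp string, pint an integer, and that the plural type names (strings, text_generals) are multi-valued; the sample event is constructed, not taken from the page.

```python
from datetime import datetime
# Field -> declared SIEM type, copied from the three tables above.
SCHEMA = {
    "ngs.createdAt": "pdate", "ngs.id": "string", "ngs.indexedAt": "pdate",
    "ngs.source": "string", "ngs.fim.cwd": "text_generals", "ngs.fim.domain": "text_generals",
    "ngs.fim.executable": "text_generals", "ngs.fim.fileName": "text_generals",
    "ngs.fim.groupId": "string", "ngs.fim.groupname": "text_generals", "ngs.fim.logIds": "strings",
    "ngs.fim.md5": "string", "ngs.fim.occurrences": "pint", "ngs.fim.operation": "text_generals",
    "ngs.fim.rules": "strings", "ngs.fim.sha1": "string", "ngs.fim.success": "boolean",
    "ngs.fim.userId": "string", "ngs.fim.username": "text_generals",
}
# gen.* field -> reference-specific field it is populated from (Generic Fields table).
GENERIC_MAP = {"gen.file.name": "ngs.fim.fileName",
               "gen.file.path": "ngs.fim.fileName",
               "gen.username": "ngs.fim.username"}
SAMPLE_EVENT = {  # constructed sample event, not the page's own sample log
    "ngs.id": "evt-0001", "ngs.createdAt": "2024-05-01T12:00:00Z", "ngs.source": "host01",
    "ngs.fim.operation": "modify", "ngs.fim.fileName": "/etc/passwd", "ngs.fim.username": "root",
    "ngs.fim.success": True, "ngs.fim.occurrences": 1, "ngs.fim.md5": "0" * 32}

def _type_ok(value, siem_type: str) -> bool:  # assumed mapping of SIEM type names to Python values
    if siem_type == "pdate":  # ISO-8601 timestamp string
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    if siem_type == "pint":
        return isinstance(value, int) and not isinstance(value, bool)
    if siem_type == "boolean":
        return isinstance(value, bool)
    if siem_type in ("strings", "text_generals"):  # assumed multi-valued: one string or a list
        vals = value if isinstance(value, list) else [value]
        return all(isinstance(v, str) for v in vals)
    return isinstance(value, str)  # string / text_general

def validate_fim_event(event: dict) -> list:
    """Return schema violations for one event (an empty list means valid)."""
    errors = [f"unknown field: {k}" for k in event if k not in SCHEMA]
    for field, siem_type in SCHEMA.items():
        if field in event and not _type_ok(event[field], siem_type):
            errors.append(f"{field}: expected {siem_type}, got {event[field]!r}")
    # Rule from the md5 description: no content hash after a delete.
    if event.get("ngs.fim.operation") == "delete" and event.get("ngs.fim.md5"):
        errors.append("ngs.fim.md5 must be blank when the file was deleted")
    return errors

def to_generic(event: dict) -> dict:
    return {gen: event[src] for gen, src in GENERIC_MAP.items() if src in event}
```

Running validate_fim_event on an ingested batch before indexing surfaces type drift (for example a string in ngs.fim.occurrences) that would otherwise silently break cross-namespace searches on the gen.* fields.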
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.