Enginsight Intrusion Detection System (IDS)
Enginsight IDS is a host-based intrusion-detection system providing signature and anomaly alerts for OS and application activity.
Global Fields (4)

Field | Description | Type
---|---|---
ngs.id | Unique identifier for the log entry. | string
ngs.createdAt | Timestamp when the event was created locally on the host. | pdate
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate
ngs.source | Origin or source system of the log. | string
Reference-Specific Fields (14)

Field | Description | Type
---|---|---
ngs.ids.type | Detection engine or rule type that raised the alert (e.g. signature, anomaly, policy, brute-force). | text_general
ngs.ids.category | High-level threat class assigned to the event, e.g. "web-attack", "malware" or "network-scan". | text_general
ngs.ids.ipSource | IP address from which the suspicious traffic or activity originated. | text_general
ngs.ids.location.code | ISO 3166-1 alpha-2 country code derived from geolocation of the source IP. | string
ngs.ids.location.country | Full country name corresponding to the source IP address. | text_general
ngs.ids.location.continent | Continent name (e.g. Europe, Asia) associated with the source IP. | text_general
ngs.ids.ipDestination | Destination IP address targeted by the detected connection or payload. | text_general
ngs.ids.foreignIpDestination | External (non-local) destination IP involved in the event, if different from the monitored host. | text_general
ngs.ids.hostnames | List of hostnames resolved or referenced within the alert (may include requested domains or internal hosts). | text_general []
ngs.ids.payload | Captured packet segment or base64-encoded content snippet that triggered the rule, kept for forensic review. | text_general []
ngs.ids.severity | Textual severity rating assigned by the IDS (low, medium, high, critical). | string
ngs.ids.blocked | Whether the associated IPS component blocked the traffic (true) or only logged it (false). | boolean
ngs.ids.action | Action the system took in response to the alert (alert, block, drop, allow, quarantine, etc.). | string
ngs.ids.location.organization | Autonomous System (AS) or organization name that owns the source IP range. | text_general
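The snippet below is an added example, not Enginsight code or output, showing how a SIEM-side triage script would consume events in this schema. The events are constructed for illustration (documentation IP ranges, hypothetical ids and hostnames) and assume the dotted field names are stored as flattened JSON keys, as a search index would hold them; the normalization in `parse_event` and the two detections (`unblocked_alerts`, `noisy_sources`) are this example's own logic, not rules shipped with the product.

```python
import base64
import binascii
import json
from collections import Counter
from datetime import datetime

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _sample(n, **fields):
    """Build one constructed event line: the common ngs.* envelope plus ngs.ids.* fields.
    Values are illustrative only and are not real Enginsight output."""
    base = {"ngs.id": f"evt-{n:04d}", "ngs.createdAt": "2024-05-01T10:15:30Z",
            "ngs.indexedAt": "2024-05-01T10:15:32Z", "ngs.source": "host-web01"}
    base.update({f"ngs.ids.{k}": v for k, v in fields.items()})
    return json.dumps(base)


# Constructed sample events (assumed flattened keys; IPs from RFC 5737 ranges).
SAMPLE_EVENTS = [
    _sample(1, type="signature", category="web-attack", ipSource="203.0.113.10",
            ipDestination="10.0.0.5", hostnames=["shop.example.test"],
            payload=[base64.b64encode(b"GET /?q=' OR 1=1-- HTTP/1.1").decode()],
            severity="high", blocked=False, action="alert"),
    _sample(2, type="brute-force", category="auth", ipSource="198.51.100.7",
            hostnames="ssh.example.test", severity="medium", blocked=False, action="alert"),
    _sample(3, type="brute-force", category="auth", ipSource="198.51.100.7",
            severity="medium", blocked=False, action="alert"),
    _sample(4, type="brute-force", category="auth", ipSource="198.51.100.7",
            severity="medium", blocked=True, action="block"),
    _sample(5, type="signature", category="malware", ipSource="203.0.113.44",
            payload=["<not-base64>"], severity="critical", blocked=True, action="quarantine"),
    _sample(6, type="anomaly", category="network-scan", ipSource="192.0.2.99",
            severity="low", blocked=False, action="alert"),
]


def parse_event(raw: str) -> dict:
    """Parse one JSON line and normalize the fields the detections rely on:
    pdate strings become datetimes, severity is lower-cased, blocked becomes a bool,
    and a bare hostname string is wrapped into the documented list type."""
    ev = json.loads(raw)
    for key in ("ngs.createdAt", "ngs.indexedAt"):
        if key in ev:
            ev[key] = datetime.fromisoformat(ev[key].replace("Z", "+00:00"))
    ev["ngs.ids.severity"] = str(ev.get("ngs.ids.severity", "low")).lower()
    ev["ngs.ids.blocked"] = bool(ev.get("ngs.ids.blocked", False))
    hosts = ev.get("ngs.ids.hostnames", [])
    ev["ngs.ids.hostnames"] = [hosts] if isinstance(hosts, str) else list(hosts)
    return ev


def decode_payloads(ev: dict) -> list:
    """Return payload snippets as text. The field may hold base64 or a raw capture,
    so decode only when the snippet is valid base64 and keep it verbatim otherwise."""
    out = []
    for snippet in ev.get("ngs.ids.payload", []):
        try:
            out.append(base64.b64decode(snippet, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append(snippet)
    return out


def unblocked_alerts(events, min_severity="high"):
    """Events at or above min_severity that the IPS did not block: these still need a human."""
    floor = SEVERITY_RANK[min_severity]
    return [ev for ev in events
            if SEVERITY_RANK.get(ev["ngs.ids.severity"], 0) >= floor
            and not ev["ngs.ids.blocked"]]


def noisy_sources(events, ids_type="brute-force", threshold=3):
    """Source IPs with at least `threshold` alerts of the given ngs.ids.type."""
    counts = Counter(ev.get("ngs.ids.ipSource") for ev in events
                     if ev.get("ngs.ids.type") == ids_type)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def indexing_lag_seconds(ev: dict) -> float:
    """Delay between local creation and SIEM indexing; a large value hints at a stuck agent."""
    return (ev["ngs.indexedAt"] - ev["ngs.createdAt"]).total_seconds()


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    for ev in unblocked_alerts(events):
        print("needs review:", ev["ngs.id"], ev["ngs.ids.category"], decode_payloads(ev))
    print("brute-force sources:", noisy_sources(events))
```

Two caveats worth keeping in mind when adapting this: a short raw packet fragment that happens to be valid base64 will be decoded although it was never encoded, so treat `decode_payloads` output as a convenience view and keep the original field; and `blocked` only tells you what the IPS did, so a high-severity event with `blocked=true` is still worth a look at `ngs.ids.action` to confirm the traffic was dropped rather than merely flagged.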
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.