Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (4)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and similar values that every namespace needs. Because each generic field is populated from a namespace-specific field (see the mapping below), they stay consistent across log sources and make cross-namespace searches and reports straightforward.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | ngs.ids.action | strings |
| gen.dest.ip | Destination IP address. | ngs.ids.ipDestination | text_general |
| gen.src.ip | Source IP address. | ngs.ids.ipSource | text_general |
| gen.severity | Normalized severity field across log sources. | ngs.ids.severity | strings |
Reference-Specific Fields (14)
| Field | Description | Type |
|---|---|---|
| ngs.ids.action | Action that the system took in response to the alert (alert, block, drop, allow, quarantine, etc.). | string |
| ngs.ids.blocked | Boolean flag indicating whether the associated IPS component blocked the traffic (true) or only logged it (false). | boolean |
| ngs.ids.category | High-level threat class assigned to the event, such as "web-attack", "malware", "network-scan", etc. | text_general |
| ngs.ids.foreignIpDestination | External (non-local) destination IP involved in the event, if different from the monitored host. | text_general |
| ngs.ids.hostnames | List of hostnames resolved or referenced within the alert (may include requested domains or internal hosts). | text_generals |
| ngs.ids.ipDestination | Destination IP address targeted by the detected connection or payload. | text_general |
| ngs.ids.ipSource | IP address from which the suspicious traffic or activity originated. | text_general |
| ngs.ids.location.code | ISO-3166-1 alpha-2 country code derived from the source IP geolocation. | string |
| ngs.ids.location.continent | Continent name (e.g., Europe, Asia) associated with the source IP. | text_general |
| ngs.ids.location.country | Full country name corresponding to the source IP address. | text_general |
| ngs.ids.location.organization | Autonomous System (AS) or organization name that owns the source IP range. | text_general |
| ngs.ids.payload | Captured packet segment or base64-encoded content snippet that triggered the rule (for forensic review). | text_generals |
| ngs.ids.severity | Textual severity rating assigned by the IDS (e.g., low, medium, high, critical). | string |
| ngs.ids.type | Detection engine or rule type that raised the alert (e.g., signature, anomaly, policy, brute-force). | text_general |
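The following is an added example, not part of this reference and not the SIEM's own code. It shows how an ingestion step could type-check an ngs.ids event against the field types in the tables above and populate the gen.* aliases from the Generic Fields mapping. The field names, types and mapping come from the tables; everything else is an assumption: that pdate values arrive as ISO-8601 timestamps with a timezone, that the plural types (strings, text_generals) are multi-valued lists, and that a scalar source value is wrapped in a one-element list when its gen.* alias is multi-valued (ngs.ids.action is string, gen.firewall.action is strings). The sample event is constructed for the example.

```python
from datetime import datetime

# Generic field -> reference-specific field, taken from the Generic Fields table.
GENERIC_MAP = {
    "gen.firewall.action": "ngs.ids.action",
    "gen.dest.ip": "ngs.ids.ipDestination",
    "gen.src.ip": "ngs.ids.ipSource",
    "gen.severity": "ngs.ids.severity",
}

# Field -> declared type, taken from the Global, Generic and Reference-Specific tables.
FIELD_TYPES = {
    "ngs.createdAt": "pdate",
    "ngs.id": "string",
    "ngs.indexedAt": "pdate",
    "ngs.source": "string",
    "gen.firewall.action": "strings",
    "gen.dest.ip": "text_general",
    "gen.src.ip": "text_general",
    "gen.severity": "strings",
    "ngs.ids.action": "string",
    "ngs.ids.blocked": "boolean",
    "ngs.ids.category": "text_general",
    "ngs.ids.foreignIpDestination": "text_general",
    "ngs.ids.hostnames": "text_generals",
    "ngs.ids.ipDestination": "text_general",
    "ngs.ids.ipSource": "text_general",
    "ngs.ids.location.code": "string",
    "ngs.ids.location.continent": "text_general",
    "ngs.ids.location.country": "text_general",
    "ngs.ids.location.organization": "text_general",
    "ngs.ids.payload": "text_generals",
    "ngs.ids.severity": "string",
    "ngs.ids.type": "text_general",
}

# Assumption: the plural type names denote multi-valued (list) fields.
MULTI_VALUED = {"strings", "text_generals"}


def _is_pdate(value):
    """Assumption: pdate values are ISO-8601 strings and must carry a timezone."""
    if not isinstance(value, str):
        return False
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def _check_type(value, ftype):
    """Return True if value is acceptable for the declared field type."""
    if ftype == "boolean":
        return isinstance(value, bool)
    if ftype == "pdate":
        return _is_pdate(value)
    if ftype in ("string", "text_general"):
        return isinstance(value, str)
    if ftype in MULTI_VALUED:
        return isinstance(value, list) and all(isinstance(v, str) for v in value)
    return False


def validate(event):
    """Return a list of problems; an empty list means the event matches the tables."""
    problems = []
    for field, value in event.items():
        if field not in FIELD_TYPES:
            problems.append(f"unknown field {field}")
        elif not _check_type(value, FIELD_TYPES[field]):
            problems.append(
                f"{field}: expected {FIELD_TYPES[field]}, got {type(value).__name__}"
            )
    return problems


def add_generic_fields(event):
    """Copy each mapped reference-specific value into its gen.* alias.

    Fields absent from the event are skipped (the page notes that fields may be
    omitted when not applicable). A scalar is wrapped in a list when the alias is
    multi-valued, so the result still passes validate().
    """
    out = dict(event)
    for gen_field, ref_field in GENERIC_MAP.items():
        if ref_field not in event:
            continue
        value = event[ref_field]
        if FIELD_TYPES[gen_field] in MULTI_VALUED and not isinstance(value, list):
            value = [value]
        out[gen_field] = value
    return out


# Constructed sample event for this example (not the page's own sample log event).
SAMPLE = {
    "ngs.id": "example-0001",
    "ngs.source": "ids-sensor-lab",
    "ngs.createdAt": "2024-01-01T00:00:00Z",
    "ngs.indexedAt": "2024-01-01T00:00:05Z",
    "ngs.ids.action": "block",
    "ngs.ids.blocked": True,
    "ngs.ids.ipSource": "203.0.113.7",
    "ngs.ids.ipDestination": "192.0.2.10",
    "ngs.ids.severity": "high",
    "ngs.ids.hostnames": ["host.example"],
}

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    print("enriched:", add_generic_fields(SAMPLE))
```

Running the block on the constructed sample reports no problems and adds gen.src.ip, gen.dest.ip, gen.firewall.action (as a one-element list) and gen.severity; a string "true" in ngs.ids.blocked or a timestamp without a timezone is reported, which is the kind of mismatch that silently breaks cross-namespace searches if it reaches the index.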
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.