Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (11)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports. The "Reference-Specific Fields" column lists the namespace-specific fields whose values populate each generic field.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.file.name | File name associated with the event. | ngs.apt.location, ngs.defence.filePath, ngs.fim.fileName | strings |
| gen.file.path | Full file path associated with the event. | ngs.apt.location, ngs.defence.filePath, ngs.fim.fileName | strings |
| gen.severity | Normalized severity field across log sources. | ngs.apt.severity, ngs.ids.severity, ngs.siem.incident.severity | strings |
| gen.av.infectionName | Name of the detected infection or malware. | ngs.defence.virusName | strings |
| gen.username | Username associated with the event. | ngs.fim.username | text_general |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | ngs.ids.action, ngs.shield.action | strings |
| gen.dest.ip | Destination IP address. | ngs.ids.ipDestination, ngs.shield.destination | text_general |
| gen.src.ip | Source IP address. | ngs.ids.ipSource, ngs.shield.source | text_general |
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | ngs.shield.direction | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | ngs.shield.policy, ngs.shield.rule, ngs.shield.ruleName | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | ngs.shield.protocol | strings |
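The following is an added example, not Enginsight's own code: it applies the gen.* mapping from the table above to flat events from different namespaces and then runs a cross-namespace search over the normalized result. The sample events are constructed, and the rule that "strings"-typed generic fields are multi-valued while the text_general ones hold a single value is an assumption about the schema types.

```python
# Mapping taken from the Generic Fields table: gen.* field -> source fields.
GEN_FIELD_MAP = {
    "gen.file.name": ["ngs.apt.location", "ngs.defence.filePath", "ngs.fim.fileName"],
    "gen.file.path": ["ngs.apt.location", "ngs.defence.filePath", "ngs.fim.fileName"],
    "gen.severity": ["ngs.apt.severity", "ngs.ids.severity", "ngs.siem.incident.severity"],
    "gen.av.infectionName": ["ngs.defence.virusName"],
    "gen.username": ["ngs.fim.username"],
    "gen.firewall.action": ["ngs.ids.action", "ngs.shield.action"],
    "gen.dest.ip": ["ngs.ids.ipDestination", "ngs.shield.destination"],
    "gen.src.ip": ["ngs.ids.ipSource", "ngs.shield.source"],
    "gen.firewall.direction": ["ngs.shield.direction"],
    "gen.firewall.rule": ["ngs.shield.policy", "ngs.shield.rule", "ngs.shield.ruleName"],
    "gen.protocol": ["ngs.shield.protocol"],
}
# Assumption: fields typed "strings" are multi-valued lists; the text_general
# generic fields (gen.username, gen.src.ip, gen.dest.ip) hold a single value.
SINGLE_VALUED = {"gen.username", "gen.src.ip", "gen.dest.ip"}


def normalize(event: dict) -> dict:
    """Return a copy of a flat event with gen.* fields filled from whichever
    namespace-specific source fields are present; absent sources are skipped."""
    out = dict(event)
    for gen_field, sources in GEN_FIELD_MAP.items():
        values = [event[s] for s in sources if event.get(s) not in (None, "")]
        if not values:
            continue
        out[gen_field] = values[0] if gen_field in SINGLE_VALUED else values
    return out


def search(events: list, criteria: dict) -> list:
    """Cross-namespace search: keep events whose gen.* field equals (or, for
    multi-valued fields, contains) every requested value."""
    def matches(ev, field, want):
        have = ev.get(field)
        return want == have or (isinstance(have, list) and want in have)
    return [ev for ev in events if all(matches(ev, k, v) for k, v in criteria.items())]


# Constructed sample events from three namespaces (not real log data).
EVENTS = [
    {"ngs.source": "ids", "ngs.ids.ipSource": "203.0.113.7",
     "ngs.ids.ipDestination": "10.0.0.5", "ngs.ids.action": "block", "ngs.ids.severity": "high"},
    {"ngs.source": "shield", "ngs.shield.source": "203.0.113.7", "ngs.shield.destination": "10.0.0.9",
     "ngs.shield.action": "drop", "ngs.shield.direction": "inbound", "ngs.shield.protocol": "TCP"},
    {"ngs.source": "fim", "ngs.fim.fileName": "/etc/passwd", "ngs.fim.username": "root"},
]
NORMALIZED = [normalize(e) for e in EVENTS]
```

A single query on gen.src.ip then finds both the IDS and the Shield event for the same source address, which is the cross-namespace search the paragraph describes.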
Reference-Specific Fields (114)
| Field | Description | Type |
|---|---|---|
| ngs.collector | ObjectID of the collector associated with the log. | strings |
| ngs.collectorHost | ObjectID of the host that collected the log (remote log collection only). | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.expiresAt | Expiration date of the log, if configured. | pdate |
| ngs.host | ObjectID of the host associated with the log (local log collection only). | string |
| ngs.hostDisplayName | Enginsight Platform display name of the host. | string |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
| ngs.usedRelayExtractors | | strings |
| ngs.apt.location | Absolute file-system path where the suspicious object was found (e.g., "C:\Windows\System32\svchost.exe"). | string |
| ngs.apt.md5 | MD5 checksum of the file's content at detection time. | string |
| ngs.apt.planId | Identifier of the scan plan that scheduled or triggered the detection. | string |
| ngs.apt.planName | Human-readable name of the plan that defined scope, cadence and hosts for the scan. | text_general |
| ngs.apt.ruleId | Internal ID of the YARA or signature rule that matched the file. | string |
| ngs.apt.ruleName | Descriptive title of the detection rule (e.g., "Suspicious Powershell Loader"). | text_general |
| ngs.apt.scanAlias | Optional user-defined alias that makes the scan easier to recognize (e.g., "Weekly Deep Scan"). | text_general |
| ngs.apt.scanId | Unique identifier of the concrete scan execution in which the finding occurred. | string |
| ngs.apt.scanName | Label of the scan run (often auto-generated from date or host selection). | text_general |
| ngs.apt.severity | Qualitative risk rating assigned to the detection (low, medium, high, critical). | string |
| ngs.apt.sha1 | SHA-1 hash of the file for integrity and reputation look-ups. | string |
| ngs.apt.sha256 | SHA-256 hash of the file for accurate, collision-resistant identification. | string |
| ngs.defence.engine | | string |
| ngs.defence.filePath | | text_generals |
| ngs.defence.foundAt | | pdate |
| ngs.defence.quarantineFilePath | | text_generals |
| ngs.defence.rawVirusName | | text_generals |
| ngs.defence.reportTimestamp | | pdate |
| ngs.defence.resolved | | boolean |
| ngs.defence.source | | text_generals |
| ngs.defence.virusName | | text_generals |
| ngs.fim.cwd | Current working directory of the process at the time of the file operation. | text_generals |
| ngs.fim.domain | Windows or Active Directory domain of the user or host, if applicable. | text_generals |
| ngs.fim.executable | Full path to the executable that initiated the file-system change. | text_generals |
| ngs.fim.fileName | Absolute path and file name that was created, modified or removed. | text_generals |
| ngs.fim.groupId | Identifier of the primary group associated with the acting user or process. | string |
| ngs.fim.groupname | Primary group name tied to the GID involved in the event. | text_generals |
| ngs.fim.logIds | List of low-level audit record IDs that were consolidated into this FIM event. | strings |
| ngs.fim.md5 | MD5 checksum of the file content after the change (blank if the file was deleted). | string |
| ngs.fim.occurrences | Number of times this identical event was observed and aggregated within the reporting interval. | pint |
| ngs.fim.operation | Action that occurred on the file system object (e.g., create, modify, delete, rename, chmod). | text_generals |
| ngs.fim.rules | Set of FIM detection rules that triggered for the affected file or directory. | strings |
| ngs.fim.sha1 | SHA-1 hash of the file content after the change, used to verify integrity. | string |
| ngs.fim.success | Boolean flag indicating whether the attempted operation succeeded (true) or failed (false). | boolean |
| ngs.fim.userId | Numeric or string user identifier that performed the operation. | string |
| ngs.fim.username | User name associated with the UID that carried out the change. | text_generals |
| ngs.ids.action | Action that the system took in response to the alert (alert, block, drop, allow, quarantine, etc.). | string |
| ngs.ids.blocked | Boolean flag indicating whether the associated IPS component blocked the traffic (true) or only logged it (false). | boolean |
| ngs.ids.category | High-level threat class assigned to the event, such as "web-attack", "malware", "network-scan", etc. | text_general |
| ngs.ids.foreignIpDestination | External (non-local) destination IP involved in the event, if different from the monitored host. | text_general |
| ngs.ids.hostnames | List of hostnames resolved or referenced within the alert (may include requested domains or internal hosts). | text_generals |
| ngs.ids.ipDestination | Destination IP address targeted by the detected connection or payload. | text_general |
| ngs.ids.ipSource | IP address from which the suspicious traffic or activity originated. | text_general |
| ngs.ids.location.code | ISO 3166-1 alpha-2 country code derived from the source IP geolocation. | string |
| ngs.ids.location.continent | Continent name (e.g., Europe, Asia) associated with the source IP. | text_general |
| ngs.ids.location.country | Full country name corresponding to the source IP address. | text_general |
| ngs.ids.location.organization | Autonomous System (AS) or organization name that owns the source IP range. | text_general |
| ngs.ids.payload | Captured packet segment or base64-encoded content snippet that triggered the rule (for forensic review). | text_generals |
| ngs.ids.severity | Textual severity rating assigned by the IDS (e.g., low, medium, high, critical). | string |
| ngs.ids.type | Detection engine or rule type that raised the alert (e.g., signature, anomaly, policy, brute-force). | text_general |
| ngs.loggernaut.AccessKeyId | Identifier of the API key or access credential used to perform the request. | string |
| ngs.loggernaut.Action | Specific action that was executed within the category (e.g., execute, index, purge). | string |
| ngs.loggernaut.CachedGroupCombinations | Number of cached facet/grouping combinations that were reused. | plong |
| ngs.loggernaut.CachedLogs | Count of log entries that were served from cache instead of live storage. | plong |
| ngs.loggernaut.Category | High-level functional group of the operation, such as "query", "ingest", "workflow" or "cache". | string |
| ngs.loggernaut.ETime | End-to-end elapsed time of the operation (including queue and network) in milliseconds. | plong |
| ngs.loggernaut.End | End timestamp of the time range covered by the query or workflow. | pdate |
| ngs.loggernaut.FacetField | Field in the index on which the facet/aggregation was calculated. | text_general |
| ngs.loggernaut.FacetType | Type of facet or aggregation requested (e.g., terms, range, date_hist). | string |
| ngs.loggernaut.Filter | Additional filter expression applied to narrow the query results. | text_general |
| ngs.loggernaut.ITime | Time taken to index documents, in milliseconds. | plong |
| ngs.loggernaut.NumFound | Number of documents or log records matched by the query. | pint |
| ngs.loggernaut.NumIndexed | Number of documents that were successfully written to the index. | pint |
| ngs.loggernaut.NumQueried | Number of documents that were scanned or queried during the operation. | plong |
| ngs.loggernaut.QTime | Time spent processing the search/query, in milliseconds. | plong |
| ngs.loggernaut.Query | Full query string that was executed against the index. | text_general |
| ngs.loggernaut.Size | Total data volume processed or returned, in bytes. | plong |
| ngs.loggernaut.Start | Start timestamp of the time range covered by the query or workflow. | pdate |
| ngs.loggernaut.WTime | Duration of the workflow execution, in milliseconds. | plong |
| ngs.loggernaut.WorkflowID | Universally unique identifier of the workflow instance that generated the event. | string |
| ngs.loggernaut.WorkflowName | Human-readable name of the ingestion or processing workflow. | text_general |
| ngs.loggernaut.WorkflowType | Classification of the workflow, e.g., scheduled, ad-hoc or retention. | string |
| ngs.shield.action | Enforcement action carried out by Shield (alert, drop, reject, pass). | string |
| ngs.shield.autopilotId | Unique identifier of the Autopilot instance reporting the event. | string |
| ngs.shield.autopilotName | Human-readable name of the Enginsight Autopilot that detected or blocked the traffic. | text_general |
| ngs.shield.cause | Short textual cause or keyword explaining why the traffic was blocked or flagged. | string |
| ngs.shield.destination | Destination IP address (and optional port) targeted by the packet. | text_generals |
| ngs.shield.direction | Traffic direction relative to the protected host (inbound or outbound). | string |
| ngs.shield.hash | Hash value (SHA-256) uniquely identifying the packet payload, used for deduplication. | string |
| ngs.shield.occurrences | Number of times the identical event was seen and aggregated during the reporting interval. | pint |
| ngs.shield.payload | Excerpt of the packet payload or HTTP request that triggered the rule (may be truncated). | text_generals |
| ngs.shield.policy | Name of the Shield policy bundle in which the rule is defined. | string |
| ngs.shield.ports | Array of TCP/UDP port numbers involved in the connection. | pints |
| ngs.shield.protocol | Layer-4 protocol of the packet flow (TCP, UDP, ICMP, etc.). | string |
| ngs.shield.reason | Detailed reason phrase returned by the engine (e.g., "pattern matched: ET EXPLOIT Shellcode"). | text_generals |
| ngs.shield.rule | Full text of the detection rule or signature that triggered the alert. | string |
| ngs.shield.ruleId | Internal or Snort/Suricata signature ID of the matched rule. | string |
| ngs.shield.ruleName | Descriptive name of the IPS/IDS rule that matched (e.g., "SQL Injection Attempt"). | text_general |
| ngs.shield.segment | CIDR notation of the segment's IP range (e.g., "192.168.0.0/24"). | string |
| ngs.shield.segmentId | Identifier of the segment object in the Enginsight inventory. | string |
| ngs.shield.segmentName | Label of the network segment or zone in which the traffic was observed. | text_general |
| ngs.shield.source | Source IP address (and optional port) of the packet that matched the rule. | text_generals |
| ngs.shield.type | High-level detection class, e.g., signature, anomaly, policy or reputation. | text_generals |
| ngs.siem.incident.trigger | The module that triggered the incident. | string |
| ngs.siem.incident.endedAt | Timestamp when the incident was closed or last updated. | pdate |
| ngs.siem.incident.id | Unique identifier of the correlated incident (distinct from the log-entry ID). | string |
| ngs.siem.incident.relevantFields | Array of field names that contributed to the correlation and grouping of this incident. | strings |
| ngs.siem.incident.severity | Qualitative severity level assigned to the incident (low, medium, high, critical). | string |
| ngs.siem.incident.severityScore | Numeric score (0-10) quantifying severity for prioritization and SLA tracking. | pint |
| ngs.siem.incident.startedAt | Timestamp when the incident window started (time of the first contributing event). | pdate |
| ngs.siem.incident.workflow | Name of the Enginsight workflow associated with the incident. | text_general |
| ngs.siem.incident.workflowId | Identifier of the Enginsight workflow associated with the incident. | string |
| ngs.siem.incident.stream | Name of the Enginsight stream associated with the incident. | text_general |
| ngs.siem.incident.streamId | Identifier of the Enginsight stream associated with the incident. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they are emitted by the system. Depending on the context of the event, fields that do not apply may be omitted.