Global Fields (4)

| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (6)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes, which every namespace needs. Sharing these fields ensures consistency and makes cross-namespace searches and reports straightforward. The middle column lists the reference-specific (ngs.shield.*) fields from which each generic field is populated.

| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | ngs.shield.action | strings |
| gen.dest.ip | Destination IP address. | ngs.shield.destination | text_general |
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | ngs.shield.direction | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | ngs.shield.policy, ngs.shield.rule, ngs.shield.ruleName | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | ngs.shield.protocol | strings |
| gen.src.ip | Source IP address. | ngs.shield.source | text_general |
Reference-Specific Fields (21)

| Field | Description | Type |
|---|---|---|
| ngs.shield.action | Enforcement action carried out by Shield (alert, drop, reject, pass). | string |
| ngs.shield.autopilotId | Unique identifier of the Autopilot instance reporting the event. | string |
| ngs.shield.autopilotName | Human-readable name of the Enginsight Autopilot that detected or blocked the traffic. | text_general |
| ngs.shield.cause | Short textual cause or keyword explaining why the traffic was blocked or flagged. | string |
| ngs.shield.destination | Destination IP address (and optional port) targeted by the packet. | text_generals |
| ngs.shield.direction | Traffic direction relative to the protected host (inbound or outbound). | string |
| ngs.shield.hash | Hash value (SHA-256) uniquely identifying the packet payload for deduplication. | string |
| ngs.shield.occurrences | Number of times the identical event was seen and aggregated during the reporting interval. | pint |
| ngs.shield.payload | Excerpt of the packet payload or HTTP request that triggered the rule (may be truncated). | text_generals |
| ngs.shield.policy | Name of the Shield policy bundle in which the rule is defined. | string |
| ngs.shield.ports | Array of TCP/UDP port numbers involved in the connection. | pints |
| ngs.shield.protocol | Layer-4 protocol of the packet flow (TCP, UDP, ICMP, etc.). | string |
| ngs.shield.reason | Detailed reason phrase returned by the engine (e.g., "pattern matched: ET EXPLOIT Shellcode"). | text_generals |
| ngs.shield.rule | Full text of the detection rule or signature that triggered the alert. | string |
| ngs.shield.ruleId | Internal or Snort/Suricata signature ID of the matched rule. | string |
| ngs.shield.ruleName | Descriptive name of the IPS/IDS rule that matched (e.g., "SQL Injection Attempt"). | text_general |
| ngs.shield.segment | CIDR notation of the segment's IP range (e.g., "192.168.0.0/24"). | string |
| ngs.shield.segmentId | Identifier of the segment object in the Enginsight inventory. | string |
| ngs.shield.segmentName | Label of the network segment or zone in which the traffic was observed. | text_general |
| ngs.shield.source | Source IP address (and optional port) of the packet that matched the rule. | text_generals |
| ngs.shield.type | High-level detection class, e.g., signature, anomaly, policy or reputation. | text_generals |
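As an added example (not code from Enginsight or from this page), the following Python normaliser applies the Generic Fields mapping to a constructed Shield event: it derives gen.src.ip and gen.dest.ip from the "IP (and optional port)" values of ngs.shield.source and ngs.shield.destination, handling bracketed IPv6 and rejecting malformed addresses, builds the multi-valued gen.firewall.rule from policy, rule and ruleName, and fills ngs.shield.ports from the parsed ports when the event carries no array. The sample event and the split_endpoint / normalize helpers are assumptions for illustration, not part of the product.

```python
import ipaddress
import json
SAMPLE_EVENT = json.dumps({  # constructed sample event, not taken from the page
    "ngs.id": "evt-0001",
    "ngs.shield.action": "drop",
    "ngs.shield.direction": "inbound",
    "ngs.shield.protocol": "TCP",
    "ngs.shield.source": "203.0.113.7:51234",
    "ngs.shield.destination": "[2001:db8::10]:443",
    "ngs.shield.policy": "web-servers",
    "ngs.shield.ruleName": "SQL Injection Attempt",
})
MAPPING = {  # gen.* field -> ngs.shield.* fields it is derived from (Generic Fields table)
    "gen.firewall.action": ["ngs.shield.action"],
    "gen.firewall.direction": ["ngs.shield.direction"],
    "gen.protocol": ["ngs.shield.protocol"],
    "gen.firewall.rule": ["ngs.shield.policy", "ngs.shield.rule", "ngs.shield.ruleName"],
}

def split_endpoint(value):
    """Split 'ip', 'ip:port' or '[ipv6]:port' into (ip, port or None); (None, None) if invalid."""
    host, port = value, None
    if value.startswith("["):                  # bracketed IPv6 with optional :port
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
    elif value.count(":") == 1:                # IPv4 with port
        host, _, port = value.partition(":")
    try:
        ip = ipaddress.ip_address(host)        # reject malformed input instead of passing it on
    except ValueError:
        return None, None
    return str(ip), (int(port) if port and port.isdigit() else None)

def normalize(raw):
    """Return the event plus the gen.* fields derivable from its ngs.shield.* fields."""
    ev = json.loads(raw)
    out = dict(ev)
    src_ip, src_port = split_endpoint(ev.get("ngs.shield.source", ""))
    dst_ip, dst_port = split_endpoint(ev.get("ngs.shield.destination", ""))
    if src_ip:
        out["gen.src.ip"] = src_ip
    if dst_ip:
        out["gen.dest.ip"] = dst_ip
    for gen, refs in MAPPING.items():          # multi-valued (strings) columns become lists
        vals = [ev[r] for r in refs if r in ev]
        if vals:
            out[gen] = vals
    ports = ev.get("ngs.shield.ports") or [p for p in (src_port, dst_port) if p is not None]
    if ports:  # ngs.shield.ports (pints): the event's own array wins over the parsed ports
        out["ngs.shield.ports"] = ports
    return out
```

Fields that are absent from an event are simply not derived, matching the note that some fields may be omitted when not applicable.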
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.