Enginsight Shield (IPS)
Enginsight Shield is an inline intrusion-prevention system that blocks exploits and anomalies in real time.
Enginsight Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (21)
| Field | Description | Type |
|---|---|---|
| ngs.shield.ruleName | Descriptive name of the IPS/IDS rule that matched (e.g., "SQL Injection Attempt"). | text_general |
| ngs.shield.ruleId | Internal or Snort/Suricata signature ID of the matched rule. | string |
| ngs.shield.autopilotName | Human-readable name of the Enginsight Autopilot that detected or blocked the traffic. | text_general |
| ngs.shield.autopilotId | Unique identifier of the Autopilot instance reporting the event. | string |
| ngs.shield.segmentName | Label of the network segment or zone in which the traffic was observed. | text_general |
| ngs.shield.segmentId | Identifier of the segment object in the Enginsight inventory. | string |
| ngs.shield.cause | Short textual cause or keyword explaining why the traffic was blocked or flagged. | string |
| ngs.shield.segment | CIDR notation of the segment's IP range (e.g., "192.168.0.0/24"). | string |
| ngs.shield.ports | Array of TCP/UDP port numbers involved in the connection. | pint [] |
| ngs.shield.occurrences | Number of times the identical event was seen and aggregated during the reporting interval. | pint |
| ngs.shield.direction | Traffic direction relative to the protected host (inbound or outbound). | string |
| ngs.shield.hash | Hash value (SHA-256) uniquely identifying the packet payload for deduplication. | string |
| ngs.shield.rule | Full text of the detection rule or signature that triggered the alert. | string |
| ngs.shield.policy | Name of the Shield policy bundle in which the rule is defined. | string |
| ngs.shield.action | Enforcement action carried out by Shield (alert, drop, reject, pass). | string |
| ngs.shield.protocol | Layer-4 protocol of the packet flow (TCP, UDP, ICMP, etc.). | string |
| ngs.shield.source | Source IP address (and optional port) of the packet that matched the rule. | text_general [] |
| ngs.shield.destination | Destination IP address (and optional port) targeted by the packet. | text_general [] |
| ngs.shield.reason | Detailed reason phrase returned by the engine (e.g., "pattern matched: ET EXPLOIT Shellcode"). | text_general [] |
| ngs.shield.payload | Excerpt of the packet payload or HTTP request that triggered the rule (may be truncated). | text_general [] |
| ngs.shield.type | High-level detection class, e.g., signature, anomaly, policy or reputation. | text_general [] |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.