Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (14)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | securepoint.utm.action | strings |
| gen.dest.port | Destination port number. | securepoint.utm.dpt | pint |
| gen.dest.ip | Destination IP address. | securepoint.utm.dst | text_general |
| gen.mail.sender | Email address of the message sender. | securepoint.utm.from | strings |
| gen.src.interface | Network interface used for the source connection. | securepoint.utm.in | strings |
| gen.av.infectionName | Name of the detected infection or malware. | securepoint.utm.malwarename | strings |
| gen.dest.interface | Network interface used for the destination connection. | securepoint.utm.out | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | securepoint.utm.proto | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | securepoint.utm.selectors | strings |
| gen.src.port | Source port number. | securepoint.utm.spt | pint |
| gen.src.ip | Source IP address. | securepoint.utm.src | text_general |
| gen.av.status | Status of the antivirus event (e.g., success, failure). | securepoint.utm.status | strings |
| gen.mail.receiver | Email address of the message recipient. | securepoint.utm.to | strings |
| gen.username | Username associated with the event. | securepoint.utm.user | text_general |
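The mapping in the table above is what makes cross-namespace searches work: a detection written against `gen.src.ip` matches Securepoint events only if the parser projects `securepoint.utm.src` onto it with the right type. The following added example (not code from the page or from the SIEM vendor) applies that mapping to one raw event; the flat-dict event shape, the sample values, and the reading of `strings` as multi-valued and `pint`/`plong` as integers are assumptions.

```python
# Added example (not the page's code): project a Securepoint UTM event onto
# the gen.* fields using the Generic Fields table above. The raw event shape
# (flat dict keyed by securepoint.utm.* names) and sample values are assumed.
GEN_MAPPING = [  # (generic field, reference-specific field, generic type)
    ("gen.firewall.action", "securepoint.utm.action", "strings"),
    ("gen.dest.port", "securepoint.utm.dpt", "pint"),
    ("gen.dest.ip", "securepoint.utm.dst", "text_general"),
    ("gen.mail.sender", "securepoint.utm.from", "strings"),
    ("gen.src.interface", "securepoint.utm.in", "strings"),
    ("gen.av.infectionName", "securepoint.utm.malwarename", "strings"),
    ("gen.dest.interface", "securepoint.utm.out", "strings"),
    ("gen.protocol", "securepoint.utm.proto", "strings"),
    ("gen.firewall.rule", "securepoint.utm.selectors", "strings"),
    ("gen.src.port", "securepoint.utm.spt", "pint"),
    ("gen.src.ip", "securepoint.utm.src", "text_general"),
    ("gen.av.status", "securepoint.utm.status", "strings"),
    ("gen.mail.receiver", "securepoint.utm.to", "strings"),
    ("gen.username", "securepoint.utm.user", "text_general"),
]

def coerce(value, gen_type):
    """Coerce a raw value to its generic type; None means 'drop the field'."""
    if gen_type in ("pint", "plong"):
        try:
            return int(value)
        except (TypeError, ValueError):
            return None  # unparsable number: better omitted than mis-typed
    if gen_type == "strings":  # multi-valued: always a list of strings
        return [str(v) for v in (value if isinstance(value, list) else [value])]
    return str(value)  # text_general / string

def to_generic(raw):
    """Return the gen.* view of a raw event; inapplicable fields are omitted."""
    out = {}
    for gen_field, ref_field, gen_type in GEN_MAPPING:
        if ref_field in raw:
            coerced = coerce(raw[ref_field], gen_type)
            if coerced is not None:
                out[gen_field] = coerced
    return out

# Constructed sample event, not taken from the page.
SAMPLE = {
    "securepoint.utm.action": "drop",
    "securepoint.utm.src": "10.0.0.5",
    "securepoint.utm.dpt": "443",
    "securepoint.utm.proto": "TCP",
    "securepoint.utm.selectors": ["rule-42", "geo-block"],
}
```

A port that fails integer coercion is dropped rather than stored as a string, so a numeric range query on `gen.dest.port` never silently skips a malformed event with a wrong type instead of surfacing it as a parse gap.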
Reference-Specific Fields (38)
| Field | Type |
|---|---|
| securepoint.utm.ack | pint |
| securepoint.utm.act | string |
| securepoint.utm.action | string |
| securepoint.utm.bytes | plong |
| securepoint.utm.cats | strings |
| securepoint.utm.code | pint |
| securepoint.utm.dpt | pint |
| securepoint.utm.dst | string |
| securepoint.utm.filesize | plong |
| securepoint.utm.flags | strings |
| securepoint.utm.from | string |
| securepoint.utm.id | pint |
| securepoint.utm.in | string |
| securepoint.utm.len | pint |
| securepoint.utm.mac | string |
| securepoint.utm.mailflags | strings |
| securepoint.utm.malwarename | string |
| securepoint.utm.mark | pint |
| securepoint.utm.out | string |
| securepoint.utm.pkts | plong |
| securepoint.utm.prec | string |
| securepoint.utm.proto | string |
| securepoint.utm.reason | string |
| securepoint.utm.selectors | strings |
| securepoint.utm.seq | plong |
| securepoint.utm.sni | string |
| securepoint.utm.spt | pint |
| securepoint.utm.src | string |
| securepoint.utm.srv | strings |
| securepoint.utm.status | string |
| securepoint.utm.to | string |
| securepoint.utm.tos | pint |
| securepoint.utm.ttl | pint |
| securepoint.utm.type | pint |
| securepoint.utm.urgp | pint |
| securepoint.utm.url | string |
| securepoint.utm.user | string |
| securepoint.utm.window | pint |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.