Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (9)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields keeps the data consistent and makes cross-namespace searches and reports straightforward. The Reference-Specific Fields column lists, in precedence order, the sophos.central.* fields that populate each generic field.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.src.ip | Source IP address. | sophos.central.source_info.ip, sophos.central.ips_threat_data.remoteIp | text_general |
| gen.process.parent.pid | Process ID of the parent process. | sophos.central.amsi_threat_data.parentProcessId | pint |
| gen.process.parent.process | Name of the parent process. | sophos.central.amsi_threat_data.parentProcessPath | string |
| gen.process.pid | Process ID of the running process. | sophos.central.amsi_threat_data.processId, sophos.central.ips_threat_data.executablePid | pint |
| gen.process.process | Name of the process. | sophos.central.amsi_threat_data.processPath, sophos.central.ips_threat_data.executablePath | string |
| gen.dest.port | Destination port number. | sophos.central.ips_threat_data.localPort | pint |
| gen.src.port | Source port number. | sophos.central.ips_threat_data.remotePort | pint |
| gen.hostname | Normalized hostname of the system generating the log. | sophos.central.location | text_general |
| gen.severity | Normalized severity field across log sources. | sophos.central.severity | strings |
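The mapping in the Generic Fields table can be applied mechanically. The following normalizer is an added example, not code from the original page or from Sophos; it encodes the table above as a precedence list per gen.* field, coerces pint-typed fields to integers, and is run over two constructed sample events (an AMSI detection and an IPS detection) that are illustrative, not real Sophos Central output.

```python
"""Normalize Sophos Central events into the gen.* fields listed above.

Added example: not part of the original page or of Sophos' own tooling.
Candidate order per gen.* field follows the Reference-Specific Fields
column; the first candidate present in the event wins. The two sample
events below are constructed for illustration, not real Sophos output.
"""
from __future__ import annotations

import json
from typing import Any

# gen.* field -> ordered candidate paths under the sophos.central.* namespace.
GEN_MAPPING: dict[str, list[str]] = {
    "gen.src.ip": ["source_info.ip", "ips_threat_data.remoteIp"],
    "gen.process.parent.pid": ["amsi_threat_data.parentProcessId"],
    "gen.process.parent.process": ["amsi_threat_data.parentProcessPath"],
    "gen.process.pid": ["amsi_threat_data.processId", "ips_threat_data.executablePid"],
    "gen.process.process": ["amsi_threat_data.processPath", "ips_threat_data.executablePath"],
    "gen.dest.port": ["ips_threat_data.localPort"],
    "gen.src.port": ["ips_threat_data.remotePort"],
    "gen.hostname": ["location"],
    "gen.severity": ["severity"],
}

# Fields typed pint in the table: coerce to int, skip values that are not integers.
PINT_FIELDS = {"gen.process.parent.pid", "gen.process.pid", "gen.dest.port", "gen.src.port"}


def lookup(event: dict[str, Any], path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur: Any = event
    for seg in path.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def normalize(event: dict[str, Any]) -> dict[str, Any]:
    """Return the gen.* view of one event; fields with no usable source are omitted."""
    out: dict[str, Any] = {}
    for gen_field, candidates in GEN_MAPPING.items():
        for path in candidates:
            value = lookup(event, path)
            if value is None or value == "":
                continue
            if gen_field in PINT_FIELDS:
                try:
                    value = int(value)
                except (TypeError, ValueError):
                    continue  # malformed pid/port: fall through to the next candidate
            out[gen_field] = value
            break
    return out


# Constructed AMSI detection: process fields come from amsi_threat_data,
# the source IP from source_info.
SAMPLE_AMSI_EVENT = {
    "id": "00000000-0000-0000-0000-000000000001",
    "location": "WKS-01",
    "severity": "high",
    "source_info": {"ip": "10.0.0.5"},
    "amsi_threat_data": {
        "parentProcessId": 1234,
        "parentProcessPath": "C:\\Windows\\explorer.exe",
        "processId": "5678",  # string on purpose: exercises pint coercion
        "processPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
}

# Constructed IPS detection: the remote peer becomes gen.src.*, the local
# port gen.dest.port, so the endpoint is treated as the destination.
SAMPLE_IPS_EVENT = {
    "id": "00000000-0000-0000-0000-000000000002",
    "location": "SRV-02",
    "severity": "medium",
    "ips_threat_data": {
        "remoteIp": "203.0.113.7",
        "remotePort": 51514,
        "localPort": 445,
        "executablePid": 4,
        "executablePath": "System",
    },
}

if __name__ == "__main__":
    for ev in (SAMPLE_AMSI_EVENT, SAMPLE_IPS_EVENT):
        print(json.dumps(normalize(ev), indent=2))
```

Two points worth checking when searching on the generic fields: for IPS events the table maps the remote peer to gen.src.ip and gen.src.port and the endpoint's own port to gen.dest.port, so a detection on an outbound connection still shows the endpoint as the destination; and gen.process.pid can be populated from either the AMSI or the IPS block, so filter on sophos.central.type or sophos.central.origin if the distinction matters for a detection rule.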
Reference-Specific Fields (47)
| Field | Description | Type |
|---|---|---|
| sophos.central.source_info.ip | IP of the source | string |
| sophos.central.description | The description of the alert that was generated | text_general |
| sophos.central.event_service_event_id | The Event Services event ID | string |
| sophos.central.threat_cleanable | Whether the threat is automatically cleanable | boolean |
| sophos.central.amsi_threat_data.parentProcessId | Parent process ID of the AMSI threat | pint |
| sophos.central.amsi_threat_data.parentProcessPath | Parent process path of the AMSI threat | string |
| sophos.central.amsi_threat_data.processId | Process ID of the AMSI threat | pint |
| sophos.central.amsi_threat_data.processName | Process name of the AMSI threat | string |
| sophos.central.amsi_threat_data.processPath | Process path of the AMSI threat | string |
| sophos.central.appCerts.signer | Certificate signer of the application associated with the threat | strings |
| sophos.central.appCerts.thumbprint | Certificate thumbprint of the application associated with the threat | strings |
| sophos.central.appSha256 | SHA-256 hash of the application associated with the threat | string |
| sophos.central.core_remedy_items.items.descriptor | Descriptors of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.processPath | Process paths of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.result | Results of cleaning or restoring | strings |
| sophos.central.core_remedy_items.items.sophosPid | Process IDs of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.suspendResult | Suspend results of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.type | Types of cleaned or restored items | strings |
| sophos.central.core_remedy_items.totalItems | Number of cleaned or restored items | pint |
| sophos.central.created_at | The date at which the event was created | pdate |
| sophos.central.customer_id | The identifier of the customer for which the record is created | string |
| sophos.central.details.property | | strings |
| sophos.central.details.type | | strings |
| sophos.central.endpoint_id | The endpoint ID associated with the record | string |
| sophos.central.endpoint_type | The endpoint type associated with the record | string |
| sophos.central.group | The group associated with the record | string |
| sophos.central.id | The identifier for the event | string |
| sophos.central.ips_threat_data.detectionType | Detection type of the IPS threat | pint |
| sophos.central.ips_threat_data.executableName | Executable name of the IPS threat | string |
| sophos.central.ips_threat_data.executablePath | Executable path of the IPS threat | string |
| sophos.central.ips_threat_data.executablePid | Executable process ID of the IPS threat | pint |
| sophos.central.ips_threat_data.executableVersion | Executable version of the IPS threat | string |
| sophos.central.ips_threat_data.localPort | Local port of the IPS threat | pint |
| sophos.central.ips_threat_data.rawData | Raw data of the IPS threat | text_general |
| sophos.central.ips_threat_data.remoteIp | Remote IP of the IPS threat | string |
| sophos.central.ips_threat_data.remotePort | Remote port of the IPS threat | pint |
| sophos.central.ips_threat_data.techSupportId | Tech support ID of the IPS threat | string |
| sophos.central.location | The location captured for this record | string |
| sophos.central.origin | Originating component of a detection | string |
| sophos.central.severity | The severity for this event | string |
| sophos.central.source | The source for this record | string |
| sophos.central.threat | The threat associated with the record | string |
| sophos.central.type | The type of this record | string |
| sophos.central.user_id | The identifier of the user for which the record is created | string |
| sophos.central.when | The date at which the event was created | pdate |
| sophos.central.whitelist_properties.property | Whitelist property | strings |
| sophos.central.whitelist_properties.type | Whitelist property type | strings |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.