Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (33)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and similar attributes that every namespace needs. Because every log source is mapped onto the same generic field names, one query on a gen.* field (for example gen.src.ip) matches events from the unprefixed sophos.* firewall fields, from sophos.utm.* and from sophos.central.* alike, which is what makes cross-namespace searches and reports practical. The Reference-Specific Fields column lists the raw sophos.* fields each generic field is derived from. Two caveats are visible in the table: gen.file.name and gen.file.path are populated from the same list of raw fields, so a value that is really a full path can appear in gen.file.name; and gen.hostname and the gen.process.* fields are fed only from sophos.central.* fields, so they are empty for firewall and UTM events.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | sophos.FTP_direction, sophos.con_direction, sophos.dir_disp, sophos.direction | strings |
| gen.severity | Normalized severity field across log sources. | sophos.Severity, sophos.priority, sophos.severity, sophos.central.severity, sophos.utm.severity | strings |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | sophos.action, sophos.utm.action | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | sophos.app_filter_policy_id, sophos.application_filter_policy, sophos.av_policy_name, sophos.fw_rule_id, sophos.fw_rule_name, sophos.iap, sophos.idp_policy_id, sophos.policy_name, sophos.rule_id, sophos.rule_name, sophos.web_policy_id, sophos.utm.fwrule | strings |
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | sophos.bytes_received, sophos.recv_bytes | plong |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | sophos.bytes_sent, sophos.sent_bytes | plong |
| gen.src.mac | MAC address of the source device. | sophos.client_physical_address, sophos.src_mac, sophos.utm.srcmac | string |
| gen.file.name | File name associated with the event. | sophos.download_file, sophos.download_file_name, sophos.file_name, sophos.file_path, sophos.filename, sophos.upload_file_name, sophos.utm.file | strings |
| gen.file.path | Full file path associated with the event. | sophos.download_file, sophos.download_file_name, sophos.file_name, sophos.file_path, sophos.filename, sophos.upload_file_name, sophos.utm.file | strings |
| gen.dest.ip | Destination IP address. | sophos.dst_ip, sophos.remote_ip, sophos.reported_ip, sophos.utm.dstip | text_general |
| gen.dest.mac | MAC address of the destination device. | sophos.dst_mac, sophos.utm.dstmac | string |
| gen.dest.port | Destination port number. | sophos.dst_port, sophos.central.ips_threat_data.localPort, sophos.utm.dstport | pint |
| gen.mail.size | Size of the email in bytes. | sophos.email_size, sophos.mailsize | plong |
| gen.mail.subject | Subject line of the email. | sophos.email_subject, sophos.subject | strings |
| gen.mail.sender | Email address of the message sender. | sophos.from, sophos.from_email_address, sophos.sender | strings |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | sophos.http_status, sophos.status_code, sophos.utm.statuscode | pint |
| gen.proxy.userAgent | User agent string from the HTTP request. | sophos.http_user_agent, sophos.user_agent | string |
| gen.src.interface | Network interface used for the source connection. | sophos.in_interface, sophos.utm.initf | strings |
| gen.src.ip | Source IP address. | sophos.ipaddress, sophos.src_ip, sophos.central.source_info.ip, sophos.central.ips_threat_data.remoteIp, sophos.utm.srcip | text_general |
| gen.username | Username associated with the event. | sophos.login_user, sophos.name, sophos.proc_user, sophos.process_user, sophos.reported_user, sophos.user_full_name, sophos.user_name, sophos.utm.user | text_general |
| gen.av.infectionName | Name of the detected infection or malware. | sophos.malware, sophos.virus | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | sophos.method, sophos.utm.method | string |
| gen.dest.interface | Network interface used for the destination connection. | sophos.out_interface, sophos.utm.outitf | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | sophos.protocol, sophos.utm.proto | strings |
| gen.mail.receiver | Email address of the message recipient. | sophos.recipient, sophos.to, sophos.to_email_address | strings |
| gen.proxy.referrer | HTTP referrer header value. | sophos.referer, sophos.utm.referer | string |
| gen.src.port | Source port number. | sophos.src_port, sophos.central.ips_threat_data.remotePort, sophos.utm.srcport | pint |
| gen.ssid | SSID of the wireless network used. | sophos.ssid, sophos.utm.ssid | strings |
| gen.process.parent.pid | Process ID of the parent process. | sophos.central.amsi_threat_data.parentProcessId | pint |
| gen.process.parent.process | Name of the parent process. | sophos.central.amsi_threat_data.parentProcessPath | string |
| gen.process.pid | Process ID of the running process. | sophos.central.amsi_threat_data.processId, sophos.central.ips_threat_data.executablePid | pint |
| gen.process.process | Name of the process. | sophos.central.amsi_threat_data.processPath, sophos.central.ips_threat_data.executablePath | string |
| gen.hostname | Normalized hostname of the system generating the log. | sophos.central.location | text_general |
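The mapping the table describes, as an added example (this is not the SIEM's pipeline code nor anything from Sophos): a small Python normalizer built from the alias lists above, followed by a cross-namespace correlation over three constructed records. The subset of generic fields used, the precedence rule (first alias in table order that coerces cleanly wins for a single-valued type; every alias present is collected for a multi-valued type), the coercion behaviour, the function names and the sample records are all assumptions of this example.

```python
# Added example (not the SIEM's own pipeline code): map raw sophos.* fields onto
# the gen.* namespace using alias lists from the Generic Fields table, then
# correlate the normalized events across namespaces. Assumptions: the alias
# lists are a subset of the table, kept in table order; single-valued types take
# the first alias that coerces cleanly, multi-valued types collect every alias
# present; coercion failures are reported, not silently dropped; the sample
# records are constructed, not real log output.
from __future__ import annotations
from typing import Any

MULTI_VALUED = {"strings", "plongs", "text_generals"}  # Solr multi-valued types

# gen field -> (raw aliases in table order, schema type)
GEN_FIELDS: dict[str, tuple[list[str], str]] = {
    "gen.src.ip": (["sophos.ipaddress", "sophos.src_ip", "sophos.central.source_info.ip",
                    "sophos.central.ips_threat_data.remoteIp", "sophos.utm.srcip"], "text_general"),
    "gen.dest.ip": (["sophos.dst_ip", "sophos.remote_ip", "sophos.reported_ip",
                     "sophos.utm.dstip"], "text_general"),
    "gen.dest.port": (["sophos.dst_port", "sophos.central.ips_threat_data.localPort",
                       "sophos.utm.dstport"], "pint"),
    "gen.firewall.action": (["sophos.action", "sophos.utm.action"], "strings"),
    "gen.firewall.rule": (["sophos.fw_rule_id", "sophos.fw_rule_name", "sophos.rule_id",
                           "sophos.rule_name", "sophos.utm.fwrule"], "strings"),
    "gen.firewall.bytesSent": (["sophos.bytes_sent", "sophos.sent_bytes"], "plong"),
    "gen.severity": (["sophos.Severity", "sophos.priority", "sophos.severity",
                      "sophos.central.severity", "sophos.utm.severity"], "strings"),
    "gen.username": (["sophos.login_user", "sophos.user_name", "sophos.utm.user"], "text_general"),
    "gen.process.pid": (["sophos.central.amsi_threat_data.processId",
                         "sophos.central.ips_threat_data.executablePid"], "pint"),
    "gen.hostname": (["sophos.central.location"], "text_general"),
}


def coerce(value: Any, solr_type: str) -> Any:
    """Convert a raw value to the Python type behind a Solr field type.

    pint/plong reject anything that is not a whole number; string-like types are
    stringified, so sophos.utm.fwrule (a plong) becomes "7" inside gen.firewall.rule.
    """
    if solr_type in ("pint", "plong"):
        return int(str(value).strip())
    return str(value)


def normalize(raw: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (gen.* event, list of coercion errors) for one raw Sophos record."""
    event: dict[str, Any] = {}
    errors: list[str] = []
    for gen_name, (aliases, solr_type) in GEN_FIELDS.items():
        present = [(a, raw[a]) for a in aliases if raw.get(a) not in (None, "")]
        if not present:
            continue
        multi = solr_type in MULTI_VALUED
        base_type = solr_type[:-1] if multi else solr_type  # "strings" -> "string"
        values: list[Any] = []
        for alias, value in present:
            try:
                values.append(coerce(value, base_type))
            except ValueError:
                errors.append(f"{gen_name}: {alias}={value!r} is not a valid {base_type}")
            if values and not multi:
                break  # single-valued: first alias that coerces cleanly wins
        if values:
            # multi-valued fields keep every distinct value, in alias order
            event[gen_name] = list(dict.fromkeys(values)) if multi else values[0]
    return event, errors


def correlate_by_src_ip(events: dict[str, dict[str, Any]]) -> dict[str, list[str]]:
    """Map each gen.src.ip seen in more than one namespace to those namespaces."""
    seen: dict[str, set[str]] = {}
    for namespace, event in events.items():
        ip = event.get("gen.src.ip")
        if ip:
            seen.setdefault(ip, set()).add(namespace)
    return {ip: sorted(ns) for ip, ns in seen.items() if len(ns) > 1}


# Constructed sample records (not real log output), one per namespace.
SAMPLES: dict[str, dict[str, Any]] = {
    "firewall": {"sophos.src_ip": "10.0.0.5", "sophos.dst_ip": "203.0.113.7",
                 "sophos.dst_port": "443", "sophos.action": "Drop", "sophos.fw_rule_id": "12",
                 "sophos.fw_rule_name": "Block-Egress", "sophos.bytes_sent": "n/a",
                 "sophos.severity": "Information", "sophos.user_name": "alice"},
    "utm": {"sophos.utm.srcip": "10.0.0.5", "sophos.utm.dstip": "198.51.100.20",
            "sophos.utm.dstport": "80", "sophos.utm.action": "pass", "sophos.utm.fwrule": 7,
            "sophos.utm.severity": "info", "sophos.utm.user": "alice"},
    "central": {"sophos.central.source_info.ip": "10.0.0.5",
                "sophos.central.ips_threat_data.remoteIp": "192.0.2.9",
                "sophos.central.ips_threat_data.localPort": "445",
                "sophos.central.ips_threat_data.executablePid": "4312",
                "sophos.central.severity": "high", "sophos.central.location": "WKSTN-042"},
}


def correlate_samples() -> dict[str, list[str]]:
    """Normalize every sample and report source IPs seen in more than one namespace."""
    return correlate_by_src_ip({ns: normalize(raw)[0] for ns, raw in SAMPLES.items()})


if __name__ == "__main__":
    for ns, raw in SAMPLES.items():
        print(ns, *normalize(raw))
    print(correlate_samples())
```

Two things the run makes visible that matter when writing queries against gen.* fields: a malformed numeric value (here `sophos.bytes_sent` of `"n/a"`) leaves gen.firewall.bytesSent unset and is reported, so a search on that field silently excludes such events unless the errors are surfaced; and, per the table, sophos.central.ips_threat_data.remoteIp is an alias of gen.src.ip, so for a Sophos Central IPS event the remote side of the connection lands in gen.src.ip whenever sophos.central.source_info.ip is absent, while gen.dest.ip stays empty.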
Reference-Specific Fields (415)
| Field | Description | Type |
|---|---|---|
| sophos.FTP_direction | | string |
| sophos.FTP_url | | text_general |
| sophos.GREEN | | plong |
| sophos.Mode | | string |
| sophos.RED | | plong |
| sophos.Severity | | string |
| sophos.TOTAL | | plong |
| sophos.Threatfeed | | string |
| sophos.YELLOW | | plong |
| sophos.action | | string |
| sophos.activity_name | | string |
| sophos.additional_information | | text_general |
| sophos.ap | | string |
| sophos.app_category | | text_general |
| sophos.app_filter_policy_id | | string |
| sophos.app_is_cloud | | string |
| sophos.app_name | | text_general |
| sophos.app_resolved_by | | string |
| sophos.app_risk | | plong |
| sophos.app_technology | | string |
| sophos.appfilter_policy_id | | string |
| sophos.application | | text_general |
| sophos.application_category | | text_general |
| sophos.application_filter_policy | | string |
| sophos.application_name | | text_general |
| sophos.application_risk | | plong |
| sophos.application_technology | | string |
| sophos.appresolvedby | | string |
| sophos.auth_client | | string |
| sophos.auth_mechanism | | string |
| sophos.av_policy_name | | string |
| sophos.bitmask | | string |
| sophos.branch_name | | string |
| sophos.bridge_display_name | | string |
| sophos.bridge_name | | string |
| sophos.bytes_received | | plong |
| sophos.bytes_sent | | plong |
| sophos.category | | string |
| sophos.category_type | | string |
| sophos.cert_chain_served | | string |
| sophos.cipher_suite | | string |
| sophos.classification | | string |
| sophos.client_host_name | | text_general |
| sophos.client_physical | | text_general |
| sophos.client_physical_address | | string |
| sophos.client_used | | string |
| sophos.clients_conn_SSID | | plong |
| sophos.con_count | | plong |
| sophos.con_direction | | string |
| sophos.con_id | | string |
| sophos.con_name | | string |
| sophos.connectionname | | string |
| sophos.connectiontype | | string |
| sophos.connevent | | string |
| sophos.content_filter_key | | string |
| sophos.content_type | | text_general |
| sophos.context_match | | text_general |
| sophos.context_prefix | | text_general |
| sophos.context_suffix | | text_general |
| sophos.cookie | | text_general |
| sophos.destination | | text_general |
| sophos.device | | string |
| sophos.device_id | | string |
| sophos.device_model | | string |
| sophos.device_name | | string |
| sophos.device_serial_id | | string |
| sophos.dictionaryname | | string |
| sophos.dir_disp | | string |
| sophos.direction | | string |
| sophos.disable_count | | plong |
| sophos.disconnect_count | | plong |
| sophos.domain | | text_general |
| sophos.domainname | | text_general |
| sophos.download_file | | text_general |
| sophos.download_file_name | | text_general |
| sophos.download_file_type | | text_general |
| sophos.dst_country | | string |
| sophos.dst_country_code | | string |
| sophos.dst_domainname | | text_general |
| sophos.dst_host | | text_general |
| sophos.dst_ip | | text_general |
| sophos.dst_mac | | text_general |
| sophos.dst_port | | pint |
| sophos.dst_zone | | string |
| sophos.dst_zone_type | | string |
| sophos.duration | | plong |
| sophos.email_size | | plong |
| sophos.email_subject | | text_general |
| sophos.enable_count | | plong |
| sophos.end | | pdate |
| sophos.ep_event_time | | pdate |
| sophos.ep_health | | string |
| sophos.ep_ip | | text_general |
| sophos.ep_name | | text_general |
| sophos.ep_uuid | | string |
| sophos.ether_type | | string |
| sophos.event_id | | string |
| sophos.event_type | | string |
| sophos.eventtime | | pdate |
| sophos.eventtype | | string |
| sophos.exceptions | | string |
| sophos.execution_path | | text_general |
| sophos.extra | | text_general |
| sophos.file_hash | | string |
| sophos.file_name | | text_general |
| sophos.file_path | | text_general |
| sophos.file_size | | plong |
| sophos.filename | | text_general |
| sophos.filesize | | plong |
| sophos.filetype | | text_general |
| sophos.fingerprint | | string |
| sophos.flags | | string |
| sophos.from | | text_general |
| sophos.from_email_address | | text_general |
| sophos.ftpcommand | | text_general |
| sophos.fw_rule_id | | string |
| sophos.fw_rule_name | | string |
| sophos.fw_rule_section | | string |
| sophos.gatewayname | | string |
| sophos.gw_id | | string |
| sophos.gw_id_reply | | string |
| sophos.gw_id_request | | string |
| sophos.gw_name | | string |
| sophos.gw_name_reply | | string |
| sophos.gw_name_request | | string |
| sophos.gw_status | | string |
| sophos.hb_health | | string |
| sophos.host | | text_general |
| sophos.http_category | | text_general |
| sophos.http_category_type | | text_general |
| sophos.http_referer | | text_general |
| sophos.http_status | | pint |
| sophos.http_user_agent | | text_general |
| sophos.iap | | string |
| sophos.icmp_code | | string |
| sophos.icmp_type | | string |
| sophos.idp_policy_id | | string |
| sophos.in_display_interface | | string |
| sophos.in_interface | | string |
| sophos.interface | | string |
| sophos.ipaddress | | text_general |
| sophos.ipleased | | string |
| sophos.ips_policy_id | | string |
| sophos.jitter | | plong |
| sophos.key_param | | string |
| sophos.key_type | | string |
| sophos.latency | | plong |
| sophos.lease_time | | plong |
| sophos.localgateway | | text_general |
| sophos.localinterfaceip | | text_general |
| sophos.localip | | text_general |
| sophos.localnetwork | | string |
| sophos.log_component | | string |
| sophos.log_id | | string |
| sophos.log_occurrence | | plong |
| sophos.log_subtype | | string |
| sophos.log_type | | string |
| sophos.log_version | | string |
| sophos.login_user | | string |
| sophos.mailid | | string |
| sophos.mailsize | | plong |
| sophos.malware | | string |
| sophos.message | | text_general |
| sophos.message_id | | string |
| sophos.method | | string |
| sophos.mode | | string |
| sophos.name | | string |
| sophos.nat_rule_id | | string |
| sophos.nat_rule_name | | string |
| sophos.out_display_interface | | string |
| sophos.out_interface | | string |
| sophos.override_authorizer | | string |
| sophos.override_name | | string |
| sophos.override_token | | string |
| sophos.packet_loss | | plong |
| sophos.parent_app | | text_general |
| sophos.parent_app_category | | text_general |
| sophos.parent_app_risk | | plong |
| sophos.platform | | string |
| sophos.policy_name | | string |
| sophos.policy_type | | string |
| sophos.priority | | string |
| sophos.probe_target | | string |
| sophos.proc_user | | text_general |
| sophos.process_user | | text_general |
| sophos.profile_id | | string |
| sophos.profile_name | | string |
| sophos.protocol | | string |
| sophos.qualifier | | string |
| sophos.quarantine | | string |
| sophos.quarantine_reason | | string |
| sophos.queryString | | text_general |
| sophos.raw_data | | string |
| sophos.reason | | string |
| sophos.recipient | | text_general |
| sophos.recv_bytes | | plong |
| sophos.recv_pkts | | plong |
| sophos.red_id | | string |
| sophos.referer | | text_general |
| sophos.remote_ip | | text_general |
| sophos.remoteinterfaceip | | text_general |
| sophos.remotenetwork | | text_general |
| sophos.remotepeer | | text_general |
| sophos.reported | | string |
| sophos.reported_host | | text_general |
| sophos.reported_id | | string |
| sophos.reported_ip | | text_general |
| sophos.reported_user | | text_general |
| sophos.resource | | string |
| sophos.resource_type | | string |
| sophos.responsetime | | plong |
| sophos.resumed | | string |
| sophos.rule_id | | string |
| sophos.rule_name | | string |
| sophos.rule_priority | | pint |
| sophos.sdwan_profile_id_reply | | string |
| sophos.sdwan_profile_id_request | | string |
| sophos.sdwan_profile_name_reply | | string |
| sophos.sdwan_profile_name_request | | string |
| sophos.sdwan_route_id_reply | | string |
| sophos.sdwan_route_id_request | | string |
| sophos.sdwan_route_name_reply | | string |
| sophos.sdwan_route_name_request | | string |
| sophos.sender | | text_general |
| sophos.sent_bytes | | plong |
| sophos.sent_pkts | | plong |
| sophos.server | | text_general |
| sophos.sessionid | | string |
| sophos.severity | | text_general |
| sophos.sha1sum | | string |
| sophos.signature_id | | string |
| sophos.signature_msg | | text_general |
| sophos.sitecategory | | string |
| sophos.sla_status | | string |
| sophos.sni | | string |
| sophos.source | | text_general |
| sophos.spamaction | | string |
| sophos.src_country | | string |
| sophos.src_country_code | | string |
| sophos.src_domainname | | text_general |
| sophos.src_host | | text_general |
| sophos.src_ip | | text_general |
| sophos.src_mac | | text_general |
| sophos.src_port | | pint |
| sophos.src_zone | | string |
| sophos.src_zone_type | | string |
| sophos.ssid | | string |
| sophos.start | | pdate |
| sophos.start_time | | pdate |
| sophos.status | | string |
| sophos.status_code | | pint |
| sophos.subject | | text_general |
| sophos.target | | string |
| sophos.threatname | | text_general |
| sophos.tls_version | | string |
| sophos.to | | string |
| sophos.to_email_address | | text_general |
| sophos.tran_dst_ip | | text_general |
| sophos.tran_dst_port | | pint |
| sophos.tran_src_ip | | text_general |
| sophos.tran_src_port | | pint |
| sophos.transaction | | string |
| sophos.transaction_id | | string |
| sophos.updatedip | | string |
| sophos.upload_file_name | | text_general |
| sophos.upload_file_type | | text_general |
| sophos.url | | text_general |
| sophos.used_quota | | plong |
| sophos.user_agent | | text_general |
| sophos.user_full_name | | text_general |
| sophos.user_gp | | text_general |
| sophos.user_group | | text_general |
| sophos.user_name | | text_general |
| sophos.usergroupname | | text_general |
| sophos.vconnid | | string |
| sophos.virus | | text_general |
| sophos.vlan_id | | string |
| sophos.web_policy | | string |
| sophos.web_policy_id | | string |
| sophos.website | | text_general |
| sophos.ws_protocol | | string |
| sophos.central.source_info.ip | IP of the source | string |
| sophos.central.description | The description of the alert that was generated | text_general |
| sophos.central.event_service_event_id | The Event Services event id | string |
| sophos.central.threat_cleanable | Whether the threat is automatically cleanable | boolean |
| sophos.central.amsi_threat_data.parentProcessId | Parent process ID of the AMSI threat | pint |
| sophos.central.amsi_threat_data.parentProcessPath | Parent process path of the AMSI threat | string |
| sophos.central.amsi_threat_data.processId | Process ID of the AMSI threat | pint |
| sophos.central.amsi_threat_data.processName | Process name of the AMSI threat | string |
| sophos.central.amsi_threat_data.processPath | Process path of the AMSI threat | string |
| sophos.central.appCerts.signer | Certificate signer of the application associated with the threat | strings |
| sophos.central.appCerts.thumbprint | Certificate thumbprint of the application associated with the threat | strings |
| sophos.central.appSha256 | SHA-256 hash of the application associated with the threat | string |
| sophos.central.core_remedy_items.items.descriptor | Descriptors of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.processPath | Process paths of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.result | Results of cleaning or restoring | strings |
| sophos.central.core_remedy_items.items.sophosPid | Process IDs of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.suspendResult | Suspend results of cleaned or restored items | strings |
| sophos.central.core_remedy_items.items.type | Types of cleaned or restored items | strings |
| sophos.central.core_remedy_items.totalItems | Number of cleaned or restored items | pint |
| sophos.central.created_at | The date at which the event was created | pdate |
| sophos.central.customer_id | The identifier of the customer for which the record is created | string |
| sophos.central.details.property | | strings |
| sophos.central.details.type | | strings |
| sophos.central.endpoint_id | The corresponding endpoint id associated with the record | string |
| sophos.central.endpoint_type | The corresponding endpoint type associated with the record | string |
| sophos.central.group | The group associated with the record | string |
| sophos.central.id | The identifier for the event | string |
| sophos.central.ips_threat_data.detectionType | Detection type of the IPS threat | pint |
| sophos.central.ips_threat_data.executableName | Executable name of the IPS threat | string |
| sophos.central.ips_threat_data.executablePath | Executable path of the IPS threat | string |
| sophos.central.ips_threat_data.executablePid | Executable process id of the IPS threat | pint |
| sophos.central.ips_threat_data.executableVersion | Executable version of the IPS threat | string |
| sophos.central.ips_threat_data.localPort | Local port of the IPS threat | pint |
| sophos.central.ips_threat_data.rawData | Raw data of the IPS threat | text_general |
| sophos.central.ips_threat_data.remoteIp | Remote IP of the IPS threat | string |
| sophos.central.ips_threat_data.remotePort | Remote port of the IPS threat | pint |
| sophos.central.ips_threat_data.techSupportId | Tech support id of the IPS threat | string |
| sophos.central.location | The location captured for this record | string |
| sophos.central.origin | Originating component of a detection | string |
| sophos.central.severity | The severity for this event | string |
| sophos.central.source | The source for this record | string |
| sophos.central.threat | The threat associated with the record | string |
| sophos.central.type | The type of this record | string |
| sophos.central.user_id | The identifier of the user for which the record is created | string |
| sophos.central.when | The date at which the event was created | pdate |
| sophos.central.whitelist_properties.property | Whitelist property | strings |
| sophos.central.whitelist_properties.type | Whitelist property type | strings |
| sophos.utm.action | | text_general |
| sophos.utm.ad_domain | | string |
| sophos.utm.app | | string |
| sophos.utm.aptptime | | plong |
| sophos.utm.attr_active_channels | | plongs |
| sophos.utm.attr_address | | text_general |
| sophos.utm.attr_addresses | | text_generals |
| sophos.utm.attr_resolved | | plong |
| sophos.utm.attr_tunnel_state | | boolean |
| sophos.utm.auth | | boolean |
| sophos.utm.authtime | | plong |
| sophos.utm.avscantime | | plong |
| sophos.utm.bssid | | string |
| sophos.utm.cached | | boolean |
| sophos.utm.call | | string |
| sophos.utm.category | | plong |
| sophos.utm.categoryname | | text_general |
| sophos.utm.cattime | | plong |
| sophos.utm.class | | string |
| sophos.utm.client | | string |
| sophos.utm.code | | plong |
| sophos.utm.content_type | | string |
| sophos.utm.device | | string |
| sophos.utm.dnstime | | plong |
| sophos.utm.dstip | | text_general |
| sophos.utm.dstmac | | string |
| sophos.utm.dstport | | pint |
| sophos.utm.error | | text_general |
| sophos.utm.exceptions | | strings |
| sophos.utm.facility | | string |
| sophos.utm.file | | string |
| sophos.utm.filteraction | | text_general |
| sophos.utm.fullreqtime | | plong |
| sophos.utm.function | | string |
| sophos.utm.fwrule | | plong |
| sophos.utm.group | | text_general |
| sophos.utm.id | | string |
| sophos.utm.initf | | string |
| sophos.utm.length | | plong |
| sophos.utm.line | | plong |
| sophos.utm.listener | | plong |
| sophos.utm.message | | text_general |
| sophos.utm.method | | string |
| sophos.utm.name | | text_general |
| sophos.utm.node | | text_general |
| sophos.utm.objname | | text_general |
| sophos.utm.oldattr_active_channels | | plongs |
| sophos.utm.oldattr_address | | text_general |
| sophos.utm.oldattr_addresses | | text_generals |
| sophos.utm.oldattr_resolved | | boolean |
| sophos.utm.oldattr_tunnel_state | | pint |
| sophos.utm.oldvalue | | text_general |
| sophos.utm.outitf | | string |
| sophos.utm.pid | | plong |
| sophos.utm.prec | | string |
| sophos.utm.profile | | text_general |
| sophos.utm.proto | | plong |
| sophos.utm.rawMessage | | text_general |
| sophos.utm.reason | | text_general |
| sophos.utm.ref | | string |
| sophos.utm.referer | | text_general |
| sophos.utm.reputation | | string |
| sophos.utm.request | | string |
| sophos.utm.sandbox | | string |
| sophos.utm.severity | | string |
| sophos.utm.sid | | string |
| sophos.utm.size | | plong |
| sophos.utm.srcip | | text_general |
| sophos.utm.srcmac | | string |
| sophos.utm.srcport | | pint |
| sophos.utm.ssid | | text_general |
| sophos.utm.ssid_id | | string |
| sophos.utm.sta | | string |
| sophos.utm.status_code | | plong |
| sophos.utm.statuscode | | pint |
| sophos.utm.storage | | string |
| sophos.utm.sub | | string |
| sophos.utm.sys | | string |
| sophos.utm.tcpflags | | strings |
| sophos.utm.tos | | string |
| sophos.utm.ttl | | plong |
| sophos.utm.type | | string |
| sophos.utm.ua | | text_general |
| sophos.utm.url | | string |
| sophos.utm.user | | text_general |
| sophos.utm.value | | text_general |
| sophos.utm.version | | plong |
Sample Log Event
Below is a representative JSON log entry showing key fields as they are emitted by the system. Depending on the context of the event, fields that do not apply are omitted.