Sophos
Sophos endpoint and firewall logs: malware detections, exploit blocks, policy enforcement and quarantine actions.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (368)
Field | Type |
---|---|
sophos.FTP_direction | string |
sophos.FTP_url | text_general |
sophos.GREEN | plong |
sophos.RED | plong |
sophos.TOTAL | plong |
sophos.YELLOW | plong |
sophos.action | string |
sophos.activity_name | string |
sophos.additional_information | text_general |
sophos.ap | string |
sophos.app_category | text_general |
sophos.app_filter_policy_id | string |
sophos.app_is_cloud | string |
sophos.app_name | text_general |
sophos.app_resolved_by | string |
sophos.app_risk | plong |
sophos.app_technology | string |
sophos.appfilter_policy_id | string |
sophos.application | text_general |
sophos.application_category | text_general |
sophos.application_filter_policy | string |
sophos.application_name | text_general |
sophos.application_risk | plong |
sophos.application_technology | string |
sophos.appresolvedby | string |
sophos.auth_client | string |
sophos.auth_mechanism | string |
sophos.av_policy_name | string |
sophos.bitmask | string |
sophos.branch_name | string |
sophos.bridge_display_name | string |
sophos.bridge_name | string |
sophos.bytes_received | plong |
sophos.bytes_sent | plong |
sophos.category | string |
sophos.category_type | string |
sophos.cert_chain_served | string |
sophos.cipher_suite | string |
sophos.classification | string |
sophos.client_host_name | text_general |
sophos.client_physical | text_general |
sophos.client_used | string |
sophos.clients_conn_SSID | plong |
sophos.con_direction | string |
sophos.con_id | string |
sophos.connectionname | string |
sophos.connectiontype | string |
sophos.connevent | string |
sophos.content_filter_key | string |
sophos.content_type | text_general |
sophos.context_match | text_general |
sophos.context_prefix | text_general |
sophos.context_suffix | text_general |
sophos.cookie | text_general |
sophos.destination | text_general |
sophos.device | string |
sophos.device_id | string |
sophos.device_model | string |
sophos.device_name | string |
sophos.device_serial_id | string |
sophos.dictionaryname | string |
sophos.dir_disp | string |
sophos.direction | string |
sophos.domain | text_general |
sophos.domainname | text_general |
sophos.download_file | text_general |
sophos.download_file_name | text_general |
sophos.download_file_type | text_general |
sophos.dst_country | string |
sophos.dst_country_code | string |
sophos.dst_domainname | text_general |
sophos.dst_host | text_general |
sophos.dst_ip | text_general |
sophos.dst_mac | text_general |
sophos.dst_port | pint |
sophos.dst_zone | string |
sophos.dst_zone_type | string |
sophos.duration | plong |
sophos.email_size | plong |
sophos.email_subject | text_general |
sophos.ep_health | string |
sophos.ep_ip | text_general |
sophos.ep_name | text_general |
sophos.ep_uuid | string |
sophos.ether_type | string |
sophos.event_id | string |
sophos.event_type | string |
sophos.exceptions | string |
sophos.execution_path | text_general |
sophos.extra | text_general |
sophos.file_hash | string |
sophos.file_name | text_general |
sophos.file_path | text_general |
sophos.file_size | plong |
sophos.filename | text_general |
sophos.filesize | plong |
sophos.filetype | text_general |
sophos.fingerprint | string |
sophos.flags | string |
sophos.from | text_general |
sophos.from_email_address | text_general |
sophos.ftpcommand | text_general |
sophos.fw_rule_id | string |
sophos.fw_rule_name | string |
sophos.fw_rule_section | string |
sophos.gatewayname | string |
sophos.gw_id_reply | string |
sophos.gw_id_request | string |
sophos.gw_name_reply | string |
sophos.gw_name_request | string |
sophos.hb_health | string |
sophos.host | text_general |
sophos.http_category | text_general |
sophos.http_category_type | text_general |
sophos.http_referer | text_general |
sophos.http_status | pint |
sophos.http_user_agent | text_general |
sophos.iap | string |
sophos.icmp_code | string |
sophos.icmp_type | string |
sophos.idp_policy_id | string |
sophos.in_display_interface | string |
sophos.in_interface | string |
sophos.interface | string |
sophos.ipaddress | text_general |
sophos.ipleased | string |
sophos.ips_policy_id | string |
sophos.key_param | string |
sophos.key_type | string |
sophos.localgateway | text_general |
sophos.localinterfaceip | text_general |
sophos.localip | text_general |
sophos.localnetwork | string |
sophos.log_component | string |
sophos.log_id | string |
sophos.log_occurrence | plong |
sophos.log_subtype | string |
sophos.log_type | string |
sophos.log_version | string |
sophos.login_user | string |
sophos.mailid | string |
sophos.mailsize | plong |
sophos.malware | string |
sophos.message | text_general |
sophos.message_id | string |
sophos.method | string |
sophos.mode | string |
sophos.name | string |
sophos.nat_rule_id | string |
sophos.nat_rule_name | string |
sophos.out_display_interface | string |
sophos.out_interface | string |
sophos.override_authorizer | string |
sophos.override_name | string |
sophos.override_token | string |
sophos.parent_app | text_general |
sophos.parent_app_category | text_general |
sophos.parent_app_risk | plong |
sophos.platform | string |
sophos.policy_name | string |
sophos.policy_type | string |
sophos.priority | string |
sophos.proc_user | text_general |
sophos.process_user | text_general |
sophos.profile_id | string |
sophos.profile_name | string |
sophos.protocol | string |
sophos.qualifier | string |
sophos.quarantine_reason | string |
sophos.queryString | text_general |
sophos.reason | string |
sophos.recipient | text_general |
sophos.recv_bytes | plong |
sophos.recv_pkts | plong |
sophos.red_id | string |
sophos.referer | text_general |
sophos.remote_ip | text_general |
sophos.remoteinterfaceip | text_general |
sophos.remotenetwork | text_general |
sophos.remotepeer | text_general |
sophos.reported | string |
sophos.reported_host | text_general |
sophos.reported_id | string |
sophos.reported_ip | text_general |
sophos.reported_user | text_general |
sophos.resource | string |
sophos.resource_type | string |
sophos.responsetime | plong |
sophos.resumed | string |
sophos.rule_id | string |
sophos.rule_name | string |
sophos.rule_priority | pint |
sophos.sdwan_profile_id_reply | string |
sophos.sdwan_profile_id_request | string |
sophos.sdwan_profile_name_reply | string |
sophos.sdwan_profile_name_request | string |
sophos.sdwan_route_id_reply | string |
sophos.sdwan_route_id_request | string |
sophos.sdwan_route_name_reply | string |
sophos.sdwan_route_name_request | string |
sophos.sender | text_general |
sophos.sent_bytes | plong |
sophos.sent_pkts | plong |
sophos.server | text_general |
sophos.sessionid | string |
sophos.severity | text_general |
sophos.sha1sum | string |
sophos.signature_id | string |
sophos.signature_msg | text_general |
sophos.sitecategory | string |
sophos.sni | string |
sophos.source | text_general |
sophos.spamaction | string |
sophos.src_country | string |
sophos.src_country_code | string |
sophos.src_domainname | text_general |
sophos.src_host | text_general |
sophos.src_ip | text_general |
sophos.src_mac | text_general |
sophos.src_port | pint |
sophos.src_zone | string |
sophos.src_zone_type | string |
sophos.ssid | string |
sophos.status | string |
sophos.status_code | pint |
sophos.subject | text_general |
sophos.target | string |
sophos.threatname | text_general |
sophos.tls_version | string |
sophos.to_email_address | text_general |
sophos.tran_dst_ip | text_general |
sophos.tran_dst_port | pint |
sophos.tran_src_ip | text_general |
sophos.tran_src_port | pint |
sophos.transaction | string |
sophos.transaction_id | string |
sophos.upload_file_name | text_general |
sophos.upload_file_type | text_general |
sophos.url | text_general |
sophos.used_quota | plong |
sophos.user_agent | text_general |
sophos.user_full_name | text_general |
sophos.user_gp | text_general |
sophos.user_group | text_general |
sophos.user_name | text_general |
sophos.usergroupname | text_general |
sophos.vconnid | string |
sophos.virus | text_general |
sophos.vlan_id | string |
sophos.web_policy | string |
sophos.web_policy_id | string |
sophos.website | text_general |
sophos.ws_protocol | string |
sophos.Threatfeed | string |
sophos.eventtype | string |
sophos.start | pdate |
sophos.end | pdate |
sophos.start_time | pdate |
sophos.updatedip | string |
sophos.Severity | string |
sophos.lease_time | plong |
sophos.client_physical_address | string |
sophos.raw_data | string |
sophos.quarantine | string |
sophos.to | string |
sophos.ep_event_time | pdate |
sophos.con_name | string |
sophos.disable_count | plong |
sophos.enable_count | plong |
sophos.disconnect_count | plong |
sophos.con_count | plong |
sophos.eventtime | pdate |
sophos.gw_id | string |
sophos.gw_name | string |
sophos.probe_target | string |
sophos.latency | plong |
sophos.jitter | plong |
sophos.packet_loss | plong |
sophos.gw_status | string |
sophos.sla_status | string |
sophos.Mode | string |
sophos.utm.avscantime | plong |
sophos.utm.sid | string |
sophos.utm.oldattr_tunnel_state | pint |
sophos.utm.attr_active_channels | plong [] |
sophos.utm.sub | string |
sophos.utm.authtime | plong |
sophos.utm.cached | boolean |
sophos.utm.srcmac | string |
sophos.utm.length | plong |
sophos.utm.tcpflags | string [] |
sophos.utm.facility | string |
sophos.utm.app | string |
sophos.utm.exceptions | string [] |
sophos.utm.sandbox | string |
sophos.utm.attr_resolved | plong |
sophos.utm.sys | string |
sophos.utm.storage | string |
sophos.utm.initf | string |
sophos.utm.id | string |
sophos.utm.prec | string |
sophos.utm.dstport | pint |
sophos.utm.value | text_general |
sophos.utm.objname | text_general |
sophos.utm.aptptime | plong |
sophos.utm.srcip | text_general |
sophos.utm.auth | boolean |
sophos.utm.category | plong |
sophos.utm.file | string |
sophos.utm.oldattr_addresses | text_general [] |
sophos.utm.listener | plong |
sophos.utm.name | text_general |
sophos.utm.dstip | text_general |
sophos.utm.url | string |
sophos.utm.severity | string |
sophos.utm.fwrule | plong |
sophos.utm.oldvalue | text_general |
sophos.utm.ref | string |
sophos.utm.ssid_id | string |
sophos.utm.filteraction | text_general |
sophos.utm.statuscode | pint |
sophos.utm.request | string |
sophos.utm.categoryname | text_general |
sophos.utm.tos | string |
sophos.utm.srcport | pint |
sophos.utm.version | plong |
sophos.utm.class | string |
sophos.utm.method | string |
sophos.utm.sta | string |
sophos.utm.bssid | string |
sophos.utm.size | plong |
sophos.utm.dstmac | string |
sophos.utm.pid | plong |
sophos.utm.ad_domain | string |
sophos.utm.call | string |
sophos.utm.ssid | text_general |
sophos.utm.reason | text_general |
sophos.utm.ua | text_general |
sophos.utm.action | text_general |
sophos.utm.fullreqtime | plong |
sophos.utm.ttl | plong |
sophos.utm.content_type | string |
sophos.utm.code | plong |
sophos.utm.attr_tunnel_state | boolean |
sophos.utm.referer | text_general |
sophos.utm.oldattr_active_channels | plong [] |
sophos.utm.profile | text_general |
sophos.utm.dnstime | plong |
sophos.utm.error | text_general |
sophos.utm.reputation | string |
sophos.utm.proto | plong |
sophos.utm.function | string |
sophos.utm.line | plong |
sophos.utm.attr_address | text_general |
sophos.utm.rawMessage | text_general |
sophos.utm.device | string |
sophos.utm.client | string |
sophos.utm.attr_addresses | text_general [] |
sophos.utm.status_code | plong |
sophos.utm.cattime | plong |
sophos.utm.user | text_general |
sophos.utm.outitf | string |
sophos.utm.node | text_general |
sophos.utm.message | text_general |
sophos.utm.oldattr_address | text_general |
sophos.utm.type | string |
sophos.utm.oldattr_resolved | boolean |
sophos.utm.group | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.