Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (19)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, and status codes that every namespace needs. Sharing these fields keeps naming consistent and makes cross-namespace searches and reports straightforward.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | sophos.utm.action | strings |
| gen.dest.ip | Destination IP address. | sophos.utm.dstip | text_general |
| gen.dest.mac | MAC address of the destination device. | sophos.utm.dstmac | string |
| gen.dest.port | Destination port number. | sophos.utm.dstport | pint |
| gen.file.name | File name associated with the event. | sophos.utm.file | strings |
| gen.file.path | Full file path associated with the event. | sophos.utm.file | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | sophos.utm.fwrule | strings |
| gen.src.interface | Network interface used for the source connection. | sophos.utm.initf | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | sophos.utm.method | string |
| gen.dest.interface | Network interface used for the destination connection. | sophos.utm.outitf | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | sophos.utm.proto | strings |
| gen.proxy.referrer | HTTP referrer header value. | sophos.utm.referer | string |
| gen.severity | Normalized severity field across log sources. | sophos.utm.severity | strings |
| gen.src.ip | Source IP address. | sophos.utm.srcip | text_general |
| gen.src.mac | MAC address of the source device. | sophos.utm.srcmac | string |
| gen.src.port | Source port number. | sophos.utm.srcport | pint |
| gen.ssid | SSID of the wireless network used. | sophos.utm.ssid | strings |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | sophos.utm.statuscode | pint |
| gen.username | Username associated with the event. | sophos.utm.user | text_general |
Reference-Specific Fields (87)
| Field | Type |
|---|---|
| sophos.utm.action | text_general |
| sophos.utm.ad_domain | string |
| sophos.utm.app | string |
| sophos.utm.aptptime | plong |
| sophos.utm.attr_active_channels | plongs |
| sophos.utm.attr_address | text_general |
| sophos.utm.attr_addresses | text_generals |
| sophos.utm.attr_resolved | plong |
| sophos.utm.attr_tunnel_state | boolean |
| sophos.utm.auth | boolean |
| sophos.utm.authtime | plong |
| sophos.utm.avscantime | plong |
| sophos.utm.bssid | string |
| sophos.utm.cached | boolean |
| sophos.utm.call | string |
| sophos.utm.category | plong |
| sophos.utm.categoryname | text_general |
| sophos.utm.cattime | plong |
| sophos.utm.class | string |
| sophos.utm.client | string |
| sophos.utm.code | plong |
| sophos.utm.content_type | string |
| sophos.utm.device | string |
| sophos.utm.dnstime | plong |
| sophos.utm.dstip | text_general |
| sophos.utm.dstmac | string |
| sophos.utm.dstport | pint |
| sophos.utm.error | text_general |
| sophos.utm.exceptions | strings |
| sophos.utm.facility | string |
| sophos.utm.file | string |
| sophos.utm.filteraction | text_general |
| sophos.utm.fullreqtime | plong |
| sophos.utm.function | string |
| sophos.utm.fwrule | plong |
| sophos.utm.group | text_general |
| sophos.utm.id | string |
| sophos.utm.initf | string |
| sophos.utm.length | plong |
| sophos.utm.line | plong |
| sophos.utm.listener | plong |
| sophos.utm.message | text_general |
| sophos.utm.method | string |
| sophos.utm.name | text_general |
| sophos.utm.node | text_general |
| sophos.utm.objname | text_general |
| sophos.utm.oldattr_active_channels | plongs |
| sophos.utm.oldattr_address | text_general |
| sophos.utm.oldattr_addresses | text_generals |
| sophos.utm.oldattr_resolved | boolean |
| sophos.utm.oldattr_tunnel_state | pint |
| sophos.utm.oldvalue | text_general |
| sophos.utm.outitf | string |
| sophos.utm.pid | plong |
| sophos.utm.prec | string |
| sophos.utm.profile | text_general |
| sophos.utm.proto | plong |
| sophos.utm.rawMessage | text_general |
| sophos.utm.reason | text_general |
| sophos.utm.ref | string |
| sophos.utm.referer | text_general |
| sophos.utm.reputation | string |
| sophos.utm.request | string |
| sophos.utm.sandbox | string |
| sophos.utm.severity | string |
| sophos.utm.sid | string |
| sophos.utm.size | plong |
| sophos.utm.srcip | text_general |
| sophos.utm.srcmac | string |
| sophos.utm.srcport | pint |
| sophos.utm.ssid | text_general |
| sophos.utm.ssid_id | string |
| sophos.utm.sta | string |
| sophos.utm.status_code | plong |
| sophos.utm.statuscode | pint |
| sophos.utm.storage | string |
| sophos.utm.sub | string |
| sophos.utm.sys | string |
| sophos.utm.tcpflags | strings |
| sophos.utm.tos | string |
| sophos.utm.ttl | plong |
| sophos.utm.type | string |
| sophos.utm.ua | text_general |
| sophos.utm.url | string |
| sophos.utm.user | text_general |
| sophos.utm.value | text_general |
| sophos.utm.version | plong |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.