Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (17)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.file.name File name associated with the event. | winlog.EventData.Path winlog.EventData.FileName winlog.EventData.KeyFilePath winlog.EventData.ProfilePath winlog.EventData.ScriptPath winlog.EventData.ServiceFileName winlog.EventData.ShareLocalPath | strings |
gen.file.path Full file path associated with the event. | winlog.EventData.Path winlog.EventData.FileName winlog.EventData.KeyFilePath winlog.EventData.ProfilePath winlog.EventData.ScriptPath winlog.EventData.ServiceFileName winlog.EventData.ShareLocalPath | strings |
gen.process.process Name of the process. | winlog.EventData.Application winlog.EventData.ProcessName | string |
gen.src.ip Source IP address. | winlog.EventData.ClientAddress winlog.EventData.IpAddress winlog.EventData.SourceAddr winlog.EventData.SourceAddress | text_general |
gen.dest.ip Destination IP address. | winlog.EventData.DestAddress | text_general |
gen.dest.port Destination port number. | winlog.EventData.DestPort | pint |
gen.firewall.direction Traffic direction (e.g., inbound, outbound). | winlog.EventData.Direction | strings |
gen.src.port Source port number. | winlog.EventData.IpPort winlog.EventData.SourcePort | pint |
gen.src.mac MAC address of the source device. | winlog.EventData.LocalMac | string |
gen.process.parent.process Name of the parent process. | winlog.EventData.ParentProcessName | string |
gen.dest.mac MAC address of the destination device. | winlog.EventData.PeerMac | string |
gen.process.pid Process ID of the running process. | winlog.EventData.ProcessID | pint |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | winlog.EventData.Protocol | strings |
gen.ssid SSID of the wireless network used. | winlog.EventData.SSID | strings |
gen.username Username associated with the event. | winlog.EventData.TargetUserName winlog.EventData.UserName | text_general |
gen.hostname Normalized hostname of the system generating the log. | winlog.System.Computer | text_general |
gen.severity Normalized severity field across log sources. | winlog.System.Level | strings |
Reference-Specific Fields (387)
| Field | Type |
|---|---|
winlog.EventData.Path | string |
winlog.DebugData.Component | text_general |
winlog.DebugData.FileLine | text_general |
winlog.DebugData.FlagsName | text_general |
winlog.DebugData.Function | text_general |
winlog.DebugData.LevelName | text_general |
winlog.DebugData.Message | text_general |
winlog.DebugData.SequenceNumber | plong |
winlog.DebugData.SubComponent | text_general |
winlog.EventData.AccessGranted | text_general |
winlog.EventData.AccessList | string |
winlog.EventData.AccessMask | string |
winlog.EventData.AccessReason | string |
winlog.EventData.AccessRemoved | text_general |
winlog.EventData.AccountDomain | string |
winlog.EventData.AccountExpires | string |
winlog.EventData.AccountName | text_general |
winlog.EventData.Action | string |
winlog.EventData.ActiveProfile | text_general |
winlog.EventData.AddedCAPs | text_general |
winlog.EventData.AdditionalInfo | string |
winlog.EventData.AdvancedOptions | string |
winlog.EventData.AlgorithmName | string |
winlog.EventData.AllowedToDelegateTo | string |
winlog.EventData.AppCorrelationID | string |
winlog.EventData.Application | text_general |
winlog.EventData.AttributeLDAPDisplayName | text_general |
winlog.EventData.AttributeSyntaxOID | string |
winlog.EventData.AttributeValue | string |
winlog.EventData.AuditPolicyChanges | strings |
winlog.EventData.AuditSourceName | text_general |
winlog.EventData.AuditStatusCode | plong |
winlog.EventData.AuthenticationPackageName | text_general |
winlog.EventData.CallerProcessId | text_general |
winlog.EventData.CallerProcessName | text_general |
winlog.EventData.CalloutKey | string |
winlog.EventData.CalloutName | text_general |
winlog.EventData.CategoryId | strings |
winlog.EventData.CertIssuerName | string |
winlog.EventData.CertSerialNumber | string |
winlog.EventData.CertThumbprint | string |
winlog.EventData.ChangeType | string |
winlog.EventData.ClassId | string |
winlog.EventData.ClassName | text_general |
winlog.EventData.ClientAddress | text_general |
winlog.EventData.ClientName | text_general |
winlog.EventData.CompatibleIds | string |
winlog.EventData.ComputerAccountChange | string |
winlog.EventData.ComputerName | text_general |
winlog.EventData.Conditions | text_general |
winlog.EventData.ConfigAccessPolicy | string |
winlog.EventData.ConfiguredNames | string |
winlog.EventData.CrashOnAuditFailValue | string |
winlog.EventData.CredType | string |
winlog.EventData.DSName | text_general |
winlog.EventData.DSType | string |
winlog.EventData.DestAddress | text_general |
winlog.EventData.DestPort | pint |
winlog.EventData.DestinationDRA | text_general |
winlog.EventData.DeviceClaims | string |
winlog.EventData.DeviceDescription | text_general |
winlog.EventData.DeviceId | text_general |
winlog.EventData.Direction | string |
winlog.EventData.DisableIntegrityChecks | string |
winlog.EventData.DisabledPrivilegeList | string |
winlog.EventData.DisplayName | text_general |
winlog.EventData.DnsHostName | text_general |
winlog.EventData.DnsName | text_general |
winlog.EventData.DomainBehaviorVersion | string |
winlog.EventData.DomainName | text_general |
winlog.EventData.DomainPolicyChanged | text_general |
winlog.EventData.DomainSid | string |
winlog.EventData.Dummy | string |
winlog.EventData.Duration | string |
winlog.EventData.EAPErrorCode | string |
winlog.EventData.EAPReasonCode | string |
winlog.EventData.ElevatedToken | string |
winlog.EventData.EnabledPrivilegeList | text_general |
winlog.EventData.EndUSN | string |
winlog.EventData.EntryType | string |
winlog.EventData.ErrorCode | string |
winlog.EventData.EventCount | plong |
winlog.EventData.EventCountTotal | plong |
winlog.EventData.EventId | plong |
winlog.EventData.EventIdx | plong |
winlog.EventData.EventSourceId | string |
winlog.EventData.FailureId | string |
winlog.EventData.FailureReason | text_general |
winlog.EventData.FileName | text_general |
winlog.EventData.FilterId | string |
winlog.EventData.FilterKey | string |
winlog.EventData.FilterName | string |
winlog.EventData.FilterRTID | plong |
winlog.EventData.FilterType | string |
winlog.EventData.Flags | string |
winlog.EventData.FlightSigning | string |
winlog.EventData.ForceLogoff | string |
winlog.EventData.ForestRoot | text_general |
winlog.EventData.ForestRootSid | string |
winlog.EventData.GPOList | text_general |
winlog.EventData.GroupMembership | string |
winlog.EventData.GroupPolicyApplied | string |
winlog.EventData.GroupTypeChange | text_general |
winlog.EventData.HandleId | string |
winlog.EventData.HardwareIds | string |
winlog.EventData.HomeDirectory | string |
winlog.EventData.HomePath | string |
winlog.EventData.HypervisorDebug | string |
winlog.EventData.HypervisorLaunchType | string |
winlog.EventData.HypervisorLoadOptions | string |
winlog.EventData.Identity | text_general |
winlog.EventData.ImpersonationLevel | string |
winlog.EventData.InterfaceName | text_general |
winlog.EventData.IntfGuid | string |
winlog.EventData.IpAddress | text_general |
winlog.EventData.IpAddresses | text_generals |
winlog.EventData.IpPort | pint |
winlog.EventData.KerberosPolicyChange | string |
winlog.EventData.KernelDebug | string |
winlog.EventData.KeyFilePath | text_general |
winlog.EventData.KeyLength | plong |
winlog.EventData.KeyName | string |
winlog.EventData.KeyType | string |
winlog.EventData.LayerId | plong |
winlog.EventData.LayerKey | string |
winlog.EventData.LayerName | string |
winlog.EventData.LayerRTID | plong |
winlog.EventData.LinkName | text_general |
winlog.EventData.LmPackageName | string |
winlog.EventData.LoadOptions | string |
winlog.EventData.LocalMac | text_general |
winlog.EventData.LocalUser | text_general |
winlog.EventData.LocationInformation | text_general |
winlog.EventData.LockoutDuration | string |
winlog.EventData.LockoutObservationWindow | string |
winlog.EventData.LockoutThreshold | string |
winlog.EventData.LogDroppedPacketsEnabled | string |
winlog.EventData.LogSuccessfulConnectionsEnabled | string |
winlog.EventData.LogonGuid | string |
winlog.EventData.LogonHours | string |
winlog.EventData.LogonID | string |
winlog.EventData.LogonProcessName | text_general |
winlog.EventData.LogonType | plong |
winlog.EventData.LogonTypeName | string |
winlog.EventData.MachineAccountQuota | string |
winlog.EventData.MandatoryLabel | string |
winlog.EventData.MasterKeyId | string |
winlog.EventData.MaxPasswordAge | string |
winlog.EventData.MemberName | text_general |
winlog.EventData.MemberSid | string |
winlog.EventData.MessageNumber | pint |
winlog.EventData.MessageTotal | pint |
winlog.EventData.MinPasswordAge | string |
winlog.EventData.MinPasswordLength | plong |
winlog.EventData.MixedDomainMode | string |
winlog.EventData.ModifiedObjectProperties | text_general |
winlog.EventData.MulticastFlowsEnabled | string |
winlog.EventData.NamingContext | text_general |
winlog.EventData.NetbiosName | text_general |
winlog.EventData.NewMaxUsers | string |
winlog.EventData.NewObjectDN | text_general |
winlog.EventData.NewProcessId | string |
winlog.EventData.NewProcessName | text_general |
winlog.EventData.NewRemark | string |
winlog.EventData.NewSD | string |
winlog.EventData.NewSd | string |
winlog.EventData.NewShareFlags | string |
winlog.EventData.NewState | string |
winlog.EventData.NewTargetUserName | text_general |
winlog.EventData.NewTime | string |
winlog.EventData.NewUacValue | string |
winlog.EventData.NewValue | text_general |
winlog.EventData.NewValueType | string |
winlog.EventData.NotificationPackageName | string |
winlog.EventData.ObjectClass | text_general |
winlog.EventData.ObjectCollectionName | text_general |
winlog.EventData.ObjectDN | text_general |
winlog.EventData.ObjectDisplayName | string |
winlog.EventData.ObjectGUID | string |
winlog.EventData.ObjectIdentifyingProperties | text_general |
winlog.EventData.ObjectName | text_general |
winlog.EventData.ObjectProperties | text_general |
winlog.EventData.ObjectServer | text_general |
winlog.EventData.ObjectType | string |
winlog.EventData.ObjectValueName | text_general |
winlog.EventData.OemInformation | string |
winlog.EventData.OldMaxUsers | string |
winlog.EventData.OldObjectDN | text_general |
winlog.EventData.OldRemark | string |
winlog.EventData.OldSD | string |
winlog.EventData.OldSd | string |
winlog.EventData.OldShareFlags | string |
winlog.EventData.OldTargetUserName | text_general |
winlog.EventData.OldUacValue | string |
winlog.EventData.OldValueType | string |
winlog.EventData.OpCorrelationID | string |
winlog.EventData.Operation | string |
winlog.EventData.OperationId | string |
winlog.EventData.OperationMode | string |
winlog.EventData.OperationType | string |
winlog.EventData.Options | plong |
winlog.EventData.Package | text_general |
winlog.EventData.PackageName | text_general |
winlog.EventData.ParentProcessName | text_general |
winlog.EventData.PasswordHistoryLength | plong |
winlog.EventData.PasswordLastSet | string |
winlog.EventData.PasswordProperties | string |
winlog.EventData.PeerMac | string |
winlog.EventData.PreAuthType | string |
winlog.EventData.PreviousTime | pdate |
winlog.EventData.PrimaryGroupId | plong |
winlog.EventData.PrivilegeList | text_general |
winlog.EventData.PrivilegeList | strings |
winlog.EventData.ProcessID | plong |
winlog.EventData.ProcessId | string |
winlog.EventData.ProcessName | text_general |
winlog.EventData.Profile | text_general |
winlog.EventData.ProfileChanged | text_general |
winlog.EventData.ProfilePath | string |
winlog.EventData.ProfileUsed | text_general |
winlog.EventData.Profiles | text_general |
winlog.EventData.Properties | string |
winlog.EventData.Protocol | string |
winlog.EventData.ProviderKey | string |
winlog.EventData.ProviderName | text_general |
winlog.EventData.PuaCount | plong |
winlog.EventData.PuaPolicyId | string |
winlog.EventData.ReasonCode | string |
winlog.EventData.ReasonForRejection | text_general |
winlog.EventData.ReasonText | text_general |
winlog.EventData.RecoveryKeyId | string |
winlog.EventData.RecoveryReason | string |
winlog.EventData.RecoveryServer | text_general |
winlog.EventData.RelativeTargetName | text_general |
winlog.EventData.RemoteAdminEnabled | string |
winlog.EventData.RemoteEventLogging | string |
winlog.EventData.RemoteID | pint |
winlog.EventData.RemoteMachineID | string |
winlog.EventData.RemoteUserID | string |
winlog.EventData.ReplicationEvent | string |
winlog.EventData.ResourceAttributes | string |
winlog.EventData.ResourceManager | string |
winlog.EventData.RestrictedAdminMode | string |
winlog.EventData.RestrictedSidCount | plong |
winlog.EventData.ReturnCode | string |
winlog.EventData.RuleAttr | string |
winlog.EventData.RuleId | string |
winlog.EventData.RuleName | text_general |
winlog.EventData.SSID | text_general |
winlog.EventData.SamAccountName | text_general |
winlog.EventData.ScriptBlockId | string |
winlog.EventData.ScriptBlockText | text_general |
winlog.EventData.ScriptPath | string |
winlog.EventData.SecurityPackageName | text_general |
winlog.EventData.ServerNames | text_generals |
winlog.EventData.Service | text_general |
winlog.EventData.ServiceAccount | string |
winlog.EventData.ServiceFileName | text_general |
winlog.EventData.ServiceName | text_general |
winlog.EventData.ServicePrincipalNames | text_general |
winlog.EventData.ServiceSid | string |
winlog.EventData.ServiceStartType | string |
winlog.EventData.ServiceType | string |
winlog.EventData.SessionID | plong |
winlog.EventData.SessionId | plong |
winlog.EventData.SessionName | text_general |
winlog.EventData.SettingType | string |
winlog.EventData.SettingValue | string |
winlog.EventData.ShareLocalPath | text_general |
winlog.EventData.ShareName | text_general |
winlog.EventData.SidFilteringEnabled | string |
winlog.EventData.SidHistory | string |
winlog.EventData.SidList | string |
winlog.EventData.SourceAddr | string |
winlog.EventData.SourceAddress | text_general |
winlog.EventData.SourceDRA | text_general |
winlog.EventData.SourceHandleId | string |
winlog.EventData.SourcePort | pint |
winlog.EventData.SourceProcessId | string |
winlog.EventData.SpnName | string |
winlog.EventData.StagingReason | text_general |
winlog.EventData.StartUSN | string |
winlog.EventData.Status | string |
winlog.EventData.StatusCode | plong |
winlog.EventData.SubStatus | string |
winlog.EventData.SubcategoryGuid | string |
winlog.EventData.SubcategoryId | string |
winlog.EventData.SubjectDomainName | text_general |
winlog.EventData.SubjectLogonId | text_general |
winlog.EventData.SubjectUserDomainName | text_general |
winlog.EventData.SubjectUserName | text_general |
winlog.EventData.SubjectUserSid | text_general |
winlog.EventData.TargetDomainName | text_general |
winlog.EventData.TargetHandleId | string |
winlog.EventData.TargetInfo | text_general |
winlog.EventData.TargetLinkedLogonId | string |
winlog.EventData.TargetLogonGuid | string |
winlog.EventData.TargetLogonId | text_general |
winlog.EventData.TargetOutboundDomainName | string |
winlog.EventData.TargetOutboundUserName | text_general |
winlog.EventData.TargetProcessId | string |
winlog.EventData.TargetProcessName | text_general |
winlog.EventData.TargetServer | text_general |
winlog.EventData.TargetServerName | text_general |
winlog.EventData.TargetSid | text_general |
winlog.EventData.TargetUserDomain | text_general |
winlog.EventData.TargetUserName | text_general |
winlog.EventData.TargetUserSid | text_general |
winlog.EventData.TaskContent | text_general |
winlog.EventData.TaskContentNew | text_general |
winlog.EventData.TaskName | text_general |
winlog.EventData.TdoAttributes | string |
winlog.EventData.TdoDirection | string |
winlog.EventData.TdoType | string |
winlog.EventData.TestSigning | string |
winlog.EventData.TicketEncryptionType | string |
winlog.EventData.TicketOptions | string |
winlog.EventData.TokenElevationType | string |
winlog.EventData.TopLevelName | string |
winlog.EventData.TransactionId | string |
winlog.EventData.TransmittedServices | string |
winlog.EventData.TreeDelete | string |
winlog.EventData.UserAccountControl | string |
winlog.EventData.UserClaims | text_general |
winlog.EventData.UserName | text_general |
winlog.EventData.UserParameters | string |
winlog.EventData.UserPrincipalName | text_general |
winlog.EventData.UserSid | string |
winlog.EventData.UserUPN | text_general |
winlog.EventData.UserWorkstations | text_general |
winlog.EventData.VendorIds | text_general |
winlog.EventData.VirtualAccount | string |
winlog.EventData.VsmLaunchType | string |
winlog.EventData.Weight | plong |
winlog.EventData.Workstation | text_general |
winlog.EventData.WorkstationName | text_general |
winlog.EventData._Data | text_generals |
winlog.EventData.param1 | text_general |
winlog.EventData.param10 | string |
winlog.EventData.param11 | string |
winlog.EventData.param12 | string |
winlog.EventData.param13 | string |
winlog.EventData.param2 | text_general |
winlog.EventData.param3 | string |
winlog.EventData.param4 | string |
winlog.EventData.param5 | string |
winlog.EventData.param6 | string |
winlog.EventData.param7 | string |
winlog.EventData.param8 | string |
winlog.EventData.param9 | string |
winlog.EventName | text_general |
winlog.EventSource | string |
winlog.ProcessingErrorData.DataItemName | text_general |
winlog.ProcessingErrorData.ErrorCode | plong |
winlog.ProcessingErrorData.EventPayload | text_general |
winlog.RenderingInfo.Channel | text_general |
winlog.RenderingInfo.CultureAttr | text_general |
winlog.RenderingInfo.Keywords.Keywords | text_generals |
winlog.RenderingInfo.Level | text_general |
winlog.RenderingInfo.Message | text_general |
winlog.RenderingInfo.Opcode | text_general |
winlog.RenderingInfo.Provider | text_general |
winlog.RenderingInfo.Task | text_general |
winlog.System.Channel | text_general |
winlog.System.Computer | text_general |
winlog.System.Correlation.ActivityID | text_general |
winlog.System.Correlation.RelatedActivityID | text_general |
winlog.System.EventID | pint |
winlog.System.EventRecordID | plong |
winlog.System.Execution.KernelTime | plong |
winlog.System.Execution.ProcessID | plong |
winlog.System.Execution.ProcessorID | plong |
winlog.System.Execution.ProcessorTime | plong |
winlog.System.Execution.SessionID | plong |
winlog.System.Execution.ThreadID | plong |
winlog.System.Execution.UserTime | plong |
winlog.System.Keywords | text_general |
winlog.System.Level | plong |
winlog.System.Opcode | plong |
winlog.System.Provider.EventSourceName | text_general |
winlog.System.Provider.Guid | text_general |
winlog.System.Provider.Name | text_general |
winlog.System.Security.UserID | text_general |
winlog.System.Task | plong |
winlog.System.TimeCreated.RawTime | plong |
winlog.System.TimeCreated.SystemTime | pdate |
winlog.System.Version | plong |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.