NGFW (Firewalls)
Version 1.1
Please check back regularly, as new fields are added frequently to align with changes in vendor logs.
Column Name | Data Type
agent.type | text |
destination.as.organization.name | text |
destination.bytes | int |
destination.domain | text |
destination.geo.city_name | text |
destination.geo.continent_code | text |
destination.geo.country_code | text |
destination.geo.country_name | text |
destination.geo.location.lat | geopoint |
destination.geo.location.lon | geopoint |
destination.geo.region_name | text |
destination.ip | ip |
destination.locality | text |
destination.mac | text |
destination.nat.ip | ip |
destination.nat.port | int |
destination.packets | int |
destination.port | int |
destination.service.name | text |
destination.user.email | text |
destination.user.id | text |
destination.user.name | text |
dns.id | int |
dns.question.name | text |
dns.question.type | text |
dns.type | text |
email.bcc.address | text |
email.cc.address | text |
email.delivery_timestamp | date/time |
email.from.address | text |
email.local_id | text |
email.message_id | text |
email.subject | text |
email.to.address | text |
error.message | text |
event.action | text |
event.category | array |
event.created | date |
event.dataset | text |
event.id | text |
event.kind | text |
event.module | text |
event.original | text |
event.outcome | text |
event.reason | text |
event.severity | text |
event.type | array |
file.hash.md5 | text |
file.hash.sha1 | text |
file.hash.sha256 | text |
file.inode | int |
file.name | text |
file.size | int |
file.type | text |
group.name | text |
host.hostname | text |
host.id | text |
host.ip | ip |
host.type | text |
http.request.method | text |
http.request.referrer | text |
log.source.address | ip |
log.source.hostname | text |
log.type | text |
message | text |
network.application | text |
network.bytes | int |
network.community_id | text |
network.direction | text |
network.iana_number | text |
network.inner.vlan.name | text |
network.name | text |
network.packets | int |
network.protocol | text |
network.transport | text |
network.type | text |
network.vlan.name | text |
observer.egress.interface.name | text |
observer.egress.zone | text |
observer.ingress.interface.name | text |
observer.ingress.zone | text |
observer.ip | text |
observer.mac | text |
observer.name | text |
observer.product | text |
observer.type | text |
observer.vendor | text |
observer.version | text |
organisation.id | text |
process.hash.md5 | text |
process.name | text |
process.parent.hash.md5 | text |
process.parent.name | text |
related.hash | array |
related.hosts | array |
related.ip | array |
related.user | array |
rule.category | text |
rule.description | text |
rule.id | text |
rule.name | text |
rule.ruleset | text |
rule.uuid | text |
sensor.id | text |
source.as.number | text |
source.as.organization.name | text |
source.bytes | int |
source.domain | text |
source.geo.city_name | text |
source.geo.continent_code | text |
source.geo.country_code | text |
source.geo.country_name | text |
source.geo.location.lat | geopoint |
source.geo.location.lon | geopoint |
source.geo.region_name | text |
source.ip | ip |
source.locality | text |
source.mac | text |
source.nat.ip | ip |
source.nat.port | int |
source.packets | int |
source.port | int |
source.user.email | text |
source.user.group.name | text |
source.user.id | text |
source.user.name | text |
threat.indicator.file.hash.sha256 | text |
threat.indicator.file.name | text |
threat.indicator.reference | text |
threatintel.days | int |
threatintel.entity | text |
threatintel.event_data | text |
threatintel.lookup | text |
threatintel.malware.malware | text |
threatintel.malware.timestamp | date/time |
threatintel.severity | text |
threatintel.tags | text |
threatintel.white_list | text |
url.domain | text |
url.original | text |
url.original.text | text |
user_agent.name | text |
user_agent.original | text |
user.name | text |
uuid | text |
vulnerability.id | text |
\