NGFW (Firewalls)
Version 1.1
Check back regularly: new fields are added as vendor log formats change. Parsers, queries and detection content that reference these column names should be re-validated whenever the field list is updated.
Column Name
Data Type
agent.type
text
destination.as.organization.name
text
destination.bytes
int
destination.domain
text
destination.geo.city_name
text
destination.geo.continent_code
text
destination.geo.country_code
text
destination.geo.country_name
text
destination.geo.location.lat
geopoint
destination.geo.location.lon
geopoint
destination.geo.region_name
text
destination.ip
ip
destination.locality
text
destination.mac
text
destination.nat.ip
ip
destination.nat.port
int
destination.packets
int
destination.port
int
destination.service.name
text
destination.user.email
text
destination.user.id
text
destination.user.name
text
dns.id
int
dns.question.name
text
dns.question.type
text
dns.type
text
email.bcc.address
text
email.cc.address
text
email.delivery_timestamp
date/time
email.from.address
text
email.local_id
text
email.message_id
text
email.subject
text
email.to.address
text
error.message
text
event.action
text
event.category
array
event.created
date
event.dataset
text
event.id
text
event.kind
text
event.module
text
event.original
text
event.outcome
text
event.reason
text
event.severity
text
event.type
array
file.hash.md5
text
file.hash.sha1
text
file.hash.sha256
text
file.inode
int
file.name
text
file.size
int
file.type
text
group.name
text
host.hostname
text
host.id
text
host.ip
ip
host.type
text
http.request.method
text
http.request.referrer
text
log.source.address
ip
log.source.hostname
text
log.type
text
message
text
network.application
text
network.bytes
int
network.community_id
text
network.direction
text
network.iana_number
text
network.inner.vlan.name
text
network.name
text
network.packets
int
network.protocol
text
network.transport
text
network.type
text
network.vlan.name
text
observer.egress.interface.name
text
observer.egress.zone
text
observer.ingress.interface.name
text
observer.ingress.zone
text
observer.ip
text
observer.mac
text
observer.name
text
observer.product
text
observer.type
text
observer.vendor
text
observer.version
text
organisation.id
text
process.hash.md5
text
process.name
text
process.parent.hash.md5
text
process.parent.name
text
related.hash
array
related.hosts
array
related.ip
array
related.user
array
rule.category
text
rule.description
text
rule.id
text
rule.name
text
rule.ruleset
text
rule.uuid
text
sensor.id
text
source.as.number
text
source.as.organization.name
text
source.bytes
int
source.domain
text
source.geo.city_name
text
source.geo.continent_code
text
source.geo.country_code
text
source.geo.country_name
text
source.geo.location.lat
geopoint
source.geo.location.lon
geopoint
source.geo.region_name
text
source.ip
ip
source.locality
text
source.mac
text
source.nat.ip
ip
source.nat.port
int
source.packets
int
source.port
int
source.user.email
text
source.user.group.name
text
source.user.id
text
source.user.name
text
threat.indicator.file.hash.sha256
text
threat.indicator.file.name
text
threat.indicator.reference
text
threatintel.days
int
threatintel.entity
text
threatintel.event_data
text
threatintel.lookup
text
threatintel.malware.malware
text
threatintel.malware.timestamp
date/time
threatintel.severity
text
threatintel.tags
text
threatintel.white_list
text
url.domain
text
url.original
text
url.original.text
text
user_agent.name
text
user_agent.original
text
user.name
text
uuid
text
vulnerability.id
text