Sophos fields
Stack
sophos Module
Stack
Module for parsing sophosxg syslog.
sophos.xg.action-
Event Action
type: keyword
sophos.xg.activityname-
Web policy activity that matched and caused the policy result.
type: keyword
sophos.xg.ap-
Access Point Serial ID or LocalWifi0 or LocalWifi1.
type: keyword
sophos.xg.app_category-
Name of the category under which application falls
type: keyword
sophos.xg.app_filter_policy_id-
Application filter policy ID applied on the traffic
type: keyword
sophos.xg.app_is_cloud-
Application is Cloud
type: keyword
sophos.xg.app_name-
Application name
type: keyword
sophos.xg.app_resolved_by-
Application is resolved by signature or synchronized application
type: keyword
sophos.xg.app_risk-
Risk level assigned to the application
type: keyword
sophos.xg.app_technology-
Technology of the application
type: keyword
sophos.xg.appfilter_policy_id-
Application Filter policy applied on the traffic
type: integer
sophos.xg.application-
Application name
type: keyword
sophos.xg.application_category-
Application is resolved by signature or synchronized application
type: keyword
sophos.xg.application_filter_policy-
Application Filter policy applied on the traffic
type: integer
sophos.xg.application_name-
Application name
type: keyword
sophos.xg.application_risk-
Risk level assigned to the application
type: keyword
sophos.xg.application_technology-
Technology of the application
type: keyword
sophos.xg.appresolvedby-
Technology of the application
type: keyword
sophos.xg.auth_client-
Auth Client
type: keyword
sophos.xg.auth_mechanism-
Auth mechanism
type: keyword
sophos.xg.av_policy_name-
Malware scanning policy name which is applied on the traffic
type: keyword
sophos.xg.backup_mode-
Backup mode
type: keyword
sophos.xg.branch_name-
Branch Name
type: keyword
sophos.xg.category-
IPS signature category.
type: keyword
sophos.xg.category_type-
Type of category under which website falls
type: keyword
sophos.xg.classification-
Signature classification
type: keyword
sophos.xg.client_host_name-
Client host name
type: keyword
sophos.xg.client_physical_address-
Client physical address
type: keyword
sophos.xg.clients_conn_ssid-
Number of client connected to the SSID.
type: long
sophos.xg.collisions-
collisions
type: long
sophos.xg.con_event-
Event Start/Stop
type: keyword
sophos.xg.con_id-
Unique identifier of connection
type: integer
sophos.xg.configuration-
Configuration
type: float
sophos.xg.conn_id-
Unique identifier of connection
type: integer
sophos.xg.connectionname-
Connectionname
type: keyword
sophos.xg.connectiontype-
Connectiontype
type: keyword
sophos.xg.connevent-
Event on which this log is generated
type: keyword
sophos.xg.connid-
Connection ID
type: keyword
sophos.xg.content_type-
Type of the content
type: keyword
sophos.xg.contenttype-
Type of the content
type: keyword
sophos.xg.context_match-
Context Match
type: keyword
sophos.xg.context_prefix-
Content Prefix
type: keyword
sophos.xg.context_suffix-
Context Suffix
type: keyword
sophos.xg.cookie-
cookie
type: keyword
sophos.xg.date-
Date (yyyy-mm-dd) when the event occurred
type: date
sophos.xg.destinationip-
Original destination IP address of traffic
type: ip
sophos.xg.device-
device
type: keyword
sophos.xg.device_id-
Serial number of the device
type: keyword
sophos.xg.device_model-
Model number of the device
type: keyword
sophos.xg.device_name-
Model number of the device
type: keyword
sophos.xg.dictionary_name-
Dictionary Name
type: keyword
sophos.xg.dir_disp-
TPacket direction. Possible values:“org”, “reply”, “”
type: keyword
sophos.xg.direction-
Direction
type: keyword
sophos.xg.domainname-
Domain from which virus was downloaded
type: keyword
sophos.xg.download_file_name-
Download file name
type: keyword
sophos.xg.download_file_type-
Download file type
type: keyword
sophos.xg.dst_country_code-
Code of the country to which the destination IP belongs
type: keyword
sophos.xg.dst_domainname-
Receiver domain name
type: keyword
sophos.xg.dst_ip-
Original destination IP address of traffic
type: ip
sophos.xg.dst_port-
Original destination port of TCP and UDP traffic
type: integer
sophos.xg.dst_zone_type-
Type of destination zone
type: keyword
sophos.xg.dstdomain-
Destination Domain
type: keyword
sophos.xg.duration-
Durability of traffic (seconds)
type: long
sophos.xg.email_subject-
Email Subject
type: keyword
sophos.xg.ep_uuid-
Endpoint UUID
type: keyword
sophos.xg.ether_type-
ethernet frame type
type: keyword
sophos.xg.eventid-
ATP Evenet ID
type: keyword
sophos.xg.eventtime-
Event time
type: date
sophos.xg.eventtype-
ATP event type
type: keyword
sophos.xg.exceptions-
List of the checks excluded by web exceptions.
type: keyword
sophos.xg.execution_path-
ATP execution path
type: keyword
sophos.xg.extra-
extra
type: keyword
sophos.xg.file_name-
Filename
type: keyword
sophos.xg.file_path-
File path
type: keyword
sophos.xg.file_size-
File Size
type: integer
sophos.xg.filename-
File name associated with the event
type: keyword
sophos.xg.filepath-
Path of the file containing virus
type: keyword
sophos.xg.filesize-
Size of the file that contained virus
type: integer
sophos.xg.free-
free
type: integer
sophos.xg.from_email_address-
Sender email address
type: keyword
sophos.xg.ftp_direction-
Direction of FTP transfer: Upload or Download
type: keyword
sophos.xg.ftp_url-
FTP URL from which virus was downloaded
type: keyword
sophos.xg.ftpcommand-
FTP command used when virus was found
type: keyword
sophos.xg.fw_rule_id-
Firewall Rule ID which is applied on the traffic
type: integer
sophos.xg.fw_rule_type-
Firewall rule type which is applied on the traffic
type: keyword
sophos.xg.hb_health-
Heartbeat status
type: keyword
sophos.xg.hb_status-
Heartbeat status
type: keyword
sophos.xg.host-
Host
type: keyword
sophos.xg.http_category-
HTTP Category
type: keyword
sophos.xg.http_category_type-
HTTP Category Type
type: keyword
sophos.xg.httpresponsecode-
code of HTTP response
type: long
sophos.xg.iap-
Internet Access policy ID applied on the traffic
type: keyword
sophos.xg.icmp_code-
ICMP code of ICMP traffic
type: keyword
sophos.xg.icmp_type-
ICMP type of ICMP traffic
type: keyword
sophos.xg.idle_cpu-
idle ##
type: float
sophos.xg.idp_policy_id-
IPS policy ID which is applied on the traffic
type: integer
sophos.xg.idp_policy_name-
IPS policy name i.e. IPS policy name which is applied on the traffic
type: keyword
sophos.xg.in_interface-
Interface for incoming traffic, e.g., Port A
type: keyword
sophos.xg.interface-
interface
type: keyword
sophos.xg.ipaddress-
Ipaddress
type: keyword
sophos.xg.ips_policy_id-
IPS policy ID applied on the traffic
type: integer
sophos.xg.lease_time-
Lease Time
type: keyword
sophos.xg.localgateway-
Localgateway
type: keyword
sophos.xg.localnetwork-
Localnetwork
type: keyword
sophos.xg.log_component-
Component responsible for logging e.g. Firewall rule
type: keyword
sophos.xg.log_id-
Unique 12 characters code (0101011)
type: keyword
sophos.xg.log_subtype-
Sub type of event
type: keyword
sophos.xg.log_type-
Type of event e.g. firewall event
type: keyword
sophos.xg.log_version-
Log Version
type: keyword
sophos.xg.login_user-
ATP login user
type: keyword
sophos.xg.mailid-
mailid
type: keyword
sophos.xg.mailsize-
mailsize
type: integer
sophos.xg.message-
Message
type: keyword
sophos.xg.mode-
Mode
type: keyword
sophos.xg.nat_rule_id-
NAT Rule ID
type: keyword
sophos.xg.newversion-
Newversion
type: keyword
sophos.xg.oldversion-
Oldversion
type: keyword
sophos.xg.out_interface-
Interface for outgoing traffic, e.g., Port B
type: keyword
sophos.xg.override_authorizer-
Override authorizer
type: keyword
sophos.xg.override_name-
Override name
type: keyword
sophos.xg.override_token-
Override token
type: keyword
sophos.xg.phpsessid-
PHP session ID
type: keyword
sophos.xg.platform-
Platform of the traffic.
type: keyword
sophos.xg.policy_type-
Policy type applied to the traffic
type: keyword
sophos.xg.priority-
Severity level of traffic
type: keyword
sophos.xg.protocol-
Protocol number of traffic
type: keyword
sophos.xg.qualifier-
Qualifier
type: keyword
sophos.xg.quarantine-
Path and filename of the file quarantined
type: keyword
sophos.xg.quarantine_reason-
Quarantine reason
type: keyword
sophos.xg.querystring-
querystring
type: keyword
sophos.xg.raw_data-
Raw data
type: keyword
sophos.xg.received_pkts-
Total number of packets received
type: long
sophos.xg.receiveddrops-
received drops
type: long
sophos.xg.receivederrors-
received errors
type: keyword
sophos.xg.receivedkbits-
received kbits
type: long
sophos.xg.recv_bytes-
Total number of bytes received
type: long
sophos.xg.red_id-
RED ID
type: keyword
sophos.xg.referer-
Referer
type: keyword
sophos.xg.remote_ip-
Remote IP
type: ip
sophos.xg.remotenetwork-
remotenetwork
type: keyword
sophos.xg.reported_host-
Reported Host
type: keyword
sophos.xg.reported_ip-
Reported IP
type: keyword
sophos.xg.reports-
Reports
type: float
sophos.xg.rule_priority-
Priority of IPS policy
type: keyword
sophos.xg.sent_bytes-
Total number of bytes sent
type: long
sophos.xg.sent_pkts-
Total number of packets sent
type: long
sophos.xg.server-
Server
type: keyword
sophos.xg.sessionid-
Sessionid
type: keyword
sophos.xg.sha1sum-
SHA1 checksum of the item being analyzed
type: keyword
sophos.xg.signature-
Signature
type: float
sophos.xg.signature_id-
Signature ID
type: keyword
sophos.xg.signature_msg-
Signature messsage
type: keyword
sophos.xg.site_category-
Site Category
type: keyword
sophos.xg.source-
Source
type: keyword
sophos.xg.sourceip-
Original source IP address of traffic
type: ip
sophos.xg.spamaction-
Spam Action
type: keyword
sophos.xg.sqli-
related SQLI caught by the WAF
type: keyword
sophos.xg.src_country_code-
Code of the country to which the source IP belongs
type: keyword
sophos.xg.src_domainname-
Sender domain name
type: keyword
sophos.xg.src_ip-
Original source IP address of traffic
type: ip
sophos.xg.src_mac-
Original source MAC address of traffic
type: keyword
sophos.xg.src_port-
Original source port of TCP and UDP traffic
type: integer
sophos.xg.src_zone_type-
Type of source zone
type: keyword
sophos.xg.ssid-
Configured SSID name.
type: keyword
sophos.xg.start_time-
Start time
type: date
sophos.xg.starttime-
Starttime
type: date
sophos.xg.status-
Ultimate status of traffic – Allowed or Denied
type: keyword
sophos.xg.status_code-
Status code
type: keyword
sophos.xg.subject-
Email subject
type: keyword
sophos.xg.syslog_server_name-
Syslog server name.
type: keyword
sophos.xg.system_cpu-
system
type: float
sophos.xg.target-
Platform of the traffic.
type: keyword
sophos.xg.temp-
Temp
type: float
sophos.xg.threatname-
ATP threatname
type: keyword
sophos.xg.timestamp-
timestamp
type: date
sophos.xg.timezone-
Time (hh:mm:ss) when the event occurred
type: keyword
sophos.xg.to_email_address-
Receipeint email address
type: keyword
sophos.xg.total_memory-
Total Memory
type: integer
sophos.xg.trans_dst_ip-
Translated destination IP address for outgoing traffic
type: ip
sophos.xg.trans_dst_port-
Translated destination port for outgoing traffic
type: integer
sophos.xg.trans_src_ip-
Translated source IP address for outgoing traffic
type: ip
sophos.xg.trans_src_port-
Translated source port for outgoing traffic
type: integer
sophos.xg.transaction_id-
Transaction ID
type: keyword
sophos.xg.transactionid-
Transaction ID of the AV scan.
type: keyword
sophos.xg.transmitteddrops-
transmitted drops
type: long
sophos.xg.transmittederrors-
transmitted errors
type: keyword
sophos.xg.transmittedkbits-
transmitted kbits
type: long
sophos.xg.unit-
unit
type: keyword
sophos.xg.updatedip-
updatedip
type: ip
sophos.xg.upload_file_name-
Upload file name
type: keyword
sophos.xg.upload_file_type-
Upload file type
type: keyword
sophos.xg.url-
URL from which virus was downloaded
type: keyword
sophos.xg.used-
used
type: integer
sophos.xg.used_quota-
Used Quota
type: keyword
sophos.xg.user-
User
type: keyword
sophos.xg.user_cpu-
system
type: float
sophos.xg.user_gp-
Group name to which the user belongs.
type: keyword
sophos.xg.user_group-
Group name to which the user belongs
type: keyword
sophos.xg.user_name-
user_name
type: keyword
sophos.xg.users-
Number of users from System Health / Live User events.
type: long
sophos.xg.vconn_id-
Connection ID of the master connection
type: integer
sophos.xg.virus-
virus name
type: keyword
sophos.xg.web_policy_id-
Web policy ID
type: keyword
sophos.xg.website-
Website
type: keyword
sophos.xg.xss-
related XSS caught by the WAF
type: keyword