sophos fields

sophos Module

sophos

Module for parsing sophosxg syslog.

sophos.xg.device

device

type: keyword

sophos.xg.date

Date (yyyy-mm-dd) when the event occurred

type: date

sophos.xg.timezone

Time (hh:mm:ss) when the event occurred

type: keyword

sophos.xg.device_name

Model number of the device

type: keyword

sophos.xg.device_id

Serial number of the device

type: keyword

sophos.xg.log_id

Unique 12-character code (0101011)

type: keyword

sophos.xg.log_type

Type of event e.g. firewall event

type: keyword

sophos.xg.log_component

Component responsible for logging e.g. Firewall rule

type: keyword

sophos.xg.log_subtype

Sub type of event

type: keyword

sophos.xg.hb_health

Heartbeat status

type: keyword

sophos.xg.priority

Severity level of traffic

type: keyword

sophos.xg.status

Ultimate status of traffic – Allowed or Denied

type: keyword

sophos.xg.duration

Duration of traffic (seconds)

type: long

sophos.xg.fw_rule_id

Firewall Rule ID which is applied on the traffic

type: integer

sophos.xg.user_name

user_name

type: keyword

sophos.xg.user_group

Group name to which the user belongs

type: keyword

sophos.xg.iap

Internet Access policy ID applied on the traffic

type: keyword

sophos.xg.ips_policy_id

IPS policy ID applied on the traffic

type: integer

sophos.xg.policy_type

Policy type applied to the traffic

type: keyword

sophos.xg.appfilter_policy_id

Application Filter policy applied on the traffic

type: integer

sophos.xg.application_filter_policy

Application Filter policy applied on the traffic

type: integer

sophos.xg.application

Application name

type: keyword

sophos.xg.application_name

Application name

type: keyword

sophos.xg.application_risk

Risk level assigned to the application

type: keyword

sophos.xg.application_technology

Technology of the application

type: keyword

sophos.xg.application_category

Application is resolved by signature or synchronized application

type: keyword

sophos.xg.appresolvedby

Technology of the application

type: keyword

sophos.xg.app_is_cloud

Application is Cloud

type: keyword

sophos.xg.in_interface

Interface for incoming traffic, e.g., Port A

type: keyword

sophos.xg.out_interface

Interface for outgoing traffic, e.g., Port B

type: keyword

sophos.xg.src_ip

Original source IP address of traffic

type: ip

sophos.xg.src_mac

Original source MAC address of traffic

type: keyword

sophos.xg.src_country_code

Code of the country to which the source IP belongs

type: keyword

sophos.xg.dst_ip

Original destination IP address of traffic

type: ip

sophos.xg.dst_country_code

Code of the country to which the destination IP belongs

type: keyword

sophos.xg.protocol

Protocol number of traffic

type: keyword

sophos.xg.src_port

Original source port of TCP and UDP traffic

type: integer

sophos.xg.dst_port

Original destination port of TCP and UDP traffic

type: integer

sophos.xg.icmp_type

ICMP type of ICMP traffic

type: keyword

sophos.xg.icmp_code

ICMP code of ICMP traffic

type: keyword

sophos.xg.sent_pkts

Total number of packets sent

type: long

sophos.xg.received_pkts

Total number of packets received

type: long

sophos.xg.sent_bytes

Total number of bytes sent

type: long

sophos.xg.recv_bytes

Total number of bytes received

type: long

sophos.xg.trans_src_ ip

Translated source IP address for outgoing traffic

type: ip

sophos.xg.trans_src_port

Translated source port for outgoing traffic

type: integer

sophos.xg.trans_dst_ip

Translated destination IP address for outgoing traffic

type: ip

sophos.xg.trans_dst_port

Translated destination port for outgoing traffic

type: integer

sophos.xg.srczonetype

Type of source zone, e.g., LAN

type: keyword

sophos.xg.srczone

Name of source zone

type: keyword

sophos.xg.dstzonetype

Type of destination zone, e.g., WAN

type: keyword

sophos.xg.dstzone

Name of destination zone

type: keyword

sophos.xg.dir_disp

Packet direction. Possible values: "org", "reply", ""

type: keyword

sophos.xg.connevent

Event on which this log is generated

type: keyword

sophos.xg.conn_id

Unique identifier of connection

type: integer

sophos.xg.vconn_id

Connection ID of the master connection

type: integer

sophos.xg.idp_policy_id

IPS policy ID which is applied on the traffic

type: integer

sophos.xg.idp_policy_name

IPS policy name, i.e. the name of the IPS policy applied on the traffic

type: keyword

sophos.xg.signature_id

Signature ID

type: keyword

sophos.xg.signature_msg

Signature message

type: keyword

sophos.xg.classification

Signature classification

type: keyword

sophos.xg.rule_priority

Priority of IPS policy

type: keyword

sophos.xg.platform

Platform of the traffic.

type: keyword

sophos.xg.category

IPS signature category.

type: keyword

sophos.xg.target

Platform of the traffic.

type: keyword

sophos.xg.eventid

ATP Event ID

type: keyword

sophos.xg.ep_uuid

Endpoint UUID

type: keyword

sophos.xg.threatname

ATP threatname

type: keyword

sophos.xg.sourceip

Original source IP address of traffic

type: ip

sophos.xg.destinationip

Original destination IP address of traffic

type: ip

sophos.xg.login_user

ATP login user

type: keyword

sophos.xg.eventtype

ATP event type

type: keyword

sophos.xg.execution_path

ATP execution path

type: keyword

sophos.xg.av_policy_name

Malware scanning policy name which is applied on the traffic

type: keyword

sophos.xg.from_email_address

Sender email address

type: keyword

sophos.xg.to_email_address

Recipient email address

type: keyword

sophos.xg.subject

Email subject

type: keyword

sophos.xg.mailsize

mailsize

type: integer

sophos.xg.virus

virus name

type: keyword

sophos.xg.FTP_url

FTP URL from which virus was downloaded

type: keyword

sophos.xg.FTP_direction

Direction of FTP transfer: Upload or Download

type: keyword

sophos.xg.filesize

Size of the file that contained virus

type: integer

sophos.xg.filepath

Path of the file containing virus

type: keyword

sophos.xg.filename

File name associated with the event

type: keyword

sophos.xg.ftpcommand

FTP command used when virus was found

type: keyword

sophos.xg.url

URL from which virus was downloaded

type: keyword

sophos.xg.domainname

Domain from which virus was downloaded

type: keyword

sophos.xg.quarantine

Path and filename of the file quarantined

type: keyword

sophos.xg.src_domainname

Sender domain name

type: keyword

sophos.xg.dst_domainname

Receiver domain name

type: keyword

sophos.xg.reason

Reason why the record was detected as spam/malicious

type: keyword

sophos.xg.referer

Referer

type: keyword

sophos.xg.spamaction

Spam Action

type: keyword

sophos.xg.mailid

mailid

type: keyword

sophos.xg.quarantine_reason

Quarantine reason

type: keyword

sophos.xg.status_code

Status code

type: keyword

sophos.xg.override_token

Override token

type: keyword

sophos.xg.con_id

Unique identifier of connection

type: integer

sophos.xg.override_authorizer

Override authorizer

type: keyword

sophos.xg.transactionid

Transaction ID of the AV scan.

type: keyword

sophos.xg.upload_file_type

Upload file type

type: keyword

sophos.xg.upload_file_name

Upload file name

type: keyword

sophos.xg.httpresponsecode

HTTP response code

type: long

sophos.xg.user_gp

Group name to which the user belongs.

type: keyword

sophos.xg.category_type

Type of category under which website falls

type: keyword

sophos.xg.download_file_type

Download file type

type: keyword

sophos.xg.exceptions

List of the checks excluded by web exceptions.

type: keyword

sophos.xg.contenttype

Type of the content

type: keyword

sophos.xg.override_name

Override name

type: keyword

sophos.xg.activityname

Web policy activity that matched and caused the policy result.

type: keyword

sophos.xg.download_file_name

Download file name

type: keyword

sophos.xg.sha1sum

SHA1 checksum of the item being analyzed

type: keyword

sophos.xg.message_id

Message ID

type: keyword

sophos.xg.connid

Connection ID

type: keyword

sophos.xg.message

Message

type: keyword

sophos.xg.email_subject

Email Subject

type: keyword

sophos.xg.file_path

File path

type: keyword

sophos.xg.dstdomain

Destination Domain

type: keyword

sophos.xg.file_size

File Size

type: integer

sophos.xg.transaction_id

Transaction ID

type: keyword

sophos.xg.website

Website

type: keyword

sophos.xg.file_name

Filename

type: keyword

sophos.xg.context_prefix

Content Prefix

type: keyword

sophos.xg.site_category

Site Category

type: keyword

sophos.xg.context_suffix

Context Suffix

type: keyword

sophos.xg.dictionary_name

Dictionary Name

type: keyword

sophos.xg.action

Event Action

type: keyword

sophos.xg.user

User

type: keyword

sophos.xg.context_match

Context Match

type: keyword

sophos.xg.direction

Direction

type: keyword

sophos.xg.auth_client

Auth Client

type: keyword

sophos.xg.auth_mechanism

Auth mechanism

type: keyword

sophos.xg.connectionname

Connectionname

type: keyword

sophos.xg.remotenetwork

remotenetwork

type: keyword

sophos.xg.localgateway

Localgateway

type: keyword

sophos.xg.localnetwork

Localnetwork

type: keyword

sophos.xg.connectiontype

Connectiontype

type: keyword

sophos.xg.oldversion

Oldversion

type: keyword

sophos.xg.newversion

Newversion

type: keyword

sophos.xg.ipaddress

Ipaddress

type: keyword

sophos.xg.client_physical_address

Client physical address

type: keyword

sophos.xg.client_host_name

Client host name

type: keyword

sophos.xg.raw_data

Raw data

type: keyword

sophos.xg.Mode

Mode

type: keyword

sophos.xg.sessionid

Sessionid

type: keyword

sophos.xg.starttime

Starttime

type: date

sophos.xg.remote_ip

Remote IP

type: ip

sophos.xg.timestamp

timestamp

type: date

sophos.xg.SysLog_SERVER_NAME

SysLog SERVER NAME

type: keyword

sophos.xg.backup_mode

Backup mode

type: keyword

sophos.xg.source

Source

type: keyword

sophos.xg.server

Server

type: keyword

sophos.xg.host

Host

type: keyword

sophos.xg.responsetime

Responsetime

type: long

sophos.xg.cookie

cookie

type: keyword

sophos.xg.querystring

querystring

type: keyword

sophos.xg.extra

extra

type: keyword

sophos.xg.PHPSESSID

PHPSESSID

type: keyword

sophos.xg.start_time

Start time

type: date

sophos.xg.eventtime

Event time

type: date

sophos.xg.red_id

RED ID

type: keyword

sophos.xg.branch_name

Branch Name

type: keyword

sophos.xg.updatedip

updatedip

type: ip

sophos.xg.idle_cpu

idle ##

type: float

sophos.xg.system_cpu

system

type: float

sophos.xg.user_cpu

system

type: float

sophos.xg.used

used

type: integer

sophos.xg.unit

unit

type: keyword

sophos.xg.total_memory

Total Memory

type: integer

sophos.xg.free

free

type: integer

sophos.xg.transmittederrors

transmitted errors

type: keyword

sophos.xg.receivederrors

received errors

type: keyword

sophos.xg.receivedkbits

received kbits

type: long

sophos.xg.transmittedkbits

transmitted kbits

type: long

sophos.xg.transmitteddrops

transmitted drops

type: long

sophos.xg.receiveddrops

received drops

type: long

sophos.xg.collisions

collisions

type: long

sophos.xg.interface

interface

type: keyword

sophos.xg.Configuration

Configuration

type: float

sophos.xg.Reports

Reports

type: float

sophos.xg.Signature

Signature

type: float

sophos.xg.Temp

Temp

type: float

sophos.xg.users

users

type: keyword

sophos.xg.ssid

ssid

type: keyword

sophos.xg.ap

ap

type: keyword

sophos.xg.clients_conn_ssid

clients connection ssid

type: keyword