--- title: Sophos fields description: sophos Module Module for parsing sophosxg syslog. url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/exported-fields-sophos products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Sophos fields sophos Module ## sophos.xg - Elastic Stack: Beta Module for parsing sophosxg syslog. Event Action type: keyword Web policy activity that matched and caused the policy result. type: keyword Access Point Serial ID or LocalWifi0 or LocalWifi1. type: keyword Name of the category under which application falls type: keyword Application filter policy ID applied on the traffic type: keyword Application is Cloud type: keyword Application name type: keyword Application is resolved by signature or synchronized application type: keyword Risk level assigned to the application type: keyword Technology of the application type: keyword Application Filter policy applied on the traffic type: integer Application name type: keyword Application is resolved by signature or synchronized application type: keyword Application Filter policy applied on the traffic type: integer Application name type: keyword Risk level assigned to the application type: keyword Technology of the application type: keyword Technology of the application type: keyword Auth Client type: keyword Auth mechanism type: keyword Malware scanning policy name which is applied on the traffic type: keyword Backup mode type: keyword Branch Name type: keyword IPS signature category. type: keyword Type of category under which website falls type: keyword Signature classification type: keyword Client host name type: keyword Client physical address type: keyword Number of client connected to the SSID. type: long collisions type: long Event Start/Stop type: keyword Unique identifier of connection type: integer Configuration type: float Unique identifier of connection type: integer Connectionname type: keyword Connectiontype type: keyword Event on which this log is generated type: keyword Connection ID type: keyword Type of the content type: keyword Type of the content type: keyword Context Match type: keyword Content Prefix type: keyword Context Suffix type: keyword cookie type: keyword Date (yyyy-mm-dd) when the event occurred type: date Original destination IP address of traffic type: ip device type: keyword Serial number of the device type: keyword Model number of the device type: keyword Model number of the device type: keyword Dictionary Name type: keyword TPacket direction. Possible values:“org”, “reply”, “” type: keyword Direction type: keyword Domain from which virus was downloaded type: keyword Download file name type: keyword Download file type type: keyword Code of the country to which the destination IP belongs type: keyword Receiver domain name type: keyword Original destination IP address of traffic type: ip Original destination port of TCP and UDP traffic type: integer Type of destination zone type: keyword Destination Domain type: keyword Durability of traffic (seconds) type: long Email Subject type: keyword Endpoint UUID type: keyword ethernet frame type type: keyword ATP Evenet ID type: keyword Event time type: date ATP event type type: keyword List of the checks excluded by web exceptions. type: keyword ATP execution path type: keyword extra type: keyword Filename type: keyword File path type: keyword File Size type: integer File name associated with the event type: keyword Path of the file containing virus type: keyword Size of the file that contained virus type: integer free type: integer Sender email address type: keyword Direction of FTP transfer: Upload or Download type: keyword FTP URL from which virus was downloaded type: keyword FTP command used when virus was found type: keyword Firewall Rule ID which is applied on the traffic type: integer Firewall rule type which is applied on the traffic type: keyword Heartbeat status type: keyword Heartbeat status type: keyword Host type: keyword HTTP Category type: keyword HTTP Category Type type: keyword code of HTTP response type: long Internet Access policy ID applied on the traffic type: keyword ICMP code of ICMP traffic type: keyword ICMP type of ICMP traffic type: keyword idle ## type: float IPS policy ID which is applied on the traffic type: integer IPS policy name i.e. IPS policy name which is applied on the traffic type: keyword Interface for incoming traffic, e.g., Port A type: keyword interface type: keyword Ipaddress type: keyword IPS policy ID applied on the traffic type: integer Lease Time type: keyword Localgateway type: keyword Localnetwork type: keyword Component responsible for logging e.g. Firewall rule type: keyword Unique 12 characters code (0101011) type: keyword Sub type of event type: keyword Type of event e.g. firewall event type: keyword Log Version type: keyword ATP login user type: keyword mailid type: keyword mailsize type: integer Message type: keyword Mode type: keyword NAT Rule ID type: keyword Newversion type: keyword Oldversion type: keyword Interface for outgoing traffic, e.g., Port B type: keyword Override authorizer type: keyword Override name type: keyword Override token type: keyword PHP session ID type: keyword Platform of the traffic. type: keyword Policy type applied to the traffic type: keyword Severity level of traffic type: keyword Protocol number of traffic type: keyword Qualifier type: keyword Path and filename of the file quarantined type: keyword Quarantine reason type: keyword querystring type: keyword Raw data type: keyword Total number of packets received type: long received drops type: long received errors type: keyword received kbits type: long Total number of bytes received type: long RED ID type: keyword Referer type: keyword Remote IP type: ip remotenetwork type: keyword Reported Host type: keyword Reported IP type: keyword Reports type: float Priority of IPS policy type: keyword Total number of bytes sent type: long Total number of packets sent type: long Server type: keyword Sessionid type: keyword SHA1 checksum of the item being analyzed type: keyword Signature type: float Signature ID type: keyword Signature messsage type: keyword Site Category type: keyword Source type: keyword Original source IP address of traffic type: ip Spam Action type: keyword related SQLI caught by the WAF type: keyword Code of the country to which the source IP belongs type: keyword Sender domain name type: keyword Original source IP address of traffic type: ip Original source MAC address of traffic type: keyword Original source port of TCP and UDP traffic type: integer Type of source zone type: keyword Configured SSID name. type: keyword Start time type: date Starttime type: date Ultimate status of traffic – Allowed or Denied type: keyword Status code type: keyword Email subject type: keyword Syslog server name. type: keyword system type: float Platform of the traffic. type: keyword Temp type: float ATP threatname type: keyword timestamp type: date Time (hh:mm:ss) when the event occurred type: keyword Receipeint email address type: keyword Total Memory type: integer Translated destination IP address for outgoing traffic type: ip Translated destination port for outgoing traffic type: integer Translated source IP address for outgoing traffic type: ip Translated source port for outgoing traffic type: integer Transaction ID type: keyword Transaction ID of the AV scan. type: keyword transmitted drops type: long transmitted errors type: keyword transmitted kbits type: long unit type: keyword updatedip type: ip Upload file name type: keyword Upload file type type: keyword URL from which virus was downloaded type: keyword used type: integer Used Quota type: keyword User type: keyword system type: float Group name to which the user belongs. type: keyword Group name to which the user belongs type: keyword user_name type: keyword Number of users from System Health / Live User events. type: long Connection ID of the master connection type: integer virus name type: keyword Web policy ID type: keyword Website type: keyword related XSS caught by the WAF type: keyword