Parsers and Generated Fields
Tag Fields Created by Parser akamai-asec
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser akamai-asec
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.httpMessage.start | @timestamp | Event timestamp | Parsed from Vendor.httpMessage.start using unixtime format |
| source.address (indirect) | client.address | Client address | Copied from source.address |
| source.as.number (indirect) | client.as.number | Client autonomous system number | Copied from source.as.number |
| source.geo.city_name (indirect) | client.geo.city_name | Client city name | Copied from source.geo.city_name |
| source.geo.country_iso_code (indirect) | client.geo.country_iso_code | Client country ISO code | Copied from source.geo.country_iso_code |
| source.geo.region_iso_code (indirect) | client.geo.region_iso_code | Client region ISO code | Copied from source.geo.region_iso_code |
| source.ip (indirect) | client.ip | Client IP address | Copied from source.ip |
| Vendor.httpMessage.host | destination.address | Destination address | Copied from host field and converted to lowercase |
| destination.address (indirect) | destination.domain | Destination domain name | Copied from destination.address |
| Vendor.httpMessage.port | destination.port | Destination port number | Copied from Vendor.httpMessage.port |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.attackData.ruleActions.decoded | event.action | WAF action taken | Copied from decoded rule actions |
| None | event.category[] | Event category array | Array populated with network, web, intrusion_detection |
| Vendor.httpMessage.requestId | event.id | Unique event identifier | Copied from Vendor.httpMessage.requestId |
| None | event.kind | Event kind classification | Static value: event |
| None | event.module | Event module name | Static value: asec |
| None | event.outcome | Event outcome status | Static value: success |
| event.action, http.response.status_code | event.type[] | Event type array with dynamic values | Fixed values connection and access, plus additional values that depend on event.action and http.response.status_code |
| Vendor.httpMessage.requestHeaders.Content-Length | http.request.bytes | HTTP request size in bytes | Extracted from parsed request headers |
| Vendor.httpMessage.requestId | http.request.id | HTTP request identifier | Copied from Vendor.httpMessage.requestId |
| Vendor.httpMessage.method | http.request.method | HTTP request method | Copied from Vendor.httpMessage.method |
| Vendor.httpMessage.requestHeaders.Content-Type | http.request.mime_type | HTTP request content type | Extracted from parsed request headers |
| Vendor.httpMessage.requestHeaders.Referer | http.request.referrer | HTTP request referrer | Extracted from parsed request headers |
| Vendor.httpMessage.bytes | http.response.bytes | HTTP response size in bytes | Copied from Vendor.httpMessage.bytes |
| Vendor.httpMessage.responseHeaders.Content-Type | http.response.mime_type | HTTP response content type | Extracted from parsed response headers |
| Vendor.httpMessage.status | http.response.status_code | HTTP response status code | Copied from Vendor.httpMessage.status |
| Vendor.httpMessage.protocol | http.version | HTTP version | Extracted from protocol field or set to 2.0 for h2 |
| Vendor.httpMessage.bytes | network.bytes | Network bytes transferred | Copied from Vendor.httpMessage.bytes |
| Vendor.httpMessage.protocol | network.protocol | Network protocol | Extracted from protocol field and converted to lowercase |
| source.address (indirect) | network.type | Network address type | Set to ipv4 or ipv6 according to the address family detected for source.address |
| Vendor.attackData.ruleTags.decoded | rule.category | Security rule category | Copied from decoded rule tags |
| Vendor.attackData.rules.decoded | rule.id | Security rule identifier | Copied from decoded rules |
| Vendor.attackData.ruleMessages.decoded | rule.name | Security rule name | Copied from decoded rule messages |
| Vendor.attackData.ruleVersions.decoded | rule.version | Security rule version | Copied from decoded rule versions |
| destination.address (indirect) | server.address | Server address | Copied from destination.address |
| destination.domain (indirect) | server.domain | Server domain name | Copied from destination.domain |
| destination.port (indirect) | server.port | Server port number | Copied from destination.port |
| Vendor.attackData.clientIP | source.address | Source IP address | Copied from client IP and converted to lowercase |
| Vendor.geo.asn | source.as.number | Source autonomous system number | Copied from Vendor.geo.asn |
| Vendor.geo.city | source.geo.city_name | Source city name | Copied from Vendor.geo.city |
| Vendor.geo.country | source.geo.country_iso_code | Source country ISO code | Copied from Vendor.geo.country |
| source.geo.country_iso_code, Vendor.geo.regionCode | source.geo.region_iso_code | Source region ISO code | Formatted as country-region when both exist |
| source.address (indirect) | source.ip | Source IP address | Set to source.address only when it parses as a valid IP address |
| Vendor.httpMessage.tls | tls.version | TLS version number | Extracted from TLS field using regex pattern |
| Vendor.httpMessage.tls | tls.version_protocol | TLS protocol name | Extracted from TLS field using regex pattern |
| Vendor.httpMessage.host | url.domain | URL domain name | Copied from host field and converted to lowercase |
| Vendor.httpMessage.path | url.path | URL path component | Copied from Vendor.httpMessage.path |
| Vendor.httpMessage.port | url.port | URL port number | Copied from Vendor.httpMessage.port |
| Vendor.httpMessage.query | url.query | URL query string | Copied from Vendor.httpMessage.query |
| Vendor.httpMessage.requestHeaders.User-Agent | user_agent.original | Original user agent string | Extracted from parsed request headers |