Parsers and Generated Fields
Tag Fields Created by Parser aws-fsx

- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type

Fields Identified by Parser aws-fsx

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.Event.System.TimeCreated._SystemTime | @timestamp | Event timestamp | Parsed from Vendor.Event.System.TimeCreated._SystemTime using parseTimestamp() |
| Vendor.Event.EventData.IpAddress | client.ip | Client IP address | Copied from Vendor.Event.EventData.IpAddress |
| Vendor.Event.EventData.IpPort | client.port | Client port number | Copied from Vendor.Event.EventData.IpPort |
| None | ecs.version | ECS schema version | Static value: 8.17.0 |
| Vendor.Event.System.EventID (indirect) | event.action | Human readable event action | Mapped based on event.id using match conditions |
| None | event.category[] | Event category array | Array populated with ["file"] |
| Vendor.Event.System.EventID | event.id | Windows event ID | Copied from Vendor.Event.System.EventID |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Event module identifier | Static value: fsx |
| None | event.type[] | Event type array | Array populated with ["info"] |
| Vendor.Event.EventData.ObjectName (indirect) | file.extension | File extension | Extracted from file.name using regex pattern |
| Vendor.Event.EventData.ObjectName (indirect) | file.name | File name | Extracted from file.path using regex pattern |
| Vendor.Event.EventData.ObjectName | file.path | File path | Copied from Vendor.Event.EventData.ObjectName |
| Vendor.Event.EventData.ObjectType | file.type | File object type | Copied from Vendor.Event.EventData.ObjectType |
| Vendor.Event.System.Execution._ProcessID | process.pid | Process identifier | Copied from Vendor.Event.System.Execution._ProcessID |
| Vendor.Event.System.Execution._ThreadID | process.thread.id | Thread identifier | Copied from Vendor.Event.System.Execution._ThreadID |
| Vendor.Event.EventData.SubjectDomainName | user.domain | User domain name | Transformed from Vendor.Event.EventData.SubjectDomainName using lower() |
| Vendor.Event.EventData.SubjectUserSid | user.id | User security identifier | Copied from Vendor.Event.EventData.SubjectUserSid |
| Vendor.Event.EventData.SubjectUserName | user.name | Username | Copied from Vendor.Event.EventData.SubjectUserName |