Parsers and Generated Fields
Tag Fields Created by Parser aws-vpcflow
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-vpcflow
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.start | @timestamp | Event timestamp in UTC | Parsed from Vendor.start using unixtime format |
| Vendor.account-id | cloud.account.id | AWS account identifier | Extracted using getField from Vendor.account-id |
| Vendor.dstaddr | destination.address | Destination IP address | Copied from Vendor.dstaddr |
| Vendor.dstaddr (indirect) | destination.ip | Destination IP address | Conditionally set from destination.address using CIDR validation |
| Vendor.dstport | destination.port | Destination port number | Copied from Vendor.dstport |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.log-status | error.message | Error message for failed logs | Lowercase transformation of Vendor.log-status when not OK |
| Vendor.action | event.action | Network action taken | Lowercase transformation of Vendor.action |
| None | event.category[] | Event category array | Array populated with network |
| Vendor.end | event.end | Event end time | Copied from Vendor.end |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module name | Static value: vpcflow |
| Vendor.action | event.outcome | Event outcome | Mapped based on action: success for accept, failure for reject |
| Vendor.start | event.start | Event start time | Copied from Vendor.start |
| Vendor.action | event.type[] | Event type classification | Array populated with connection, and conditionally allowed/denied |
| Vendor.bytes | network.bytes | Total bytes transferred | Copied from Vendor.bytes |
| Vendor.protocol | network.iana_number | IANA protocol number | Copied from Vendor.protocol |
| Vendor.packets | network.packets | Total packets transferred | Copied from Vendor.packets |
| Vendor.protocol (indirect) | network.transport | Transport protocol name | Mapped from network.iana_number using protocol lookup |
| Vendor.interface-id | observer.ingress.interface.id | Network interface identifier | Extracted using getField from Vendor.interface-id |
| Vendor.srcaddr | source.address | Source IP address | Copied from Vendor.srcaddr |
| Vendor.srcaddr (indirect) | source.ip | Source IP address | Conditionally set from source.address using CIDR validation |
| Vendor.srcport | source.port | Source port number | Copied from Vendor.srcport |
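The mapping in the table above, carried through on constructed records as an added example (not the parser's own code). It assumes the default VPC Flow Log column order, a small IANA protocol lookup in place of the parser's full table, and Python's `ipaddress` module for the CIDR validation step.

```python
import ipaddress
from datetime import datetime, timezone

# Default AWS VPC Flow Log (version 2) column order; assumed for this example.
COLUMNS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
           "protocol packets bytes start end action log-status").split()
IANA_TRANSPORT = {"1": "icmp", "6": "tcp", "17": "udp", "58": "ipv6-icmp"}  # assumed subset
ACTION = {"accept": ("success", "allowed"), "reject": ("failure", "denied")}  # outcome, type

def _valid_ip(value):
    # The CIDR validation step: only a well-formed address is promoted to *.ip.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_vpcflow(line):
    # Map one raw record to the CPS/ECS fields in the table above. NODATA and
    # SKIPDATA records carry "-" in the per-flow columns, which are left unmapped.
    v = dict(zip(COLUMNS, line.split()))
    ecs = {
        "@timestamp": datetime.fromtimestamp(int(v["start"]), tz=timezone.utc).isoformat(),
        "cloud.account.id": v["account-id"],
        "ecs.version": "9.2.0", "event.category": ["network"],
        "event.kind": "event", "event.module": "vpcflow",
        "event.start": v["start"], "event.end": v["end"],
        "event.type": ["connection"],
        "observer.ingress.interface.id": v["interface-id"],
    }
    if v["log-status"] != "OK":
        ecs["error.message"] = v["log-status"].lower()
    action = v["action"].lower()
    if action in ACTION:  # "accept" / "reject"; "-" on NODATA/SKIPDATA records
        ecs["event.action"] = action
        ecs["event.outcome"], extra = ACTION[action]
        ecs["event.type"].append(extra)
    for col, prefix in (("srcaddr", "source"), ("dstaddr", "destination")):
        if v[col] != "-":
            ecs[f"{prefix}.address"] = v[col]
            if _valid_ip(v[col]):
                ecs[f"{prefix}.ip"] = v[col]
    for col, field, conv in (("srcport", "source.port", int), ("dstport", "destination.port", int),
                             ("bytes", "network.bytes", int), ("packets", "network.packets", int),
                             ("protocol", "network.iana_number", str)):
        if v[col] != "-":
            ecs[field] = conv(v[col])
    if v["protocol"] in IANA_TRANSPORT:
        ecs["network.transport"] = IANA_TRANSPORT[v["protocol"]]
    return ecs
```

Feeding a NODATA record through shows why the per-flow columns are guarded: every address, port and counter is "-", and only the timestamps, account, interface and error.message should come out the other side.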