Parsers and Generated Fields
Tag Fields Created by Parser aws-waf
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser aws-waf
| Vendor Field | CPS Field | Description |
|---|---|---|
| `event.category[]` | Array | None |
| `event.type[]` | Array | None |
| `event.action` | Copied | Vendor.action |
| `http.request.id` | Copied | Vendor.httpRequest.requestId |
| `http.request.method` | Copied | Vendor.httpRequest.httpMethod |
| `rule.category` | Copied | Vendor.terminatingRuleType |
| `rule.id` | Copied | Vendor.terminatingRuleId |
| `rule.ruleset` | Copied | Vendor.webaclId |
| `source.domain` | Copied | source.address |
| `source.geo.country_iso_code` | Copied | Vendor.httpRequest.country |
| `source.ip` | Copied | source.address |
| `source.nat.ip` | Copied | Vendor.httpRequest.clientIp |
| `tls.client.ja3` | Copied | Vendor.ja3Fingerprint |
| `url.path` | Copied | Vendor.httpRequest.uri |
| `url.query` | Copied | Vendor.httpRequest.args |
| `url.scheme` | Copied | Vendor.httpRequest.scheme |
| `cloud.account.id` | Extracted | Vendor.webaclId |
| `cloud.region` | Extracted | Vendor.webaclId |
| `http.request.referrer` | Extracted | Vendor.httpRequest.headers[] |
| `http.version` | Extracted | Vendor.httpRequest.httpVersion |
| `network.protocol` | Extracted | Vendor.httpRequest.httpVersion |
| `rule.name` | Extracted | Vendor.webaclId |
| `source.address` | Extracted | Vendor.httpRequest.headers[], Vendor.httpRequest.clientIp |
| `url.domain` | Extracted | Vendor.httpRequest.headers[] |
| `url.port` | Extracted | Vendor.httpRequest.headers[] |
| `user_agent.original` | Extracted | Vendor.httpRequest.headers[] |
| `@timestamp` | Parsed | Vendor.timestamp |
| `cloud.service.name` | Static | Vendor.httpSourceName |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `event.outcome` | Static | event.action |
| `network.transport` | Static | network.protocol |
| Vendor.httpRequest.requestId | http.request.id | |
| Vendor.httpRequest.httpMethod | http.request.method | |
| Vendor.terminatingRuleType | rule.category | |
| Vendor.terminatingRuleId | rule.id | |
| Vendor.webaclId | rule.ruleset | |
| Vendor.httpRequest.country | source.geo.country_iso_code | |
| Vendor.ja3Fingerprint | tls.client.ja3 | |
| Vendor.httpRequest.uri | url.path | |
| Vendor.httpRequest.args | url.query | |
| Vendor.httpRequest.scheme | url.scheme |