# Parsers and Generated Fields

## Tag Fields Created by Parser aws-waf

- Cps.version
- Vendor
- ecs.version
- event.dataset
- event.kind
- event.module
- event.outcome
- observer.type

## Fields Identified by Parser aws-waf

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.timestamp | @timestamp | Event timestamp | Parsed from Vendor.timestamp using milliseconds format |
| Vendor.webaclId | cloud.account.id | AWS account ID | Extracted from Vendor.webaclId using regex pattern |
| Vendor.webaclId | cloud.region | AWS region | Extracted from Vendor.webaclId using regex pattern for regional WebACLs |
| Vendor.httpSourceName | cloud.service.name | AWS service name | Static value based on Vendor.httpSourceName match (apigateway, cloudfront, elbv2) |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.action | event.action | Action taken by WAF | Copied from Vendor.action and converted to lowercase |
| None | event.category[] | Event categorization | Array populated with ["web"] |
| None | event.kind | Event kind classification | Static value: event |
| None | event.module | Module identifier | Static value: waf |
| event.action | event.outcome | Event outcome | Static value based on event.action match (success for allow, failure for block) |
| None | event.type[] | Event type classification | Array populated with ["access"] |
| Vendor.httpRequest.requestId | http.request.id | Unique request identifier | Copied from Vendor.httpRequest.requestId |
| Vendor.httpRequest.httpMethod | http.request.method | HTTP method used | Copied from Vendor.httpRequest.httpMethod |
| Vendor.httpRequest.headers[] | http.request.referrer | HTTP referrer | Extracted from the Referer header |
| Vendor.httpRequest.httpVersion | http.version | HTTP version | Extracted from Vendor.httpRequest.httpVersion using regex pattern |
| Vendor.httpRequest.httpVersion | network.protocol | Network protocol | Extracted from Vendor.httpRequest.httpVersion using regex pattern and converted to lowercase |
| network.protocol | network.transport | Network transport protocol | Static value: tcp (when network.protocol is http) |
| Vendor.terminatingRuleType | rule.category | WAF rule category | Copied from Vendor.terminatingRuleType |
| Vendor.terminatingRuleId | rule.id | WAF rule identifier | Copied from Vendor.terminatingRuleId |
| Vendor.webaclId | rule.name | WebACL rule name | Extracted from Vendor.webaclId using regex pattern |
| Vendor.webaclId | rule.ruleset | WAF WebACL ARN | Copied from Vendor.webaclId |
| Vendor.httpRequest.headers[], Vendor.httpRequest.clientIp | source.address | Source address with X-Forwarded-For priority | Extracted from X-Forwarded-For header or copied from Vendor.httpRequest.clientIp |
| source.address | source.domain | Source domain name | Copied from source.address when not a valid IP |
| Vendor.httpRequest.country | source.geo.country_iso_code | Country code of client IP | Copied from Vendor.httpRequest.country |
| source.address | source.ip | Source IP address | Copied from source.address when valid IP |
| Vendor.httpRequest.clientIp | source.nat.ip | NAT IP address | Copied from Vendor.httpRequest.clientIp when X-Forwarded-For is present |
| Vendor.ja3Fingerprint | tls.client.ja3 | JA3 TLS fingerprint | Copied from Vendor.ja3Fingerprint |
| Vendor.httpRequest.headers[] | url.domain | URL domain | Extracted from Host header |
| Vendor.httpRequest.uri | url.path | Request URI path | Copied from Vendor.httpRequest.uri |
| Vendor.httpRequest.headers[] | url.port | URL port | Extracted from Host header when port is present |
| Vendor.httpRequest.args | url.query | URL query parameters | Copied from Vendor.httpRequest.args |
| Vendor.httpRequest.scheme | url.scheme | URL scheme | Copied from Vendor.httpRequest.scheme |
| Vendor.httpRequest.headers[] | user_agent.original | Original user agent string | Extracted from User-Agent header |
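As an added illustration, not the parser's own code, the Python below re-implements the core of the table above on a constructed AWS WAF record. The ARN regex for Vendor.webaclId and the first-hop X-Forwarded-For handling are assumptions, since the parser's actual patterns are not shown on this page.

```python
import ipaddress
import re
from datetime import datetime, timezone
# Constructed sample in the AWS WAF log layout; values are not real traffic.
SAMPLE = {
    "timestamp": 1700000000123,
    "webaclId": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/demo-acl/0123abcd",
    "action": "BLOCK",
    "httpRequest": {
        "clientIp": "203.0.113.10",
        "httpVersion": "HTTP/1.1",
        "headers": [
            {"name": "X-Forwarded-For", "value": "198.51.100.7, 203.0.113.10"},
        ],
    },
}
# Assumed ARN shape for webaclId; the parser's own regex is not on this page.
ACL_RE = re.compile(r"^arn:aws:wafv2:(?P<region>[^:]*):(?P<account>\d+):"
                    r"(?P<scope>regional|global)/webacl/(?P<name>[^/]+)/")

def header(req, name):
    """Case-insensitive lookup in the headers[] array; None when absent."""
    return next((h["value"] for h in req.get("headers", [])
                 if h["name"].lower() == name.lower()), None)

def map_waf_event(rec):
    req = rec["httpRequest"]
    out = {"@timestamp": datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc),
           "event.action": rec["action"].lower(), "rule.ruleset": rec["webaclId"]}
    if oc := {"allow": "success", "block": "failure"}.get(out["event.action"]):
        out["event.outcome"] = oc
    if m := ACL_RE.match(rec["webaclId"]):
        out["cloud.account.id"], out["rule.name"] = m["account"], m["name"]
        if m["scope"] == "regional":  # cloud.region only for regional WebACLs
            out["cloud.region"] = m["region"]
    if v := re.match(r"([A-Za-z]+)/([\d.]+)$", req.get("httpVersion", "")):
        out["network.protocol"], out["http.version"] = v[1].lower(), v[2]
        if out["network.protocol"] == "http":
            out["network.transport"] = "tcp"
    # X-Forwarded-For takes priority over clientIp (first hop). The header is
    # client-supplied, so clientIp is kept as source.nat.ip for correlation.
    xff = header(req, "X-Forwarded-For")
    addr = out["source.address"] = xff.split(",")[0].strip() if xff else req["clientIp"]
    try:
        out["source.ip"] = str(ipaddress.ip_address(addr))
    except ValueError:
        out["source.domain"] = addr
    if xff:
        out["source.nat.ip"] = req["clientIp"]
    return out
```

Because source.ip can come from a client-supplied header, detections keyed on it should also carry source.nat.ip, which is the address the WAF actually observed.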