Parsers and Generated Fields

Tag Fields Created by Parser checkpoint-ngfw

  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser checkpoint-ngfw
Vendor FieldCPS FieldDescription
`email.bcc.address[]`ArrayVendor.bcc
`email.cc.address[]`ArrayVendor.cc
`email.from.address[]`Arraysource.user.email, Vendor.mime_from
`email.to.address[]`Arraydestination.user.email, Vendor.mime_to
`event.category[]`ArrayVarious vendor fields
`event.type[]`ArrayVarious vendor fields
`host.ip[]`ArrayVendor.endpoint_ip
`observer.ip[]`ArrayVendor.origin_ip, Vendor.endpoint_ip, Vendor.origin
`observer.mac[]`ArrayVendor.mac_address
`network.bytes`Calculatedsource.bytes, destination.bytes, Vendor.bytes
`destination.address`CopiedVendor.dst, Vendor.tls_server_host_name
`destination.bytes`CopiedVendor.server_outbound_bytes, Vendor.received_bytes
`destination.domain`CopiedVendor.destination_dns_hostname, Vendor.dst_machine_name, Vendor.http_host, Vendor.dst_domain_name
`destination.ip`Copieddestination.address
`destination.mac`CopiedVendor.mac_destination_address
`destination.nat.ip`CopiedVendor.xlatedst
`destination.nat.port`CopiedVendor.xlatedport, Vendor.xlatedport_svc
`destination.packets`CopiedVendor.server_outbound_packets
`destination.port`CopiedVendor.service, Vendor.svc, Vendor.dpt
`destination.user.email`CopiedVendor.to
`destination.user.id`CopiedVendor.usercheck_incident_uid
`destination.user.name`CopiedVendor.dst_user_name
`dns.question.name`CopiedVendor.domain_name
`dns.question.type`CopiedVendor.dns_type
`dns.type`CopiedVendor.dns_message_type
`email.delivery_timestamp`CopiedVendor.delivery_time
`email.local_id`CopiedVendor.email_queue_id
`email.message_id`CopiedVendor.email_message_id
`email.subject`CopiedVendor.email_subject
`event.end`CopiedVendor.last_detection, Vendor.lastupdatetime, Vendor.last_hit_time
`event.id`CopiedVendor.loguid
`event.reason`CopiedVendor.action_reason, Vendor.additional_info, Vendor.description, Vendor.information
`event.risk_score`CopiedVendor.app_risk, Vendor.cp_app_risk
`event.sequence`CopiedVendor.sequencenum
`event.start`CopiedVendor.start_time, Vendor.first_detection, Vendor.creation_time
`event.url`CopiedVendor.packet_capture
`file.hash.md5`CopiedVendor.file_md5
`file.hash.sha1`CopiedVendor.file_sha1
`file.hash.sha256`CopiedVendor.file_sha256
`file.inode`CopiedVendor.file_id
`file.name`CopiedVendor.file_name, Vendor.dlp_file_name
`file.size`CopiedVendor.file_size
`file.type`CopiedVendor.file_type
`group.name`CopiedVendor.user_group
`host.os.name`CopiedVendor.os_name
`host.os.version`CopiedVendor.os_version
`http.request.method`CopiedVendor.method, Vendor.requestMethod
`http.request.referrer`CopiedVendor.referrer
`network.application`CopiedVendor.application
`network.iana_number`CopiedVendor.proto
`network.name`CopiedVendor.layer_name
`network.packets`CopiedVendor.packets
`observer.egress.interface.name`CopiedVendor.server_outbound_interface, Vendor.client_outbound_interface, Vendor.ifname
`observer.egress.zone`CopiedVendor.outzone
`observer.ingress.interface.name`CopiedVendor.client_inbound_interface, Vendor.ifname
`observer.ingress.zone`CopiedVendor.inzone, Vendor.security_outzone
`observer.product`CopiedVendor.product
`observer.version`CopiedVendor.update_version
`process.hash.md5`CopiedVendor.process_md5
`process.name`CopiedVendor.process_name
`process.parent.hash.md5`CopiedVendor.parent_process_md5
`process.parent.name`CopiedVendor.parent_process_name
`rule.category`CopiedVendor.matched_category, Vendor.categories
`rule.description`CopiedVendor.malware_action
`rule.id`CopiedVendor.malware_rule_id, Vendor.app_rule_id
`rule.name`CopiedVendor.objectname, Vendor.rule_name, Vendor.malware_rule_name, Vendor.app_rule_name, Vendor.dlp_rule_name
`rule.ruleset`CopiedVendor.smartdefence_profile, Vendor.policy
`rule.uuid`CopiedVendor.rule_uid, Vendor.dlp_rule_uid
`source.address`CopiedVendor.src
`source.bytes`CopiedVendor.client_outbound_bytes, Vendor.sent_bytes
`source.domain`CopiedVendor.src_machine_name
`source.ip`CopiedVendor.src, Vendor.client_ip
`source.mac`CopiedVendor.mac_source_address
`source.nat.ip`CopiedVendor.xlatesrc, Vendor.proxy_src_ip
`source.nat.port`CopiedVendor.xlatesport, Vendor.xlatesport_svc
`source.packets`CopiedVendor.client_outbound_packets
`source.port`CopiedVendor.s_port, Vendor.spt, Vendor.sport_svc
`source.user.group.name`CopiedVendor.src_user_group
`source.user.id`CopiedVendor.uid
`source.user.name`CopiedVendor.administrator, Vendor.src_user_name
`tls.cipher`CopiedVendor.client_to_gateway_ciphers
`tls.version`CopiedVendor.client_to_gateway_tls_ver_
`transaction.id`CopiedVendor.session_uid
`url.domain`CopiedVendor.http_host
`url.original`CopiedVendor.url, Vendor.resource
`user.name`CopiedVendor.user
`user_agent.name`CopiedVendor.web_client_type
`user_agent.original`CopiedVendor.user_agent
`vulnerability.id`CopiedVendor.industry_reference
`network.protocol`DetectedVendor.protocol, Vendor.service_id
`event.outcome`DeterminedVendor.audit_status, Vendor.operation_results, Vendor.description
`observer.name`ExtractedVendor.originsicname
`source.user.email`ExtractedVendor.from
`event.dataset`GeneratedVendor.product
`event.action`MappedVendor.action, Vendor.act
`event.severity`MappedVendor.severity
`network.direction`MappedVendor.ifdir, Vendor.deviceDirection
`network.transport`Mappednetwork.iana_number
`@timestamp`ParsedVendor.time, ts, Vendor.rt
`ecs.version`StaticNone
`event.kind`StaticNone
`event.module`StaticNone
`observer.type`StaticNone
`observer.vendor`StaticNone
Vendor.mac_destination_addressdestination.mac 
Vendor.todestination.user.email 
Vendor.usercheck_incident_uiddestination.user.id 
Vendor.dst_user_namedestination.user.name 
Vendor.domain_namedns.question.name 
Vendor.dns_typedns.question.type 
Vendor.dns_message_typedns.type 
Vendor.delivery_timeemail.delivery_timestamp 
Vendor.email_queue_idemail.local_id 
Vendor.email_message_idemail.message_id 
Vendor.email_subjectemail.subject 
Vendor.loguidevent.id 
Vendor.sequencenumevent.sequence 
Vendor.packet_captureevent.url 
Vendor.file_idfile.inode 
Vendor.file_sizefile.size 
Vendor.file_typefile.type 
Vendor.user_groupgroup.name 
Vendor.os_namehost.os.name 
Vendor.os_versionhost.os.version 
Vendor.referrerhttp.request.referrer 
Vendor.bytesnetwork.bytes 
source.bytesnetwork.bytes 
Vendor.protonetwork.iana_number 
Vendor.layer_namenetwork.name 
Vendor.packetsnetwork.packets 
Vendor.protocolnetwork.protocol 
Vendor.outzoneobserver.egress.zone 
Vendor.client_inbound_interfaceobserver.ingress.interface.name 
Vendor.productobserver.product 
Vendor.update_versionobserver.version 
Vendor.process_nameprocess.name 
Vendor.parent_process_nameprocess.parent.name 
Vendor.malware_actionrule.description 
Vendor.srcsource.address 
Vendor.mac_source_addresssource.mac 
Vendor.client_outbound_packetssource.packets 
Vendor.src_user_groupsource.user.group.name 
Vendor.uidsource.user.id 
Vendor.client_to_gateway_cipherstls.cipher 
Vendor.client_to_gateway_tls_ver_tls.version 
Vendor.session_uidtransaction.id 
Vendor.useruser.name 
Vendor.web_client_typeuser_agent.name 
Vendor.user_agentuser_agent.original 
Vendor.industry_referencevulnerability.id