Parsers and Generated Fields
Tag Fields Created by Parser checkpoint-ngfw
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser checkpoint-ngfw
| Vendor Field | CPS Field | Description |
|---|---|---|
| `email.bcc.address[]` | Array | Vendor.bcc |
| `email.cc.address[]` | Array | Vendor.cc |
| `email.from.address[]` | Array | source.user.email, Vendor.mime_from |
| `email.to.address[]` | Array | destination.user.email, Vendor.mime_to |
| `event.category[]` | Array | Various vendor fields |
| `event.type[]` | Array | Various vendor fields |
| `host.ip[]` | Array | Vendor.endpoint_ip |
| `observer.ip[]` | Array | Vendor.origin_ip, Vendor.endpoint_ip, Vendor.origin |
| `observer.mac[]` | Array | Vendor.mac_address |
| `destination.address` | Copied | Vendor.dst |
| `destination.bytes` | Copied | Vendor.server_outbound_bytes, Vendor.received_bytes |
| `destination.domain` | Copied | Vendor.destination_dns_hostname, Vendor.dst_machine_name, Vendor.http_host |
| `destination.ip` | Copied | destination.address |
| `destination.mac` | Copied | Vendor.mac_destination_address |
| `destination.nat.ip` | Copied | Vendor.xlatedst |
| `destination.nat.port` | Copied | Vendor.xlatedport, Vendor.xlatedport_svc |
| `destination.packets` | Copied | Vendor.server_outbound_packets |
| `destination.port` | Copied | Vendor.service, Vendor.svc, Vendor.dpt |
| `destination.user.email` | Copied | Vendor.to |
| `destination.user.id` | Copied | Vendor.usercheck_incident_uid |
| `destination.user.name` | Copied | Vendor.dst_user_name |
| `dns.question.name` | Copied | Vendor.domain_name |
| `dns.question.type` | Copied | Vendor.dns_type |
| `dns.type` | Copied | Vendor.dns_message_type |
| `email.delivery_timestamp` | Copied | Vendor.delivery_time |
| `email.local_id` | Copied | Vendor.email_queue_id |
| `email.message_id` | Copied | Vendor.email_message_id |
| `email.subject` | Copied | Vendor.email_subject |
| `event.end` | Copied | Vendor.last_detection, Vendor.lastupdatetime, Vendor.last_hit_time |
| `event.id` | Copied | Vendor.loguid |
| `event.reason` | Copied | Vendor.description, Vendor.additional_info |
| `event.risk_score` | Copied | Vendor.app_risk, Vendor.cp_app_risk |
| `event.sequence` | Copied | Vendor.sequencenum |
| `event.start` | Copied | Vendor.start_time, Vendor.first_detection, Vendor.creation_time |
| `event.url` | Copied | Vendor.packet_capture |
| `file.hash.md5` | Copied | Vendor.file_md5 |
| `file.hash.sha1` | Copied | Vendor.file_sha1 |
| `file.hash.sha256` | Copied | Vendor.file_sha256 |
| `file.inode` | Copied | Vendor.file_id |
| `file.name` | Copied | Vendor.file_name, Vendor.dlp_file_name |
| `file.size` | Copied | Vendor.file_size |
| `file.type` | Copied | Vendor.file_type |
| `group.name` | Copied | Vendor.user_group |
| `host.os.name` | Copied | Vendor.os_name |
| `host.os.version` | Copied | Vendor.os_version |
| `http.request.method` | Copied | Vendor.method, Vendor.requestMethod |
| `http.request.referrer` | Copied | Vendor.referrer |
| `network.application` | Copied | Vendor.application |
| `network.bytes` | Copied | Vendor.bytes, source.bytes, destination.bytes |
| `network.iana_number` | Copied | Vendor.proto |
| `network.name` | Copied | Vendor.layer_name |
| `network.packets` | Copied | Vendor.packets |
| `observer.egress.interface.name` | Copied | Vendor.client_outbound_interface, Vendor.ifname |
| `observer.egress.zone` | Copied | Vendor.outzone |
| `observer.ingress.interface.name` | Copied | Vendor.client_inbound_interface, Vendor.ifname |
| `observer.ingress.zone` | Copied | Vendor.inzone, Vendor.security_outzone |
| `observer.product` | Copied | Vendor.product |
| `observer.version` | Copied | Vendor.update_version |
| `process.hash.md5` | Copied | Vendor.process_md5 |
| `process.name` | Copied | Vendor.process_name |
| `process.parent.hash.md5` | Copied | Vendor.parent_process_md5 |
| `process.parent.name` | Copied | Vendor.parent_process_name |
| `rule.category` | Copied | Vendor.matched_category, Vendor.categories |
| `rule.description` | Copied | Vendor.malware_action |
| `rule.id` | Copied | Vendor.malware_rule_id, Vendor.app_rule_id |
| `rule.name` | Copied | Vendor.objectname, Vendor.rule_name, Vendor.malware_rule_name, Vendor.app_rule_name, Vendor.dlp_rule_name |
| `rule.ruleset` | Copied | Vendor.smartdefence_profile, Vendor.policy |
| `rule.uuid` | Copied | Vendor.rule_uid, Vendor.dlp_rule_uid |
| `service.id` | Copied | Vendor.service_id |
| `service.name` | Copied | service.id |
| `source.address` | Copied | Vendor.src |
| `source.bytes` | Copied | Vendor.client_outbound_bytes, Vendor.sent_bytes |
| `source.domain` | Copied | Vendor.src_machine_name |
| `source.ip` | Copied | Vendor.src, Vendor.client_ip |
| `source.mac` | Copied | Vendor.mac_source_address |
| `source.nat.ip` | Copied | Vendor.xlatesrc, Vendor.proxy_src_ip |
| `source.nat.port` | Copied | Vendor.xlatesport, Vendor.xlatesport_svc |
| `source.packets` | Copied | Vendor.client_outbound_packets |
| `source.port` | Copied | Vendor.s_port, Vendor.spt, Vendor.sport_svc |
| `source.user.group.name` | Copied | Vendor.src_user_group |
| `source.user.id` | Copied | Vendor.uid |
| `source.user.name` | Copied | Vendor.administrator, Vendor.src_user_name |
| `transaction.id` | Copied | Vendor.session_uid |
| `url.domain` | Copied | Vendor.http_host |
| `url.original` | Copied | Vendor.url, Vendor.resource |
| `user.name` | Copied | Vendor.user |
| `user_agent.name` | Copied | Vendor.web_client_type |
| `user_agent.original` | Copied | Vendor.user_agent |
| `vulnerability.id` | Copied | Vendor.industry_reference |
| `network.protocol` | Detected | service.id |
| `event.outcome` | Determined | Vendor.audit_status, Vendor.operation_results |
| `observer.name` | Extracted | Vendor.originsicname |
| `source.user.email` | Extracted | Vendor.from |
| `event.dataset` | Generated | Vendor.product |
| `event.action` | Mapped | Vendor.action, Vendor.act |
| `event.severity` | Mapped | Vendor.severity |
| `network.direction` | Mapped | Vendor.ifdir, Vendor.deviceDirection |
| `network.transport` | Mapped | network.iana_number |
| `@timestamp` | Parsed | Vendor.time, ts, Vendor.rt |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.type` | Static | None |
| `observer.vendor` | Static | None |
| Vendor.dst | destination.address | |
| Vendor.mac_destination_address | destination.mac | |
| Vendor.server_outbound_packets | destination.packets | |
| Vendor.to | destination.user.email | |
| Vendor.usercheck_incident_uid | destination.user.id | |
| Vendor.dst_user_name | destination.user.name | |
| Vendor.domain_name | dns.question.name | |
| Vendor.dns_type | dns.question.type | |
| Vendor.dns_message_type | dns.type | |
| Vendor.delivery_time | email.delivery_timestamp | |
| Vendor.email_queue_id | email.local_id | |
| Vendor.email_message_id | email.message_id | |
| Vendor.email_subject | email.subject | |
| Vendor.loguid | event.id | |
| Vendor.additional_info | event.reason | |
| Vendor.description | event.reason | |
| Vendor.sequencenum | event.sequence | |
| Vendor.packet_capture | event.url | |
| Vendor.file_id | file.inode | |
| Vendor.file_size | file.size | |
| Vendor.file_type | file.type | |
| Vendor.user_group | group.name | |
| Vendor.os_name | host.os.name | |
| Vendor.os_version | host.os.version | |
| Vendor.referrer | http.request.referrer | |
| Vendor.bytes | network.bytes | |
| source.bytes | network.bytes | |
| Vendor.proto | network.iana_number | |
| Vendor.layer_name | network.name | |
| Vendor.packets | network.packets | |
| Vendor.server_outbound_interface | observer.egress.interface.name | |
| Vendor.outzone | observer.egress.zone | |
| Vendor.client_inbound_interface | observer.ingress.interface.name | |
| Vendor.product | observer.product | |
| Vendor.update_version | observer.version | |
| Vendor.process_name | process.name | |
| Vendor.parent_process_name | process.parent.name | |
| Vendor.malware_action | rule.description | |
| Vendor.service_id | service.id | |
| service.id | service.name | |
| Vendor.src | source.address | |
| Vendor.mac_source_address | source.mac | |
| Vendor.xlatesport | source.nat.port | |
| Vendor.xlatesport_svc | source.nat.port | |
| Vendor.client_outbound_packets | source.packets | |
| Vendor.src_user_group | source.user.group.name | |
| Vendor.uid | source.user.id | |
| Vendor.session_uid | transaction.id | |
| Vendor.user | user.name | |
| Vendor.web_client_type | user_agent.name | |
| Vendor.user_agent | user_agent.original | |
| Vendor.industry_reference | vulnerability.id |