Parsers and Generated Fields
Tag Fields Created by Parser checkpoint-ngfw
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser checkpoint-ngfw
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.time, ts, Vendor.rt | @timestamp | Event timestamp | Parsed from timestamp fields using various formats |
| source.ip | client.ip | Client IP address | Copied from source.ip for application control logs |
| source.port | client.port | Client port | Copied from source.port for application control logs |
| Vendor.dst, Vendor.tls_server_host_name | destination.address | Destination address | Copied from destination fields |
| Vendor.server_outbound_bytes, Vendor.received_bytes | destination.bytes | Destination byte count | Copied from byte count fields |
| Vendor.destination_dns_hostname, Vendor.dst_machine_name, Vendor.http_host, Vendor.dst_domain_name | destination.domain | Destination domain | Copied from hostname fields (lowercase) |
| destination.address | destination.ip | Destination IP address | Copied from destination address with CIDR validation |
| Vendor.mac_destination_address | destination.mac | Destination MAC | Copied from Vendor.mac_destination_address |
| Vendor.xlatedst | destination.nat.ip | Destination NAT IP | Copied from Vendor.xlatedst |
| Vendor.xlatedport, Vendor.xlatedport_svc | destination.nat.port | Destination NAT port | Copied from NAT port fields |
| Vendor.server_outbound_packets | destination.packets | Destination packet count | Copied from Vendor.server_outbound_packets |
| Vendor.service, Vendor.svc, Vendor.dpt | destination.port | Destination port | Copied from service port fields |
| Vendor.to | destination.user.email | Destination email | Copied from Vendor.to |
| Vendor.usercheck_incident_uid | destination.user.id | Destination user ID | Copied from Vendor.usercheck_incident_uid |
| Vendor.dst_user_name | destination.user.name | Destination username | Copied from Vendor.dst_user_name with regex extraction |
| Vendor.domain_name | dns.question.name | DNS query name | Copied from Vendor.domain_name |
| Vendor.dns_type | dns.question.type | DNS query type | Copied from Vendor.dns_type |
| Vendor.dns_message_type | dns.type | DNS message type | Copied from Vendor.dns_message_type |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.bcc | email.bcc.address[] | Email BCC addresses | Array from Vendor.bcc (lowercase) |
| Vendor.cc | email.cc.address[] | Email CC addresses | Array from Vendor.cc (lowercase) |
| Vendor.delivery_time | email.delivery_timestamp | Email delivery timestamp | Copied from Vendor.delivery_time |
| source.user.email, Vendor.mime_from | email.from.address[] | Email sender addresses | Array from email addresses (lowercase) |
| Vendor.email_queue_id | email.local_id | Email local ID | Copied from Vendor.email_queue_id |
| Vendor.email_message_id | email.message_id | Email message ID | Copied from Vendor.email_message_id |
| Vendor.email_subject | email.subject | Email subject line | Copied from Vendor.email_subject |
| destination.user.email, Vendor.mime_to | email.to.address[] | Email recipient addresses | Array from email addresses (lowercase) |
| Vendor.action, Vendor.act | event.action | Action taken | Mapped from Vendor.action or act with numeric conversion |
| Various vendor fields | event.category[] | Event categories | Array populated based on event type and action |
| Vendor.product | event.dataset | Event dataset | Generated from product name |
| Vendor.last_detection, Vendor.lastupdatetime, Vendor.last_hit_time | event.end | Event end time | Copied from end time fields |
| Vendor.loguid | event.id | Unique log identifier | Copied from Vendor.loguid |
| None | event.kind | Event kind | Static value: event |
| None | event.module | Event module | Static value: ngfw |
| Vendor.audit_status, Vendor.operation_results, Vendor.description | event.outcome | Event outcome | Determined from audit status and results |
| Vendor.action_reason, Vendor.additional_info, Vendor.description, Vendor.information | event.reason | Event reason | Copied from description or additional info |
| Vendor.app_risk, Vendor.cp_app_risk | event.risk_score | Application risk score | Copied from risk fields |
| Vendor.sequencenum | event.sequence | Event sequence number | Copied from Vendor.sequencenum |
| Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity values |
| Vendor.start_time, Vendor.first_detection, Vendor.creation_time | event.start | Event start time | Copied from start time fields |
| Various vendor fields | event.type[] | Event types | Array populated based on event action |
| Vendor.packet_capture | event.url | URL to packet capture | Copied from Vendor.packet_capture |
| Vendor.file_md5 | file.hash.md5 | File MD5 hash | Copied from Vendor.file_md5 (lowercase) |
| Vendor.file_sha1 | file.hash.sha1 | File SHA1 hash | Copied from Vendor.file_sha1 (lowercase) |
| Vendor.file_sha256 | file.hash.sha256 | File SHA256 hash | Copied from Vendor.file_sha256 (lowercase) |
| Vendor.file_id | file.inode | File inode number | Copied from Vendor.file_id |
| Vendor.file_name, Vendor.dlp_file_name | file.name | File name | Copied from file name fields |
| Vendor.file_size | file.size | File size | Copied from Vendor.file_size |
| Vendor.file_type | file.type | File type | Copied from Vendor.file_type |
| Vendor.user_group | group.name | Group name | Copied from Vendor.user_group |
| Vendor.endpoint_ip | host.ip[] | Host IP addresses | Array from Vendor.endpoint_ip |
| Vendor.os_name | host.os.name | Host OS name | Copied from Vendor.os_name |
| Vendor.os_version | host.os.version | Host OS version | Copied from Vendor.os_version |
| Vendor.method, Vendor.requestMethod | http.request.method | HTTP request method | Copied from method fields |
| Vendor.referrer | http.request.referrer | HTTP referrer | Copied from Vendor.referrer |
| Vendor.application | network.application | Network application | Copied from Vendor.application (lowercase) |
| source.bytes, destination.bytes, Vendor.bytes | network.bytes | Network bytes | Calculated from source and destination bytes |
| source.ip, destination.ip, source.port, destination.port, network.iana_number, Vendor.icmp_code, Vendor.icmp_type | network.community_id | Network community ID | Generated using communityId function |
| Vendor.ifdir, Vendor.deviceDirection | network.direction | Network direction | Mapped from direction fields |
| Vendor.proto | network.iana_number | IANA protocol number | Copied from Vendor.proto |
| Vendor.layer_name | network.name | Network layer name | Copied from Vendor.layer_name |
| Vendor.packets | network.packets | Network packets | Copied from Vendor.packets |
| Vendor.protocol, Vendor.service_id | network.protocol | Network protocol | Detected from protocol and service fields |
| network.iana_number | network.transport | Network transport protocol | Mapped from network.iana_number |
| Vendor.server_outbound_interface, Vendor.client_outbound_interface, Vendor.ifname | observer.egress.interface.name | Egress interface name | Copied from interface fields |
| Vendor.outzone | observer.egress.zone | Egress zone | Copied from Vendor.outzone |
| Vendor.client_inbound_interface, Vendor.ifname | observer.ingress.interface.name | Ingress interface name | Copied from interface fields |
| Vendor.inzone, Vendor.security_outzone | observer.ingress.zone | Ingress zone | Copied from zone fields |
| Vendor.origin_ip, Vendor.endpoint_ip, Vendor.origin | observer.ip[] | Observer IP addresses | Array from IP fields |
| Vendor.mac_address | observer.mac[] | Observer MAC addresses | Array from Vendor.mac_address (uppercase) |
| Vendor.originsicname.CN, Vendor.originsicname.cn | observer.name | Observer name | Extracted from parsed originsicname CN field |
| Vendor.product | observer.product | Observer product | Copied from Vendor.product |
| None | observer.type | Observer type | Static value: firewall |
| None | observer.vendor | Observer vendor | Static value: checkpoint |
| Vendor.update_version | observer.version | Observer version | Copied from Vendor.update_version |
| Vendor.process_md5 | process.hash.md5 | Process MD5 hash | Copied from Vendor.process_md5 (lowercase) |
| Vendor.process_name | process.name | Process name | Copied from Vendor.process_name |
| Vendor.parent_process_md5 | process.parent.hash.md5 | Parent process MD5 hash | Copied from Vendor.parent_process_md5 (lowercase) |
| Vendor.parent_process_name | process.parent.name | Parent process name | Copied from Vendor.parent_process_name |
| Vendor.matched_category, Vendor.categories | rule.category | Rule category | Copied from category fields |
| Vendor.malware_action | rule.description | Rule description | Copied from Vendor.malware_action |
| Vendor.malware_rule_id, Vendor.app_rule_id | rule.id | Rule ID | Copied from rule ID fields |
| Vendor.objectname, Vendor.rule_name, Vendor.malware_rule_name, Vendor.app_rule_name, Vendor.dlp_rule_name | rule.name | Rule name | Copied from rule name fields |
| Vendor.smartdefence_profile, Vendor.policy, Vendor.__policy_id_tag.policy_name | rule.ruleset | Rule ruleset | Copied from ruleset fields including parsed policy name |
| Vendor.rule_uid, Vendor.dlp_rule_uid, Vendor.nat_rule_uid | rule.uuid | Rule UUID | Copied from rule UID fields including NAT rule UID |
| destination.ip | server.ip | Server IP address | Copied from destination.ip for application control logs |
| destination.port | server.port | Server port | Copied from destination.port for application control logs |
| Vendor.src | source.address | Source address | Copied from Vendor.src |
| Vendor.client_outbound_bytes, Vendor.sent_bytes | source.bytes | Source byte count | Copied from byte count fields |
| Vendor.src_machine_name | source.domain | Source domain | Copied from machine name (lowercase) |
| Vendor.src, Vendor.client_ip | source.ip | Source IP address | Copied from source IP fields with CIDR validation |
| Vendor.mac_source_address | source.mac | Source MAC address | Copied from Vendor.mac_source_address |
| Vendor.xlatesrc, Vendor.proxy_src_ip | source.nat.ip | Source NAT IP | Copied from NAT source fields |
| Vendor.xlatesport, Vendor.xlatesport_svc | source.nat.port | Source NAT port | Copied from NAT port fields |
| Vendor.client_outbound_packets | source.packets | Source packet count | Copied from Vendor.client_outbound_packets |
| Vendor.s_port, Vendor.spt, Vendor.sport_svc | source.port | Source port | Copied from port fields |
| Vendor.from | source.user.email | Source email address | Extracted from Vendor.from if the value contains @ |
| Vendor.src_user_group | source.user.group.name | Source user group | Copied from Vendor.src_user_group |
| Vendor.uid | source.user.id | Source user ID | Copied from Vendor.uid |
| Vendor.administrator, Vendor.src_user_name | source.user.name | Source username | Copied from user name fields with regex extraction |
| Vendor.client_to_gateway_ciphers | tls.cipher | TLS cipher | Copied from Vendor.client_to_gateway_ciphers |
| Vendor.client_to_gateway_tls_ver_ | tls.version | TLS version | Copied from Vendor.client_to_gateway_tls_ver_ |
| Vendor.session_uid | transaction.id | Transaction ID | Copied from Vendor.session_uid |
| Vendor.http_host | url.domain | URL domain | Copied from Vendor.http_host (lowercase) |
| Vendor.url, Vendor.resource | url.original | Original URL | Copied from URL fields |
| Vendor.user | user.name | Username | Copied from Vendor.user with regex extraction |
| Vendor.web_client_type | user_agent.name | User agent name | Copied from Vendor.web_client_type |
| Vendor.user_agent | user_agent.original | Original user agent | Copied from Vendor.user_agent |
| Vendor.industry_reference | vulnerability.id | Vulnerability ID | Copied from Vendor.industry_reference |
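As an added example (not the parser's own code and not part of this page), the following Python mapper applies several of the rules in the table to a constructed Check Point-style record: host-address validation for source.ip/destination.ip, lowercasing of url.domain, splitting Vendor.mime_to into a lowercase email.to.address array, and generating network.community_id. It assumes "CIDR validation" means accepting only a single host address and that the communityId function is Community ID v1 (covered here for port-bearing protocols only); the sample record and its values are constructed.

```python
import base64
import hashlib
import ipaddress
import struct

# Constructed Check Point-style record; keys match the Vendor.* names in the table.
SAMPLE = {
    "src": "10.1.2.3", "s_port": "51234",
    "dst": "93.184.216.34", "service": "443", "proto": "6",
    "http_host": "WWW.Example.COM",
    "mime_to": "Alice@Example.com, bob@example.org",
}

def host_ip(value):
    """Assumed reading of 'CIDR validation': keep one host address, drop anything else."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None  # a range such as "10.0.0.0/8" or a hostname is not an IP

def community_id(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1 for protocols with ports (TCP/UDP/SCTP): 1:<base64(sha1(...))>."""
    sa, da = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    sp, dp = sport, dport
    if (sa.packed, sp) > (da.packed, dp):  # canonical order: lower endpoint first
        sa, da, sp, dp = da, sa, dp, sp
    data = struct.pack("!H", seed) + sa.packed + da.packed + struct.pack("!BBHH", proto, 0, sp, dp)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

def map_record(v):
    """Map a subset of Vendor.* fields to ECS fields following the table's rules."""
    ecs = {"observer.type": "firewall", "observer.vendor": "checkpoint"}
    ecs["source.ip"] = host_ip(v.get("src"))
    ecs["destination.ip"] = host_ip(v.get("dst"))
    ecs["source.port"] = int(v["s_port"]) if "s_port" in v else None
    ecs["destination.port"] = int(v["service"]) if "service" in v else None
    ecs["network.iana_number"] = int(v["proto"]) if "proto" in v else None
    if "http_host" in v:
        ecs["url.domain"] = v["http_host"].lower()
    if "mime_to" in v:
        ecs["email.to.address"] = [a.strip().lower() for a in v["mime_to"].split(",")]
    needed = ("source.ip", "destination.ip", "source.port", "destination.port", "network.iana_number")
    if all(ecs.get(k) is not None for k in needed):  # only when the 5-tuple is complete
        ecs["network.community_id"] = community_id(ecs["source.ip"], ecs["destination.ip"],
            ecs["network.iana_number"], ecs["source.port"], ecs["destination.port"])
    return {k: val for k, val in ecs.items() if val is not None}
```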