Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Library Guidance Release Notes Integrations Query Examples Training API GraphQL Search Archives Contact Support

Parsers and Generated Fields

Tag Fields Created by Parser cisco-duo

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser cisco-duo

Source Field	CPS Field	Description	Mapping
Browser name (activity/authentication logs)	Vendor.access_device.browser		user_agent.name
Browser version (activity/authentication logs)	Vendor.access_device.browser_version		user_agent.version
Access device hostname (activity/authentication logs)	Vendor.access_device.hostname		source.domain
Access device IP (authentication logs)	Vendor.access_device.ip		source.ip
Access device IP address (activity logs)	Vendor.access_device.ip.address		source.ip
City name from access device (activity/authentication logs)	Vendor.access_device.location.city		source.geo.city_name
Country name from access device (activity/authentication logs)	Vendor.access_device.location.country		source.geo.country_name
State/region from access device (activity/authentication logs)	Vendor.access_device.location.state		source.geo.region_name
Operating system name (activity/authentication logs)	Vendor.access_device.os		user_agent.os.name
Operating system version (activity/authentication logs)	Vendor.access_device.os_version		user_agent.os.version
Access device port (activity logs)	Vendor.access_device.port		source.port
Administrator log action	Vendor.action		event.action
Activity log action name (coalesced with Vendor.action)	Vendor.action.name		event.action
Activity log event identifier	Vendor.activity_id		event.id
Actor email (activity logs)	Vendor.actor.details.email		user.email
Actor group name (activity logs)	Vendor.actor.details.group.name		user.group.name
Actor user key (activity logs)	Vendor.actor.key		user.id
Actor username (activity logs)	Vendor.actor.name		user.name
Network application (lowercased, authentication logs)	Vendor.applications		network.application
Telephony log context	Vendor.context		event.action
User email (for non-user_/bypass_ events)	Vendor.description.email		user.email
Error message (administrator logs)	Vendor.description.error		error.message
Target user roles (for user_/bypass_ events)	Vendor.description.groups[].name		user.target.roles[]
Client hostname (administrator logs)	Vendor.description.hostname		source.domain
Client IP address (administrator logs)	Vendor.description.ip_address		source.ip
Target real name (for user_/bypass_ events)	Vendor.description.realname		user.target.full_name
Target username (for user_/bypass_ events)	Vendor.description.uname		user.target.name
Original user agent string (administrator logs)	Vendor.description.user_agent		user_agent.original
User email (authentication logs)	Vendor.email		user.email
Effective user ID (who enabled)	Vendor.enabled_by.key		user.effective.id
Effective user name (who enabled)	Vendor.enabled_by.name		user.effective.name
Target user ID (enabled for)	Vendor.enabled_for.key		user.target.id
Target user name (enabled for)	Vendor.enabled_for.name		user.target.name
Authentication log event type	Vendor.event_type		event.action
Host/observer name (authentication/administrator logs)	Vendor.host		observer.name
User name (for non-user_/bypass_ events)	Vendor.object		user.name
Activity log result (SUCCESS/FAILURE)	Vendor.outcome.result		event.outcome
Authentication failure reason	Vendor.reason		event.reason
Authentication result (success/denied/fraud)	Vendor.result		event.outcome
TrustMonitor event identifier	Vendor.sekey		event.id
TrustMonitor browser name	Vendor.surfaced_auth.access_device.browser		user_agent.name
TrustMonitor browser version	Vendor.surfaced_auth.access_device.browser_version		user_agent.version
TrustMonitor access device hostname	Vendor.surfaced_auth.access_device.hostname		source.domain
TrustMonitor access device IP	Vendor.surfaced_auth.access_device.ip		source.ip
TrustMonitor city name	Vendor.surfaced_auth.access_device.location.city		source.geo.city_name
TrustMonitor country name	Vendor.surfaced_auth.access_device.location.country		source.geo.country_name
TrustMonitor state/region	Vendor.surfaced_auth.access_device.location.state		source.geo.region_name
TrustMonitor operating system	Vendor.surfaced_auth.access_device.os		user_agent.os.name
TrustMonitor OS version	Vendor.surfaced_auth.access_device.os_version		user_agent.os.version
TrustMonitor user email	Vendor.surfaced_auth.email		user.email
TrustMonitor authentication reason	Vendor.surfaced_auth.reason		event.reason
TrustMonitor authentication result	Vendor.surfaced_auth.result		event.outcome
TrustMonitor user key	Vendor.surfaced_auth.user.key		user.id
TrustMonitor username	Vendor.surfaced_auth.user.name		user.name
Target email (when target.type = user)	Vendor.target.details.email		user.target.email
Target real name (when target.type = user)	Vendor.target.details.realname		user.target.full_name
Target username (when target.type = user)	Vendor.target.details.uname		user.target.name
Target key as email (when target.type = user)	Vendor.target.key		user.target.email
Telephony log event identifier	Vendor.telephony_id		event.id
TrustMonitor triage event URI (also mapped to url.original)	Vendor.triage_event_uri		url.original
TrustMonitor event type	Vendor.type		event.action
User group roles (authentication logs)	Vendor.user.groups[]		user.roles[]
User key/ID (authentication logs)	Vendor.user.key		user.id
Username (authentication logs)	Vendor.user.name		user.name
Administrator full name	Vendor.username		user.full_name

Enter search term