Parsers and Generated Fields
Tag Fields Created by Parser cisco-duo
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-duo
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.access_device.hostname | client.domain | Access device hostname (activity/authentication logs) |
| Vendor.description.hostname | client.domain | Client hostname (administrator logs) |
| Vendor.surfaced_auth.access_device.hostname | client.domain | TrustMonitor access device hostname |
| Vendor.access_device.location.city | client.geo.city_name | City name from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.city | client.geo.city_name | TrustMonitor city name |
| Vendor.access_device.location.country | client.geo.country_name | Country name from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.country | client.geo.country_name | TrustMonitor country name |
| Vendor.access_device.location.state | client.geo.region_name | State/region from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.state | client.geo.region_name | TrustMonitor state/region |
| Vendor.access_device.ip | client.ip | Access device IP (authentication logs) |
| Vendor.access_device.ip.address | client.ip | Access device IP address (activity logs) |
| Vendor.description.ip_address | client.ip | Client IP address (administrator logs) |
| Vendor.surfaced_auth.access_device.ip | client.ip | TrustMonitor access device IP |
| Vendor.access_device.port | client.port | Access device port (activity logs) |
| Vendor.description.error | error.message | Error message (administrator logs) |
| Vendor.action | event.action | Administrator log action |
| Vendor.action.name | event.action | Activity log action name (coalesced with Vendor.action) |
| Vendor.context | event.action | Telephony log context |
| Vendor.event_type | event.action | Authentication log event type |
| Vendor.type | event.action | TrustMonitor event type |
| Vendor.activity_id | event.id | Activity log event identifier |
| Vendor.sekey | event.id | TrustMonitor event identifier |
| Vendor.telephony_id | event.id | Telephony log event identifier |
| Vendor.outcome.result | event.outcome | Activity log result (SUCCESS/FAILURE) |
| Vendor.result | event.outcome | Authentication result (success/denied/fraud) |
| Vendor.surfaced_auth.result | event.outcome | TrustMonitor authentication result |
| Vendor.reason | event.reason | Authentication failure reason |
| Vendor.surfaced_auth.reason | event.reason | TrustMonitor authentication reason |
| Vendor.triage_event_uri | event.url | TrustMonitor triage event URI |
| Vendor.applications | network.application | Network application (lowercased, authentication logs) |
| Vendor.host | observer.name | Host/observer name (authentication/administrator logs) |
| client.address | source.address | |
| Vendor.access_device.hostname | source.domain | Access device hostname (activity/authentication logs) |
| Vendor.description.hostname | source.domain | Client hostname (administrator logs) |
| Vendor.surfaced_auth.access_device.hostname | source.domain | TrustMonitor access device hostname |
| client.domain | source.domain | |
| Vendor.access_device.location.city | source.geo.city_name | City name from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.city | source.geo.city_name | TrustMonitor city name |
| client.geo.city_name | source.geo.city_name | |
| Vendor.access_device.location.country | source.geo.country_name | Country name from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.country | source.geo.country_name | TrustMonitor country name |
| client.geo.country_name | source.geo.country_name | |
| Vendor.access_device.location.state | source.geo.region_name | State/region from access device (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.location.state | source.geo.region_name | TrustMonitor state/region |
| client.geo.region_name | source.geo.region_name | |
| Vendor.access_device.ip | source.ip | Access device IP (authentication logs) |
| Vendor.access_device.ip.address | source.ip | Access device IP address (activity logs) |
| Vendor.description.ip_address | source.ip | Client IP address (administrator logs) |
| Vendor.surfaced_auth.access_device.ip | source.ip | TrustMonitor access device IP |
| client.ip | source.ip | |
| Vendor.access_device.port | source.port | Access device port (activity logs) |
| url.host | url.domain | |
| Vendor.triage_event_uri | url.original | TrustMonitor triage event URI (also mapped to url.original) |
| Vendor.enabled_by.key | user.effective.id | Effective user ID (who enabled) |
| Vendor.enabled_by.name | user.effective.name | Effective user name (who enabled) |
| Vendor.actor.details.email | user.email | Actor email (activity logs) |
| Vendor.description.email | user.email | User email (for non-user_/bypass_ events) |
| Vendor.email | user.email | User email (authentication logs) |
| Vendor.surfaced_auth.email | user.email | TrustMonitor user email |
| Vendor.username | user.full_name | Administrator full name |
| Vendor.actor.details.group.name | user.group.name | Actor group name (activity logs) |
| Vendor.actor.key | user.id | Actor user key (activity logs) |
| Vendor.surfaced_auth.user.key | user.id | TrustMonitor user key |
| Vendor.user.key | user.id | User key/ID (authentication logs) |
| Vendor.actor.name | user.name | Actor username (activity logs) |
| Vendor.object | user.name | User name (for non-user_/bypass_ events) |
| Vendor.surfaced_auth.user.name | user.name | TrustMonitor username |
| Vendor.user.name | user.name | Username (authentication logs) |
| Vendor.user.groups[] | user.roles[] | User group roles (authentication logs) |
| Vendor.description.email | user.target.email | Target email (for user_/bypass_ events) |
| Vendor.target.details.email | user.target.email | Target email (when target.type = "user") |
| Vendor.target.key | user.target.email | Target key as email (when target.type = "user") |
| Vendor.description.realname | user.target.full_name | Target real name (for user_/bypass_ events) |
| Vendor.target.details.realname | user.target.full_name | Target real name (when target.type = "user") |
| Vendor.enabled_for.key | user.target.id | Target user ID (enabled for) |
| Vendor.description.uname | user.target.name | Target username (for user_/bypass_ events) |
| Vendor.enabled_for.name | user.target.name | Target user name (enabled for) |
| Vendor.target.details.uname | user.target.name | Target username (when target.type = "user") |
| x.name | user.target.roles | |
| Vendor.description.groups[].name | user.target.roles[] | Target user roles (for user_/bypass_ events) |
| Vendor.access_device.browser | user_agent.name | Browser name (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.browser | user_agent.name | TrustMonitor browser name |
| Vendor.description.user_agent | user_agent.original | Original user agent string (administrator logs) |
| Vendor.access_device.os | user_agent.os.name | Operating system name (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.os | user_agent.os.name | TrustMonitor operating system |
| Vendor.access_device.os_version | user_agent.os.version | Operating system version (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.os_version | user_agent.os.version | TrustMonitor OS version |
| Vendor.access_device.browser_version | user_agent.version | Browser version (activity/authentication logs) |
| Vendor.surfaced_auth.access_device.browser_version | user_agent.version | TrustMonitor browser version |