Parsers and Generated Fields
Tag Fields Created by Parser cisco-duo
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-duo
| Description | Source Field | CPS Field | Mapping |
|---|---|---|---|
| Browser name (activity/authentication logs) | Vendor.access_device.browser | user_agent.name | |
| Browser version (activity/authentication logs) | Vendor.access_device.browser_version | user_agent.version | |
| Access device hostname (activity/authentication logs) | Vendor.access_device.hostname | source.domain | |
| Access device IP (authentication logs) | Vendor.access_device.ip | source.ip | |
| Access device IP address (activity logs) | Vendor.access_device.ip.address | source.ip | |
| City name from access device (activity/authentication logs) | Vendor.access_device.location.city | source.geo.city_name | |
| Country name from access device (activity/authentication logs) | Vendor.access_device.location.country | source.geo.country_name | |
| State/region from access device (activity/authentication logs) | Vendor.access_device.location.state | source.geo.region_name | |
| Operating system name (activity/authentication logs) | Vendor.access_device.os | user_agent.os.name | |
| Operating system version (activity/authentication logs) | Vendor.access_device.os_version | user_agent.os.version | |
| Access device port (activity logs) | Vendor.access_device.port | source.port | |
| Administrator log action | Vendor.action | event.action | |
| Activity log action name (coalesced with Vendor.action) | Vendor.action.name | event.action | |
| Activity log event identifier | Vendor.activity_id | event.id | |
| Actor email (activity logs) | Vendor.actor.details.email | user.email | |
| Actor group name (activity logs) | Vendor.actor.details.group.name | user.group.name | |
| Actor user key (activity logs) | Vendor.actor.key | user.id | |
| Actor username (activity logs) | Vendor.actor.name | user.name | |
| Network application (lowercased, authentication logs) | Vendor.applications | network.application | |
| Telephony log context | Vendor.context | event.action | |
| User email (for non-user_/bypass_ events) | Vendor.description.email | user.email | |
| Error message (administrator logs) | Vendor.description.error | error.message | |
| Target user roles (for user_/bypass_ events) | Vendor.description.groups[].name | user.target.roles[] | |
| Client hostname (administrator logs) | Vendor.description.hostname | source.domain | |
| Client IP address (administrator logs) | Vendor.description.ip_address | source.ip | |
| Target real name (for user_/bypass_ events) | Vendor.description.realname | user.target.full_name | |
| Target username (for user_/bypass_ events) | Vendor.description.uname | user.target.name | |
| Original user agent string (administrator logs) | Vendor.description.user_agent | user_agent.original | |
| User email (authentication logs) | Vendor.email | user.email | |
| Effective user ID (who enabled) | Vendor.enabled_by.key | user.effective.id | |
| Effective user name (who enabled) | Vendor.enabled_by.name | user.effective.name | |
| Target user ID (enabled for) | Vendor.enabled_for.key | user.target.id | |
| Target user name (enabled for) | Vendor.enabled_for.name | user.target.name | |
| Authentication log event type | Vendor.event_type | event.action | |
| Host/observer name (authentication/administrator logs) | Vendor.host | observer.name | |
| User name (for non-user_/bypass_ events) | Vendor.object | user.name | |
| Activity log result (SUCCESS/FAILURE) | Vendor.outcome.result | event.outcome | |
| Authentication failure reason | Vendor.reason | event.reason | |
| Authentication result (success/denied/fraud) | Vendor.result | event.outcome | |
| TrustMonitor event identifier | Vendor.sekey | event.id | |
| TrustMonitor browser name | Vendor.surfaced_auth.access_device.browser | user_agent.name | |
| TrustMonitor browser version | Vendor.surfaced_auth.access_device.browser_version | user_agent.version | |
| TrustMonitor access device hostname | Vendor.surfaced_auth.access_device.hostname | source.domain | |
| TrustMonitor access device IP | Vendor.surfaced_auth.access_device.ip | source.ip | |
| TrustMonitor city name | Vendor.surfaced_auth.access_device.location.city | source.geo.city_name | |
| TrustMonitor country name | Vendor.surfaced_auth.access_device.location.country | source.geo.country_name | |
| TrustMonitor state/region | Vendor.surfaced_auth.access_device.location.state | source.geo.region_name | |
| TrustMonitor operating system | Vendor.surfaced_auth.access_device.os | user_agent.os.name | |
| TrustMonitor OS version | Vendor.surfaced_auth.access_device.os_version | user_agent.os.version | |
| TrustMonitor user email | Vendor.surfaced_auth.email | user.email | |
| TrustMonitor authentication reason | Vendor.surfaced_auth.reason | event.reason | |
| TrustMonitor authentication result | Vendor.surfaced_auth.result | event.outcome | |
| TrustMonitor user key | Vendor.surfaced_auth.user.key | user.id | |
| TrustMonitor username | Vendor.surfaced_auth.user.name | user.name | |
| Target email (when target.type = user) | Vendor.target.details.email | user.target.email | |
| Target real name (when target.type = user) | Vendor.target.details.realname | user.target.full_name | |
| Target username (when target.type = user) | Vendor.target.details.uname | user.target.name | |
| Target key as email (when target.type = user) | Vendor.target.key | user.target.email | |
| Telephony log event identifier | Vendor.telephony_id | event.id | |
| TrustMonitor triage event URI (also mapped to url.original) | Vendor.triage_event_uri | url.original | |
| TrustMonitor event type | Vendor.type | event.action | |
| User group roles (authentication logs) | Vendor.user.groups[] | user.roles[] | |
| User key/ID (authentication logs) | Vendor.user.key | user.id | |
| Username (authentication logs) | Vendor.user.name | user.name | |
| Administrator full name | Vendor.username | user.full_name | |