Parsers and Generated Fields
Tag Fields Created by Parser cisco-ise
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-ise
| CPS Field | Mapping Type | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | Vendor.category, Vendor.code |
| `event.type[]` | Array | Vendor.category, Vendor.code |
| `tls.client.x509.issuer.country[]` | Array | Vendor.Issuer - Country |
| `tls.client.x509.issuer.locality[]` | Array | Vendor.Issuer - Location |
| `tls.client.x509.issuer.organization[]` | Array | Vendor.Issuer - Organization |
| `tls.client.x509.issuer.organizational_unit[]` | Array | Vendor.Issuer - Organization Unit |
| `tls.client.x509.issuer.state_or_province[]` | Array | Vendor.Issuer - State or Province |
| `tls.client.x509.subject.common_name[]` | Array | Vendor.Subject - Common Name |
| `tls.client.x509.subject.organizational_unit[]` | Array | Vendor.Subject - Organization Unit |
| `user.full_name` | Concatenated | Vendor.Firstname, Vendor.Lastname |
| `client.address` | Copied | Vendor.IpAddress, Vendor.AdminIPAddress, Vendor.DestinationIPAddress, Vendor.Remote-Address, Vendor.Framed-IP-Address |
| `client.domain` | Copied | Vendor.NetworkDeviceName, Vendor.AD-Host-DNS-Domain |
| `client.mac` | Copied | Vendor.EndPointMACAddress, Vendor.EPMacAddress |
| `client.port` | Copied | Vendor.DestinationPort, client.address |
| `event.reason` | Copied | Vendor.AD-Error-Details, Vendor.FailureReason, Vendor.Detail, Vendor.Failure Reason |
| `event.sequence` | Copied | Vendor.log.segment.number |
| `network.protocol` | Copied | Vendor.Protocol |
| `observer.name` | Copied | log.syslog.hostname |
| `server.address` | Copied | Vendor.EndpointNADAddress, Vendor.PsnHostName, Vendor.Device IP Address |
| `server.port` | Copied | Vendor.Device Port |
| `service.name` | Copied | Vendor.ISEServiceName, Vendor.Service-Argument |
| `tls.cipher` | Copied | Vendor.TLSCipher |
| `tls.version` | Copied | Vendor.TLSVersion |
| `user.email` | Copied | Vendor.EmailAddress |
| `user.group.name` | Copied | Vendor.AD-Groups-Names |
| `user.name` | Copied | Vendor.UserName, Vendor.OriginalUserName, Vendor.User, Vendor.AdminName, Vendor.User-Name, Vendor.AD-User-SamAccount-Name, Vendor.AD-User-Qualified-Name |
| `event.outcome` | Determined | Vendor.AuthenticationStatus, Vendor.log.message.description, Vendor.FailureReason, Vendor.Response.AcctReply-Status |
| `client.ip` | Extracted | client.address |
| `event.action` | Extracted | Vendor.category, Vendor.log.message.description, Vendor.Action |
| `event.dataset` | Extracted | Vendor.category |
| `event.id` | Extracted | event.id |
| `log.syslog.hostname` | Extracted | syslog hostname |
| `log.syslog.priority` | Extracted | syslog priority |
| `log.syslog.severity.name` | Extracted | Vendor.log.syslog.severity.name |
| `server.domain` | Extracted | server.address |
| `server.ip` | Extracted | server.address |
| `user.domain` | Extracted | user.name, Vendor.AD-User-DNS-Domain |
| `@timestamp` | Parsed | event.created, @timestamp |
| `event.created` | Parsed | syslog timestamp |
| `process.command_line` | Parsed | Vendor.CmdSet |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.type` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.Response | __tmpResponse | |
| Vendor.DestinationPort | client.port | |
| Vendor.log.segment.number | event.sequence | |
| log.syslog.hostname | observer.name | |
| Vendor.TLSCipher | tls.cipher | |
| Vendor.TLSVersion | tls.version | |
| Vendor.EmailAddress | user.email | |