Parsers and Generated Fields
Tag Fields Created by Parser cisco-meraki
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-meraki
| CPS Field | Method | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | None |
| `event.type[]` | Array | None |
| `host.ip[]` | Array | Vendor.eventData.client_ip, Vendor.clientIp, Vendor.eventData.ip |
| `host.mac[]` | Array | Vendor.clientMac, temp_mac |
| `observer.mac[]` | Array | temp_mac |
| `network.bytes` | Calculated | Vendor.sent, Vendor.recv |
| `client.address` | Copied | Vendor.clientDescription |
| `client.ip` | Copied | Vendor.client_ip, Vendor.clientIp, Vendor.eventData.client_ip, Vendor.eventData.ip |
| `client.mac` | Copied | Vendor.client_mac, Vendor.clientMac |
| `destination.as.number` | Copied | Vendor.eventData.local_as |
| `destination.mac` | Copied | Vendor.dst |
| `error.code` | Copied | Vendor.eventData.error_code |
| `error.message` | Copied | Vendor.eventData.desc |
| `event.duration` | Copied | Vendor.activeTime |
| `event.original` | Copied | Vendor.description, Vendor.message, syslog.message |
| `file.hash.sha256` | Copied | Vendor.sha256, Vendor.fileHash |
| `file.name` | Copied | Vendor.name |
| `file.size` | Copied | Vendor.fileSizeBytes |
| `file.type` | Copied | Vendor.fileType |
| `host.hostname` | Copied | Vendor.clientDescription |
| `host.id` | Copied | Vendor.clientId |
| `http.request.method` | Copied | Vendor.http_method |
| `network.application` | Copied | Vendor.application |
| `network.direction` | Copied | Vendor.direction |
| `network.forwarded_ip` | Copied | Vendor.forwarded_ip |
| `network.name` | Copied | Vendor.ssid, Vendor.networkId |
| `network.packets` | Copied | Vendor.flows |
| `network.protocol` | Copied | Vendor.protocol, network.protocol |
| `network.vlan.id` | Copied | Vendor.vlan_id, Vendor.eventData.vlan |
| `observer.name` | Copied | Vendor.deviceName |
| `observer.serial_number` | Copied | Vendor.deviceSerial |
| `rule.category` | Copied | Vendor.classification |
| `rule.description` | Copied | Vendor.message |
| `rule.id` | Copied | Vendor.signature |
| `rule.name` | Copied | Vendor.message |
| `rule.reference` | Copied | Vendor.ruleId |
| `server.ip` | Copied | Vendor.server, Vendor.original_server_ip |
| `server.mac` | Copied | Vendor.server_mac, Vendor.original_server_mac |
| `server.port` | Copied | Vendor.serverport |
| `source.as.number` | Copied | Vendor.eventData.remote_as |
| `source.ip` | Copied | Vendor.src, Vendor.srcIp, Vendor.translated_src_ip |
| `source.mac` | Copied | Vendor.mac, Vendor.src, Vendor.clientMac |
| `source.port` | Copied | Vendor.sport, Vendor.translated_port |
| `threat.indicator.description` | Copied | Vendor.message |
| `threat.indicator.ip` | Copied | destination.ip |
| `url.original` | Copied | Vendor.url, Vendor.uri |
| `user.name` | Copied | Vendor.username, user.name |
| `user_agent.original` | Copied | Vendor.agent |
| `event.action` | Derived | event_subtype, Vendor.type, Vendor.eventType |
| `event.outcome` | Derived | Vendor.connectivity, Vendor.blocked, _outcome |
| `network.type` | Determined | source.ip |
| `destination.ip` | Extracted | Vendor.dst, Vendor.destIp, Vendor.eventData.router, destination.ip |
| `destination.port` | Extracted | Vendor.dport, Vendor.destIp, destination.port |
| `log.syslog.appname` | Extracted | @rawstring |
| `log.syslog.hostname` | Extracted | @rawstring |
| `log.syslog.priority` | Extracted | @rawstring |
| `log.syslog.version` | Extracted | @rawstring |
| `network.transport` | Extracted | network.transport |
| `tls.version` | Extracted | network.transport |
| `event.severity` | Mapped | Vendor.priority |
| `@timestamp` | Parsed | @rawstring, Vendor.ts, Vendor.occurredAt |
| `server.address` | Parsed | Vendor.url |
| `url.domain` | Parsed | url.original |
| `url.path` | Parsed | url.original |
| `url.query` | Parsed | url.original |
| `url.scheme` | Parsed | url.original |
| `action` | Static | None |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.type` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.eventData.channel | Vendor.channel | |
| Vendor.eventData.connection_status | Vendor.connection_status | |
| Vendor.eventData.dns | Vendor.dns | |
| Vendor.eventData.duration | Vendor.lease_duration | |
| Vendor.eventData.new_state | Vendor.new_state | |
| Vendor.eventData.peer_contact | Vendor.peer_contact | |
| Vendor.eventData.peer_type | Vendor.peer_type | |
| Vendor.eventData.rssi | Vendor.signal_strength | |
| Vendor.eventData.vpn_type | Vendor.vpn_type | |
| Vendor.clientDescription | client.address | |
| Vendor.client_ip | client.ip | |
| Vendor.eventData.client_ip | client.ip | |
| Vendor.eventData.ip | client.ip | |
| Vendor.client_mac | client.mac | |
| Vendor.eventData.local_as | destination.as.number | |
| Vendor.destination | destination.ip | |
| Vendor.dst | destination.ip | |
| Vendor.eventData.peer_ip | destination.ip | |
| Vendor.eventData.router | destination.ip | |
| Vendor.translated_dst_ip | destination.ip | |
| Vendor.dst | destination.mac | |
| Vendor.dport | destination.port | |
| Vendor.port | destination.port | |
| Vendor.eventData.error_code | error.code | |
| Vendor.eventData.desc | error.message | |
| Vendor.action | event.action | |
| Vendor.eventType | event.action | |
| Vendor.type | event.action | |
| Vendor.description | event.original | |
| Vendor.message | event.original | |
| Vendor.type | event_subtype | |
| log.syslog.appname | event_subtype | |
| Vendor.name | file.name | |
| Vendor.fileSizeBytes | file.size | |
| Vendor.fileType | file.type | |
| Vendor.clientDescription | host.hostname | |
| Vendor.clientName | host.hostname | |
| Vendor.clientId | host.id | |
| Vendor.http_method | http.request.method | |
| Vendor.application | network.application | |
| Vendor.sent | network.bytes | |
| Vendor.direction | network.direction | |
| Vendor.forwarded_ip | network.forwarded_ip | |
| Vendor.networkId | network.name | |
| Vendor.ssid | network.name | |
| Vendor.flows | network.packets | |
| Vendor.protocol | network.protocol | |
| Vendor.eventData.vlan | network.vlan.id | |
| Vendor.deviceName | observer.name | |
| Vendor.deviceSerial | observer.serial_number | |
| Vendor.classification | rule.category | |
| Vendor.message | rule.description | |
| Vendor.signature | rule.id | |
| Vendor.message | rule.name | |
| Vendor.ruleId | rule.reference | |
| Vendor.url.host | server.address | |
| Vendor.server | server.ip | |
| Vendor.original_server_mac | server.mac | |
| Vendor.server_mac | server.mac | |
| Vendor.serverport | server.port | |
| Vendor.eventData.remote_as | source.as.number | |
| Vendor.eventData.client_ip | source.ip | |
| Vendor.eventData.ip | source.ip | |
| Vendor.eventData.peer_ip | source.ip | |
| Vendor.src | source.ip | |
| Vendor.srcIp | source.ip | |
| Vendor.translated_src_ip | source.ip | |
| Vendor.clientMac | source.mac | |
| Vendor.mac | source.mac | |
| Vendor.src | source.mac | |
| Vendor.sport | source.port | |
| destination.ip | threat.indicator.ip | |
| Vendor.uri | url.original | |
| Vendor.url | url.original | |
| Vendor.username | user.name | |
| Vendor.agent | user_agent.original | |