Parsers and Generated Fields
Tag Fields Created by Parser cisco-umbrella
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-umbrella
| CPS Field | How Set | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | None |
| `event.type[]` | Array | Vendor.action |
| `event.dataset` | Conditional | None |
| `source.ip` | Conditional | source.address |
| `cloud.region` | Copied | Vendor.aws_region |
| `destination.address` | Copied | Vendor.destination_ip |
| `destination.domain` | Copied | Vendor.destination |
| `destination.ip` | Copied | Vendor.destination_ip |
| `destination.port` | Copied | Vendor.destination_port |
| `dns.question.name` | Copied | Vendor.domain |
| `dns.question.type` | Copied | Vendor.query_type |
| `dns.response_code` | Copied | Vendor.response_code |
| `error.message` | Copied | Vendor.certificate_errors |
| `event.action` | Copied | Vendor.action |
| `event.id` | Copied | Vendor.id, Vendor.unique_event_id |
| `file.hash.sha256` | Copied | Vendor.sha256 |
| `file.mime_type` | Copied | Vendor.content_type |
| `file.name` | Copied | Vendor.filename, Vendor.name |
| `file.owner` | Copied | Vendor.owner |
| `file.size` | Copied | Vendor.file_size |
| `http.request.bytes` | Copied | Vendor.request_size |
| `http.request.method` | Copied | Vendor.request_method |
| `http.request.mime_type` | Copied | Vendor.content_type |
| `http.request.referrer` | Copied | Vendor.referer |
| `http.response.body.bytes` | Copied | Vendor.response_body_size |
| `http.response.bytes` | Copied | Vendor.response_size |
| `http.response.status_code` | Copied | Vendor.status_code |
| `message` | Copied | Vendor.signature_message |
| `network.application` | Copied | Vendor.application |
| `network.bytes` | Copied | Vendor.packet_size |
| `network.transport` | Copied | Vendor.protocol, Vendor.ip_protocol |
| `observer.egress.interface.id` | Copied | Vendor.origin_ids |
| `observer.ingress.interface.id` | Copied | Vendor.origin_ids |
| `process.entity_id` | Copied | Vendor.session_id |
| `rule.category` | Copied | Vendor.attack_classification |
| `rule.description` | Copied | Vendor.signature_method |
| `rule.id` | Copied | Vendor.rule_id, Vendor.signature_id, Vendor.firewall_rule_id |
| `rule.name` | Copied | Vendor.rule |
| `rule.uuid` | Copied | Vendor.ruleset_id, Vendor.signature_list_id |
| `source.address` | Copied | Vendor.internal_ip, Vendor.internal_client_ip |
| `source.geo.name` | Copied | Vendor.data_center |
| `source.nat.ip` | Copied | Vendor.external_ip, Vendor.external_client_ip |
| `source.port` | Copied | Vendor.source_port |
| `url.original` | Copied | Vendor.url |
| `user.email` | Copied | Vendor.email |
| `user.name` | Copied | Vendor.user |
| `user_agent.original` | Copied | Vendor.user_agent |
| `vulnerability.reference` | Copied | Vendor.cves |
| `@timestamp` | Extracted | Vendor.timestamp |
| `network.direction` | Mapped | Vendor.direction |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.aws_region | cloud.region | |
| Vendor.destination | destination.domain | |
| Vendor.destination_ip | destination.ip | |
| Vendor.destination_port | destination.port | |
| Vendor.domain | dns.question.name | |
| Vendor.query_type | dns.question.type | |
| Vendor.response_code | dns.response_code | |
| Vendor.certificate_errors | error.message | |
| Vendor.id | event.id | |
| Vendor.unique_event_id | event.id | |
| @s3.object.key | eventType | |
| Vendor.event_type | eventType | |
| Vendor.content_type | file.mime_type | |
| Vendor.filename | file.name | |
| Vendor.name | file.name | |
| Vendor.owner | file.owner | |
| Vendor.file_size | file.size | |
| Vendor.request_size | http.request.bytes | |
| Vendor.request_method | http.request.method | |
| Vendor.content_type | http.request.mime_type | |
| Vendor.referer | http.request.referrer | |
| Vendor.response_body_size | http.response.body.bytes | |
| Vendor.response_size | http.response.bytes | |
| Vendor.status_code | http.response.status_code | |
| Vendor.signature_message | message | |
| Vendor.application | network.application | |
| Vendor.packet_size | network.bytes | |
| Vendor.ip_protocol | network.transport | |
| Vendor.protocol | network.transport | |
| Vendor.session_id | process.entity_id | |
| Vendor.attack_classification | rule.category | |
| Vendor.signature_method | rule.description | |
| Vendor.firewall_rule_id | rule.id | |
| Vendor.rule_id | rule.id | |
| Vendor.signature_id | rule.id | |
| Vendor.rule | rule.name | |
| Vendor.ruleset_id | rule.uuid | |
| Vendor.signature_list_id | rule.uuid | |
| Vendor.data_center | source.geo.name | |
| Vendor.source_ip | source.ip | |
| Vendor.external_client_ip | source.nat.ip | |
| Vendor.external_ip | source.nat.ip | |
| Vendor.source_port | source.port | |
| Vendor.url | url.original | |
| Vendor.email | user.email | |
| Vendor.user | user.name | |
| Vendor.user_agent | user_agent.original | |
| Vendor.cves | vulnerability.reference | |