Parsers and Generated Fields
Tag Fields Created by Parser cisco-umbrella
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-umbrella
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.aws_region | cloud.region | |
| Vendor.csv_row; | csvData | |
| Vendor.destination_ip | destination.address | Destination IP mapping |
| Vendor.destination | destination.domain | Destination domain mapping |
| Vendor.destination_ip | destination.ip | |
| Vendor.destination_port | destination.port | |
| Vendor.domain | dns.question.name | DNS domain name mapping |
| Vendor.query_type | dns.question.type | DNS query type mapping |
| Vendor.response_code | dns.response_code | DNS response code mapping |
| Vendor.certificate_errors | error.message | Certificate error messages |
| Vendor.action | event.action | Action taken, converted to lowercase |
| Vendor.id | event.id | |
| Vendor.unique_event_id | event.id | |
| @s3.object.key | eventType | |
| Vendor.event_type | eventType | |
| Vendor.sha256 | file.hash.sha256 | SHA256 hash mapping |
| Vendor.content_type | file.mime_type | |
| Vendor.filename | file.name | Filename mapping |
| Vendor.name | file.name | |
| Vendor.owner | file.owner | |
| Vendor.file_size | file.size | |
| Vendor.request_size | http.request.bytes | Request size in bytes |
| Vendor.request_method | http.request.method | HTTP method mapping |
| Vendor.content_type | http.request.mime_type | Content type mapping |
| Vendor.referer | http.request.referrer | HTTP referrer mapping |
| Vendor.response_body_size | http.response.body.bytes | Response body size |
| Vendor.response_size | http.response.bytes | Response size in bytes |
| Vendor.status_code | http.response.status_code | HTTP status code mapping |
| Vendor.signature_message | message | |
| Vendor.application | network.application | |
| Vendor.packet_size | network.bytes | Packet size mapping |
| Vendor.direction | network.direction | Network traffic direction |
| Vendor.ip_protocol | network.transport | |
| Vendor.protocol | network.transport | Network protocol mapping |
| Vendor.origin_ids; | observer.egress.interface.id | |
| Vendor.origin_ids; | observer.ingress.interface.id | |
| Vendor.session_id | process.entity_id | |
| Vendor.attack_classification | rule.category | |
| Vendor.signature_method | rule.description | |
| Vendor.firewall_rule_id | rule.id | |
| Vendor.rule_id | rule.id | Rule ID mapping |
| Vendor.signature_id | rule.id | |
| Vendor.rule | rule.name | |
| Vendor.ruleset_id | rule.uuid | Rule UUID mapping |
| Vendor.signature_list_id | rule.uuid | |
| Vendor.internal_client_ip | source.address | Client IP address mapping |
| Vendor.internal_ip | source.address | Direct mapping for internal IP address |
| Vendor.data_center | source.geo.name | |
| Vendor.source_ip | source.ip | |
| source.address; | source.ip | |
| Vendor.external_client_ip | source.nat.ip | External client IP mapping |
| Vendor.external_ip | source.nat.ip | NAT IP mapping |
| Vendor.source_port | source.port | |
| Vendor.url | url.original | URL mapping |
| Vendor.email | user.email | |
| Vendor.user | user.name | |
| Vendor.user_agent | user_agent.original | User agent string mapping |
| Vendor.cves | vulnerability.reference |