Parsers and Generated Fields
Tag Fields Created by Parser cisco-umbrella
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-umbrella
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.timestamp | @timestamp | Event timestamp in UTC | Parsed from Vendor.timestamp using parseTimestamp() with format detection |
| Vendor.internal_ip, Vendor.internal_client_ip | client.address | Client IP address | Copied from Vendor.internal_ip or Vendor.internal_client_ip, converted to lowercase |
| client.address | client.domain | Client domain when not IP | Conditional assignment when client.address is not valid IP |
| client.address | client.ip | Client IP when valid | Conditional assignment when client.address is valid IPv4/IPv6 |
| source.port | client.port | Client port number | Copied from source.port |
| Vendor.aws_region | cloud.region | Cloud region | Copied from Vendor.aws_region |
| Vendor.destination_ip | destination.address | Destination IP address | Copied from Vendor.destination_ip, converted to lowercase |
| Vendor.destination, Vendor.fqdns | destination.domain | Destination domain name | Copied from Vendor.destination or Vendor.fqdns, converted to lowercase |
| destination.address | destination.ip | Destination IP when valid | Conditional assignment when destination.address is valid IPv4/IPv6 |
| Vendor.destination_port | destination.port | Destination port number | Copied from Vendor.destination_port when numeric |
| Vendor.domain | dns.question.name | DNS query domain | Copied from Vendor.domain |
| Vendor.query_type | dns.question.type | DNS query type | Copied from Vendor.query_type |
| Vendor.response_code | dns.response_code | DNS response code | Copied from Vendor.response_code |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.certificate_errors | error.message | Error message | Copied from Vendor.certificate_errors |
| Vendor.action | event.action | Action taken by the system | Copied from Vendor.action, converted to lowercase |
| None | event.category[] | Event categorization array | Array populated based on log type |
| None | event.dataset | Dataset identifier for log type | Conditional assignment based on log type |
| Vendor.id, Vendor.unique_event_id | event.id | Unique event identifier | Copied from Vendor.id or Vendor.unique_event_id |
| None | event.kind | Event classification | Static value: event |
| None | event.module | Module name | Static value: umbrella |
| Vendor.amp_score | event.risk_score | Risk score | Copied from Vendor.amp_score |
| Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity to numeric values |
| Vendor.action | event.type[] | Event type classification | Array populated based on action and log type |
| Vendor.sha256 | file.hash.sha256 | SHA256 hash of file | Copied from Vendor.sha256, converted to lowercase |
| Vendor.content_type | file.mime_type | File MIME type | Copied from Vendor.content_type |
| Vendor.filename, Vendor.name | file.name | File name | Copied from Vendor.filename or Vendor.name |
| Vendor.owner | file.owner | File owner | Copied from Vendor.owner |
| Vendor.file_size | file.size | File size in bytes | Copied from Vendor.file_size |
| Vendor.request_size | http.request.bytes | HTTP request size in bytes | Copied from Vendor.request_size |
| Vendor.request_method | http.request.method | HTTP request method | Copied from Vendor.request_method |
| Vendor.content_type | http.request.mime_type | HTTP request content type | Copied from Vendor.content_type |
| Vendor.referer | http.request.referrer | HTTP referrer header | Copied from Vendor.referer |
| Vendor.response_body_size | http.response.body.bytes | HTTP response body size | Copied from Vendor.response_body_size |
| Vendor.response_size | http.response.bytes | HTTP response size in bytes | Copied from Vendor.response_size |
| Vendor.status_code | http.response.status_code | HTTP response status code | Copied from Vendor.status_code |
| Vendor.signature_message | message | Event message | Copied from Vendor.signature_message |
| Vendor.application, Vendor.application_entity_name | network.application | Network application | Copied from Vendor.application or Vendor.application_entity_name |
| Vendor.packet_size | network.bytes | Network packet size | Copied from Vendor.packet_size |
| Vendor.direction, Vendor.traffic_direction | network.direction | Network traffic direction | Mapped from Vendor.direction or Vendor.traffic_direction |
| Vendor.protocol | network.iana_number | IANA protocol number | Copied from Vendor.protocol |
| Vendor.ip_protocol | network.transport | Network transport protocol | Copied from Vendor.ip_protocol, converted to lowercase |
| None | network.type | Network type (ipv4/ipv6) | Conditional assignment based on IP address validation |
| Vendor.origin_ids | observer.egress.interface.id | Egress interface ID | Copied from Vendor.origin_ids when direction is outbound |
| Vendor.origin_ids | observer.ingress.interface.id | Ingress interface ID | Copied from Vendor.origin_ids when direction is inbound |
| Vendor.organization_id | organization.id | Organization identifier | Copied from Vendor.organization_id |
| Vendor.attack_classification | rule.category | Rule category | Copied from Vendor.attack_classification |
| Vendor.signature_method | rule.description | Rule description | Copied from Vendor.signature_method |
| Vendor.rule_id, Vendor.signature_id, Vendor.firewall_rule_id | rule.id | Rule identifier | Copied from Vendor.rule_id, Vendor.signature_id, or Vendor.firewall_rule_id using coalesce |
| Vendor.rule | rule.name | Rule name | Copied from Vendor.rule |
| Vendor.ruleset_id, Vendor.signature_list_id | rule.ruleset | Rule ruleset | Copied from Vendor.ruleset_id or Vendor.signature_list_id |
| destination.address | server.address | Server IP address | Copied from destination.address |
| server.address | server.domain | Server domain when not IP | Conditional assignment when server.address is not valid IP |
| server.address | server.ip | Server IP when valid | Conditional assignment when server.address is valid IPv4/IPv6 |
| destination.port | server.port | Server port number | Copied from destination.port |
| Vendor.source_ip, Vendor.internal_client_ip, Vendor.external_client_ip | source.address | Source IP address | Copied from Vendor.source_ip or Vendor.internal_client_ip, with fallback to Vendor.external_client_ip, converted to lowercase |
| source.address | source.domain | Source domain when not IP | Conditional assignment when source.address is not valid IP |
| Vendor.data_center | source.geo.name | Source geographic location | Copied from Vendor.data_center |
| source.address | source.ip | Source IP when valid | Conditional assignment when source.address is valid IPv4/IPv6 |
| Vendor.egress_ip, Vendor.external_client_ip | source.nat.ip | Source NAT IP address | Copied from Vendor.egress_ip or Vendor.external_client_ip |
| Vendor.source_port | source.port | Source port number | Copied from Vendor.source_port |
| Vendor.amp_malware_name | threat.software.name | Threat software name | Copied from Vendor.amp_malware_name |
| Vendor.amp_malware_name | threat.software.type | Threat software type | Static value: Malware when amp_malware_name exists |
| Vendor.url | url.original | Original URL | Copied from Vendor.url |
| Vendor.identity, Vendor.email | user.email | User email address | Extracted from Vendor.identity using regex or copied from Vendor.email |
| Vendor.identity | user.full_name | User full name | Extracted from Vendor.identity using regex |
| Vendor.identity, Vendor.user | user.name | User name | Extracted from Vendor.identity using regex or copied from Vendor.user |
| Vendor.user_agent | user_agent.original | User agent string | Copied from Vendor.user_agent using coalesce function |
| Vendor.cves | vulnerability.id | CVE reference | Copied from Vendor.cves |
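As an added example, not the parser's own code, the following Python applies a subset of the mapping rules in the table above to a raw Umbrella record: the coalesce ("A or B") sources, lowercasing, the valid-IP check that decides between `.ip` and `.domain`, the `server.*` copy from `destination.*`, and the numeric guard on `destination.port`. It assumes the input is a dict keyed by the vendor field names without the `Vendor.` prefix, and that `network.type` follows the first valid address seen, since the table does not name which address drives it.

```python
import ipaddress

def coalesce(record, *keys):
    """First present, non-empty value among keys (the table's 'A or B' / coalesce mappings)."""
    for key in keys:
        value = record.get(key)
        if value not in (None, ""):
            return value
    return None

def parse_ip(value):
    """ip_address object when value is a valid IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def split_address(prefix, address, out):
    """Set <prefix>.address, then <prefix>.ip or <prefix>.domain depending on validity."""
    if address is None:
        return
    address = str(address).lower()  # the table lowercases these address fields
    out[f"{prefix}.address"] = address
    ip = parse_ip(address)
    if ip is None:
        out[f"{prefix}.domain"] = address
        return
    out[f"{prefix}.ip"] = address
    # Assumption: network.type follows the first valid address seen; the table only
    # says "based on IP address validation" without naming the field.
    out.setdefault("network.type", "ipv4" if ip.version == 4 else "ipv6")

def map_umbrella(record):
    """Map a dict of raw Umbrella fields (keys without the 'Vendor.' prefix) to CPS fields."""
    out = {"ecs.version": "9.2.0", "event.kind": "event", "event.module": "umbrella"}
    split_address("client", coalesce(record, "internal_ip", "internal_client_ip"), out)
    split_address("destination", record.get("destination_ip"), out)
    split_address("source", coalesce(record, "source_ip", "internal_client_ip", "external_client_ip"), out)
    if "destination.address" in out:  # server.* is copied from destination.*
        split_address("server", out["destination.address"], out)
    if record.get("action"):
        out["event.action"] = str(record["action"]).lower()
    rule_id = coalesce(record, "rule_id", "signature_id", "firewall_rule_id")
    if rule_id is not None:
        out["rule.id"] = rule_id
    port = record.get("destination_port")
    if str(port).isdigit():  # destination.port only "when numeric"
        out["destination.port"] = int(port)
    return out
```

Feeding it a constructed record such as `{"internal_ip": "Workstation-01"}` yields `client.domain = "workstation-01"` and no `client.ip`, which is the behaviour to verify when a hostname arrives in a field that is usually an IP.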