Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser claroty-ctd

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser claroty-ctd

Source Field	CPS Field	Description	Mapping
Vendor.ext.CtdDestinationHost	destination.domain	Destination hostname (converted to lowercase)	Copied with lowercase conversion
Vendor.ext.CtdDestinationIp	destination.ip	Destination IP address	Direct assignment
Vendor.ext.CtdDestinationMac	destination.mac	Destination MAC address (reformatted with hyphens)	Copied with colon-to-hyphen replacement
None	ecs.version	ECS schema version	Static value: 8.17.0
Vendor.event_class_id	event.category[]	Event categorization (Alert*=threat, others=network)	Array populated based on event_class_id conditions
Vendor.event_class_id	event.kind	Event classification (Alert*=alert, others=event)	Conditional assignment based on event_class_id
None	event.module	Event module identifier	Static value: ctd
Vendor.severity	event.severity	Numeric severity (2=30, 5=50, 7=70, 10=90)	Mapped from severity with numeric conversion
Vendor.event_class_id	event.type[]	Event type (Alert*=indicator, others=info)	Array populated based on event_class_id conditions
Vendor.ext.CtdFilePath	file.path	File path (only for Insight events)	Conditional assignment for Insight events
Vendor.severity	log.level	Severity level mapping (2=low, 5=medium, 7=high, 10=critical)	Mapped from severity with text conversion
None	log.syslog.appname	Syslog application name	Extracted from rawstring using regex pattern
None	log.syslog.hostname	Syslog hostname	Extracted from rawstring using regex pattern
None	log.syslog.msgid	Syslog message ID	Extracted from rawstring using regex pattern
None	log.syslog.priority	Syslog priority value	Extracted from rawstring using regex pattern
None	log.syslog.procid	Syslog process ID	Extracted from rawstring using regex pattern
None	log.syslog.structured_data	Syslog structured data	Extracted from rawstring using regex pattern
Vendor.ext.CtdMessage	message	Message content	Conditional assignment from CtdMessage
Vendor.ext.CtdSourceHost	source.domain	Source hostname (converted to lowercase)	Copied with lowercase conversion
Vendor.ext.CtdSourceIp	source.ip	Source IP address	Direct assignment
Vendor.ext.CtdSourceMac	source.mac	Source MAC address (reformatted with hyphens)	Copied with colon-to-hyphen replacement
Vendor.ext.CtdCveId	vulnerability.id	CVE identifier (only for Insight events)	Conditional assignment for Insight events
Vendor.ext.CtdCveScore	vulnerability.score.base	CVE score (only for Insight events)	Conditional assignment for Insight events

Enter search term