Parsers and Generated Fields
Tag Fields Created by Parser claroty-ctd
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser claroty-ctd
Vendor Field | CPS Field | Description |
---|---|---|
Vendor.ext.CtdDestinationHost | destination.domain | Destination hostname (converted to lowercase) |
Vendor.ext.CtdDestinationIp | destination.ip | Destination IP address |
Vendor.ext.CtdDestinationMac | destination.mac | Destination MAC address (reformatted with hyphens) |
Vendor.event_class_id | event.category[] | Event categorization (Alert*=threat, others=network) |
Vendor.event_class_id | event.kind | Event classification (Alert*=alert, others=event) |
Vendor.severity | event.severity | Numeric severity (2=30, 5=50, 7=70, 10=90) |
Vendor.event_class_id | event.type[] | Event type (Alert*=indicator, others=info) |
Vendor.ext.CtdFilePath | file.path | File path (only for Insight events) |
Vendor.severity | log.level | Severity level mapping (2=low, 5=medium, 7=high, 10=critical) |
Vendor.ext.CtdMessage | message | Message content |
Vendor.ext.CtdSourceHost | source.domain | Source hostname (converted to lowercase) |
Vendor.ext.CtdSourceIp | source.ip | Source IP address |
Vendor.ext.CtdSourceMac | source.mac | Source MAC address (reformatted with hyphens) |
Vendor.ext.CtdCveId | vulnerability.id | CVE identifier (only for Insight events) |
Vendor.ext.CtdCveScore | vulnerability.score.base | CVE score (only for Insight events) |
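The two tables above describe the transformation without showing it run. The following is an added example, not the parser's own code, that applies the same rules to a constructed event: `Alert*` prefix matching for `event.kind`/`event.category`/`event.type`, the two severity lookups, hostname lowercasing, MAC reformatting with hyphens, and the Insight-only vulnerability fields. It assumes the vendor fields arrive as a flat dict keyed exactly as in the table, that Insight events are recognised by an `Insight` prefix on `Vendor.event_class_id` (the page does not say how the parser detects them), and that malformed IPs or MACs are left unmapped rather than written into typed fields.

```python
import ipaddress
import re

# Severity mappings as documented for the claroty-ctd parser.
SEVERITY_NUMERIC = {"2": 30, "5": 50, "7": 70, "10": 90}
SEVERITY_LEVEL = {"2": "low", "5": "medium", "7": "high", "10": "critical"}

# Fields that are only mapped for Insight events.
INSIGHT_FIELDS = (
    ("Vendor.ext.CtdFilePath", "file.path"),
    ("Vendor.ext.CtdCveId", "vulnerability.id"),
    ("Vendor.ext.CtdCveScore", "vulnerability.score.base"),
)


def normalize_mac(mac):
    """Reformat a MAC with hyphen separators; return None if it is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def valid_ip(value):
    """Only accept syntactically valid IPv4/IPv6 literals for *.ip fields."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalize_ctd_event(vendor):
    """Map a flat dict of Vendor.* fields to the CPS/ECS fields from the table."""
    ecs = {}
    class_id = vendor.get("Vendor.event_class_id", "")
    is_alert = class_id.startswith("Alert")
    is_insight = class_id.startswith("Insight")  # assumption: not stated on the page

    ecs["event.kind"] = "alert" if is_alert else "event"
    ecs["event.category"] = ["threat" if is_alert else "network"]
    ecs["event.type"] = ["indicator" if is_alert else "info"]

    # Unknown severities are left unmapped instead of guessing a level.
    sev = vendor.get("Vendor.severity")
    if sev in SEVERITY_NUMERIC:
        ecs["event.severity"] = SEVERITY_NUMERIC[sev]
        ecs["log.level"] = SEVERITY_LEVEL[sev]

    for side in ("Source", "Destination"):
        prefix = f"Vendor.ext.Ctd{side}"
        out = side.lower()
        host = vendor.get(prefix + "Host")
        if host:
            ecs[f"{out}.domain"] = host.lower()
        ip = vendor.get(prefix + "Ip")
        if ip and valid_ip(ip):
            ecs[f"{out}.ip"] = ip
        mac = vendor.get(prefix + "Mac")
        if mac:
            formatted = normalize_mac(mac)
            if formatted:
                ecs[f"{out}.mac"] = formatted

    message = vendor.get("Vendor.ext.CtdMessage")
    if message:
        ecs["message"] = message

    if is_insight:
        for src, dst in INSIGHT_FIELDS:
            if src in vendor:
                ecs[dst] = vendor[src]
        # ECS stores the base score as a number; assumption: cast when possible.
        if "vulnerability.score.base" in ecs:
            try:
                ecs["vulnerability.score.base"] = float(ecs["vulnerability.score.base"])
            except ValueError:
                del ecs["vulnerability.score.base"]
    return ecs


# Constructed sample events; values are invented for illustration.
SAMPLE_ALERT = {
    "Vendor.event_class_id": "Alert:Policy Violation",
    "Vendor.severity": "7",
    "Vendor.ext.CtdSourceHost": "PLC-01.Example.LOCAL",
    "Vendor.ext.CtdSourceIp": "10.0.0.5",
    "Vendor.ext.CtdSourceMac": "00:1A:2B:3C:4D:5E",
    "Vendor.ext.CtdDestinationHost": "HMI-02",
    "Vendor.ext.CtdDestinationIp": "not-an-ip",
    "Vendor.ext.CtdDestinationMac": "AA:BB:CC",
    "Vendor.ext.CtdMessage": "Unexpected write to controller tag",
    "Vendor.ext.CtdFilePath": "/tmp/ignored-for-alerts",
}

SAMPLE_INSIGHT = {
    "Vendor.event_class_id": "Insight:Vulnerability",
    "Vendor.severity": "10",
    "Vendor.ext.CtdSourceIp": "10.0.0.7",
    "Vendor.ext.CtdCveId": "CVE-0000-00000",  # placeholder identifier
    "Vendor.ext.CtdCveScore": "9.8",
}

if __name__ == "__main__":
    print(normalize_ctd_event(SAMPLE_ALERT))
    print(normalize_ctd_event(SAMPLE_INSIGHT))
```

Note that the alert sample carries a `CtdFilePath`, which the mapping drops because the event is not an Insight event, and that its malformed destination IP and MAC are simply absent from the output rather than polluting `destination.ip`/`destination.mac`; a detection rule keyed on those fields then sees a missing value instead of garbage.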