Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser cloudflare-one

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser cloudflare-one

Vendor Field	CPS Field	Description
__tmp_event	@rawstring	Renamed temporary event field
__tmp_event	@rawstring
x.content_type_computed	_emailattachments
x.md5	_emailattachments
x.name	_emailattachments
x.sha1	_emailattachments
x.sha256	_emailattachments
Vendor.ClientASN	client.as.number	Client ASN
Vendor.ClientRequestHost	client.domain	Client request host (converted to lowercase)
Vendor.ClientIP	client.ip	Client IP
Vendor.IPAddress	client.ip	Client IP address
Vendor.ClientSrcPort	client.port	Client source port
Vendor.BytesReceived	destination.bytes	Bytes received
Vendor.SNI	destination.domain,	Server Name Indication
Vendor.DestinationIP	destination.ip	Destination IP for HTTP logs
Vendor.DstIP	destination.ip	Destination IP address for DNS logs
Vendor.IPDestinationAddress	destination.ip	IP destination address
Vendor.OriginIP	destination.ip	Origin IP
Vendor.DestinationPort	destination.port	Destination port
Vendor.DstPort	destination.port	Destination port for DNS logs when > 0
Vendor.OriginPort	destination.port	Origin port
host.id	device.id
host.name	device.model.identifier
Vendor.RData[0].data	dns.answers[0].data
Vendor.RData[0].type	dns.answers[0].type
Vendor.RData[1].data	dns.answers[1].data
Vendor.RData[1].type	dns.answers[1].type
Vendor.RData[2].data	dns.answers[2].data
Vendor.RData[2].type	dns.answers[2].type
Vendor.RData[3].data	dns.answers[3].data
Vendor.RData[3].type	dns.answers[3].type
Vendor.RData[4].data	dns.answers[4].data
Vendor.RData[4].type	dns.answers[4].type
Vendor.RData[n].data	dns.answers[n].data	DNS answer data
Vendor.RData[n].type	dns.answers[n].type	DNS answer type
Vendor.QueryName	dns.question.name	DNS query name
Vendor.QueryTypeName	dns.question.type	DNS query type
Vendor.ResolvedIPs	dns.resolved_ip	Resolved IP addresses
Vendor.RCode	dns.response_code	DNS response code (0=success, >0=failure)
Vendor.event.attachments[].md5	email.attachments[].file.hash.md5	Email attachment MD5 hash
Vendor.event.attachments[].sha1	email.attachments[].file.hash.sha1	Email attachment SHA1 hash
Vendor.event.attachments[].sha256	email.attachments[].file.hash.sha256	Email attachment SHA256 hash
Vendor.event.attachments[].content_type_computed	email.attachments[].file.mime_type	Email attachment MIME type
Vendor.event.attachments[].name	email.attachments[].file.name	Email attachment name
Vendor.event.from	email.from.address[0]	Email from address (converted to lowercase)
Vendor.event.envelope_from	email.sender.address	Email sender address (converted to lowercase)
Vendor.event.subject	email.subject	Email subject
Vendor.event.to[n]	email.to.address[n]	Email to address
Vendor.Action	event.action	Action taken
Vendor.ActionType	event.action	Action type for audit logs
Vendor.ConnectionCloseReason	event.action	Connection close reason (coalesced with ResolverDecision)
Vendor.ResolverDecision	event.action	Resolver decision (coalesced with ConnectionCloseReason)
Vendor.SecurityAction	event.action	Security action for zone-scoped-http-requests
Vendor.SessionID	event.id	Session ID
Vendor.event.alert_id	event.id	Alert ID
@rawstring	event.original	Original raw string for first event in batch
@rawstring	event.original.hash.sha256	SHA256 hash for batched event tracking
Vendor.ActionResult	event.outcome	Action result (true=success, false=failure)
Vendor.Allowed	event.outcome	Whether access was allowed (true=success, false=failure)
Vendor.DevicePostureEvaluationResult	event.outcome	Device posture evaluation result
Vendor.Interface	event.provider	Interface
Vendor.PurposeJustificationPrompt	event.reason	Purpose justification prompt
Vendor.event.alert_reasons	event.reason,	Alert reasons (concatenated)
Vendor.WAFAttackScore	event.risk_score	WAF attack score
Vendor.FindingTypeSeverity	event.severity,	Finding severity (Low=1, Medium=2, High=3, Critical=4)
Vendor.BlockedFileHash	file.hash.sha256	Blocked file hash (converted to lowercase)
Vendor.BlockedFileName	file.name	Blocked file name
Vendor.BlockedFileSize	file.size	Blocked file size
Vendor.DeviceID	host.id
Vendor.DeviceID	host.id,	Device identifier
Vendor.DeviceName	host.name
Vendor.DeviceName	host.name,	Device name
Vendor.DeviceType	host.os.family	Device type
Vendor.OSVersion	host.os.version	OS version
Vendor.ClientRequestMethod	http.request.method	Client request method
Vendor.HTTPMethod	http.request.method	HTTP method
Vendor.ClientRequestReferer	http.request.referrer	Client request referrer
Vendor.Referer	http.request.referrer	HTTP referrer
Vendor.EdgeResponseStatus	http.response.status_code	Edge response status
Vendor.HTTPStatusCode	http.response.status_code	HTTP status code
Vendor.HTTPVersion	http.version	HTTP version
Vendor.SignatureMessage	message	Signature message
Vendor.Direction	network.direction	Network direction
Vendore.Direction	network.direction
Vendor.ClientRequestScheme	network.protocol	Client request scheme (converted to lowercase)
Vendor.Protocol	network.protocol	Network protocol
Vendor.Protocol	network.transport
Vendor.Transport	network.transport	Transport protocol
Vendor.VirtualNetworkID	network.vlan.id	Virtual network ID
Vendor.Offramp	observer.egress.interface.name	Egress interface name
Vendor.host	observer.name	Observer name
Vendor.PostureCheckType	rule.category	Posture check type
Vendor.PolicyID	rule.id	Policy ID
Vendor.PostureCheckName	rule.name	Posture check name
Vendor.event.smtp_helo_server_name	server.address	SMTP server name (converted to lowercase)
Vendor.event.smtp_helo_server_ip_geo	server.geo.country_iso_code,	SMTP server geo information
Vendor.event.smtp_helo_server_ip	server.ip	SMTP server IP
Vendor.AppUUID	service.id	Application UUID
Vendor.BytesSent	source.bytes	Bytes sent
Vendor.ColoCity	source.geo.city_name	Colo city
Vendor.ClientCountry	source.geo.country_iso_code	Client country
Vendor.Country	source.geo.country_iso_code	Country
Vendor.ColoCode	source.geo.region_name	Colo code
Vendor.ActorIP	source.ip	Actor IP for audit logs
Vendor.IPSourceAddress	source.ip	IP source address
Vendor.SourceIP	source.ip	Source IP for HTTP logs
Vendor.SrcIP	source.ip	Source IP address for DNS logs
Vendor.SourcePort	source.port	Source port for HTTP logs when > 0
Vendor.SrcPort	source.port	Source port for DNS logs when > 0
event.reason	threat.indicator.description
Vendor.ClientSSLCipher	tls.cipher	Client SSL cipher
Vendor.ClientTLSCipher	tls.cipher	Client TLS cipher
Vendor.SNI	tls.client.server_name
Vendor.OriginTLSCertificateIssuer	tls.server.issuer	Origin TLS certificate issuer
Vendor.ClientTLSVersion	tls.version	Client TLS version
Vendor.ClientSSLProtocol	tls.version_protocol	Client SSL protocol
Vendor.CreatedAt	ts
Vendor.Datetime	ts
Vendor.DetectedTimestamp	ts
Vendor.EdgeStartTimestamp	ts
Vendor.SessionStartTime	ts
Vendor.Timestamp	ts
Vendor.When	ts
Vendor.time	ts
Vendor.AppDomain	url.domain	Application domain (converted to lowercase)
Vendor.AssetLink	url.original	Asset link
Vendor.URL	url.original	Original URL
Vendor.ActorEmail	user.email	Actor email for audit logs (converted to lowercase)
Vendor.Email	user.email	User email address (converted to lowercase)
Vendor.ActorID	user.id	Actor ID for audit logs
Vendor.UserID	user.id	User identifier
Vendor.UserUID	user.id	User UID
Vendor.ClientRequestUserAgent	user_agent.original	Client request user agent
Vendor.UserAgent	user_agent.original	User agent string
Vendor.ClientVersion	user_agent.version	Client version
Vendor.FindingTypeDisplayName	vulnerability.description	Finding description

Enter search term