Parsers and Generated Fields
Tag Fields Created by Parser cloudflare-one
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cloudflare-one
| Vendor Field | CPS Field | Description |
|---|---|---|
| Event | @rawstring | |
| Vendor.ClientASN | client.as.number | |
| Vendor.ClientRequestHost | client.domain | |
| Vendor.ClientIP | client.ip | |
| Vendor.IPAddress | client.ip | |
| Vendor.ClientSrcPort | client.port | |
| Vendor.BytesReceived | destination.bytes | |
| Vendor.DestinationIP | destination.ip | |
| Vendor.DstIP | destination.ip | |
| Vendor.IPDestinationAddress | destination.ip | |
| Vendor.OriginIP | destination.ip | |
| Vendor.DestinationPort | destination.port | |
| Vendor.DestinationPort; | destination.port | |
| Vendor.DstPort; | destination.port | |
| Vendor.OriginPort | destination.port | |
| host.id | device.id | |
| host.name | device.model.identifier | |
| Vendor.RData[0].data | dns.answers[0].data | |
| Vendor.RData[0].type | dns.answers[0].type | |
| Vendor.RData[1].data | dns.answers[1].data | |
| Vendor.RData[1].type | dns.answers[1].type | |
| Vendor.RData[2].data | dns.answers[2].data | |
| Vendor.RData[2].type | dns.answers[2].type | |
| Vendor.RData[3].data | dns.answers[3].data | |
| Vendor.RData[3].type | dns.answers[3].type | |
| Vendor.RData[4].data | dns.answers[4].data | |
| Vendor.RData[4].type | dns.answers[4].type | |
| Vendor.QueryName | dns.question.name | |
| Vendor.QueryTypeName | dns.question.type | |
| Vendor.event.subject | email.subject | |
| Vendor.event.to[0] | email.to.address[0] | |
| Vendor.event.to[1] | email.to.address[1] | |
| Vendor.event.to[2] | email.to.address[2] | |
| Vendor.event.to[3] | email.to.address[3] | |
| Vendor.event.to[4] | email.to.address[4] | |
| Vendor.Action | event.action | |
| Vendor.ActionType | event.action | |
| Vendor.ConnectionCloseReason | event.action | |
| Vendor.SessionID | event.id | |
| Vendor.Interface | event.provider | |
| Vendor.PurposeJustificationPrompt | event.reason | |
| Vendor.event.alert_reasons[0]; | event.reason | |
| Vendor.WAFAttackScore | event.risk_score | |
| Vendor.BlockedFileName | file.name | |
| Vendor.BlockedFileSize | file.size | |
| Vendor.DeviceID | host.id | |
| Vendor.DeviceName | host.name | |
| Vendor.DeviceType | host.os.family | |
| Vendor.OSVersion | host.os.version | |
| Vendor.ClientRequestMethod | http.request.method | |
| Vendor.HTTPMethod | http.request.method | |
| Vendor.ClientRequestReferer | http.request.referrer | |
| Vendor.Referer | http.request.referrer | |
| Vendor. | http.response.status_code | |
| Vendor.HTTPStatusCode | http.response.status_code | |
| Vendor.HTTPVersion | http.version | |
| Vendor.SignatureMessage | message | |
| Vendore.Direction | network.direction | |
| Vendor.Protocol | network.protocol | |
| Vendor.Protocol | network.transport | |
| Vendor.Transport | network.transport | |
| Vendor.VirtualNetworkID | network.vlan.id | |
| Vendor.Offramp | observer.egress.interface.name | |
| Vendor.PostureCheckType | rule.category | |
| Vendor.PolicyID | rule.id | |
| Vendor.PostureCheckName | rule.name | |
| Vendor.AppUUID | service.id | |
| Vendor.BytesSent | source.bytes | |
| Vendor.ColoCity | source.geo.city_name | |
| Vendor.ClientCountry | source.geo.country_iso_code | |
| Vendor.Country | source.geo.country_iso_code | |
| Vendor.ColoCode | source.geo.region_name | |
| Vendor.ActorIP | source.ip | |
| Vendor.IPSourceAddress | source.ip | |
| Vendor.SourceIP | source.ip | |
| Vendor.SrcIP | source.ip | |
| Vendor.SourcePort | source.port | |
| Vendor.SourcePort; | source.port | |
| Vendor.SrcPort; | source.port | |
| Vendor.ClientSSLCipher; | tls.cipher | |
| Vendor.ClientTLSCipher; | tls.cipher | |
| Vendor.SNI | tls.client.server_name | |
| Vendor.OriginTLSCertificateIssuer | tls.server.issuer | |
| Vendor.ClientTLSVersion | tls.version | |
| Vendor.ClientSSLProtocol | tls.version_protocol | |
| Vendor.CreatedAt | ts | |
| Vendor.Datetime | ts | |
| Vendor.DetectedTimestamp | ts | |
| Vendor.EdgeStartTimestamp | ts | |
| Vendor.SessionStartTime | ts | |
| Vendor.Timestamp | ts | |
| Vendor.When | ts | |
| Vendor.time | ts | |
| Vendor.AssetLink | url.original | |
| Vendor.URL | url.original | |
| Vendor.ActorEmail | user.email | |
| Vendor.Email | user.email | |
| Vendor.ActorID | user.id | |
| Vendor.UserID | user.id | |
| Vendor.UserUID | user.id | |
| Vendor.ClientRequestUserAgent | user_agent.original | |
| Vendor.UserAgent | user_agent.original | |
| Vendor.ClientVersion | user_agent.version | |
| Vendor.FindingTypeDisplayName | vulnerability.description | |
| Vendor.FindingTypeSeverity | vulnerability.severity |