Parsers and Generated Fields

Tag Fields Created by Parser cloudflare-one
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser cloudflare-one
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.Datetime, Vendor.When, Vendor.CreatedAt, Vendor.DetectedTimestamp, Vendor.Timestamp, Vendor.SessionStartTime, Vendor.EdgeStartTimestamp, Vendor.time, Vendor.EventTimestampMs, Vendor.ActionTimestamp | @timestamp | Event timestamp | Parsed from multiple timestamp fields using coalesce and conditional logic |
| Vendor.IPAddress, Vendor.ClientIP, Vendor.ClientAddress, Vendor.HTTPClientIPAddress, Vendor.ISPIPv4Address | client.address | Client address | Copied from vendor client fields |
| Vendor.ClientASN, Vendor.HTTPClientIPASN | client.as.number | Client AS number | Copied from vendor AS number fields |
| Vendor.HTTPClientIPASO | client.as.organization.name | Client AS organization | Copied from Vendor.HTTPClientIPASO |
| Vendor.NetworkSentBPS | client.bytes | Client bytes sent | Copied from Vendor.NetworkSentBPS |
| Vendor.ClientRequestHost | client.domain | Client domain | Copied from Vendor.ClientRequestHost and converted to lowercase |
| Vendor.HTTPClientIPCity, Vendor.ISPIPv4City | client.geo.city_name | Client city | Copied from vendor city fields |
| Vendor.HTTPClientIPCountryISO, Vendor.ISPIPv4CountryISO | client.geo.country_iso_code | Client country code | Copied from vendor country fields |
| Vendor.HTTPClientIPZip, Vendor.ISPIPv4Zip | client.geo.postal_code | Client postal code | Copied from vendor postal fields |
| Vendor.HTTPClientIPStateISO, Vendor.ISPIPv4StateISO | client.geo.region_iso_code | Client region code | Copied from vendor region fields |
| client.address | client.ip | Client IP address | Extracted when client.address is a valid IP |
| Vendor.ClientSrcPort | client.port | Client port | Copied from Vendor.ClientSrcPort |
| Vendor.AccountID | cloud.account.id | Cloud account ID | Copied from Vendor.AccountID |
| Vendor.DstIP, Vendor.DestinationIP, Vendor.OriginIP, Vendor.IPDestinationAddress, Vendor.RemoteIP, Vendor.DestAddr | destination.address | Destination address | Copied from vendor destination fields with IP/port parsing |
| Vendor.BytesReceived | destination.bytes | Destination bytes received | Copied from Vendor.BytesReceived |
| Vendor.SNI | destination.domain | Destination domain | Copied from vendor domain fields and converted to lowercase |
| destination.address | destination.ip | Destination IP address | Extracted when destination.address is a valid IP |
| Vendor.DstPort, Vendor.DestinationPort, Vendor.OriginPort, Vendor.RemotePort | destination.port | Destination port | Copied from vendor destination port fields or extracted from address |
| host.id | device.id | Device identifier | Copied from host.id |
| Vendor.RData[].data | dns.answers[].data | DNS answer data | Copied from Vendor.RData[].data |
| Vendor.RData[].type | dns.answers[].type | DNS answer types | Copied from Vendor.RData[].type |
| Vendor.QueryName | dns.question.name | DNS question name | Copied from Vendor.QueryName |
| Vendor.QueryTypeName, Vendor.QueryType | dns.question.type | DNS question type | Copied from vendor query type fields |
| Vendor.ResolvedIPs | dns.resolved_ip | DNS resolved IPs | Parsed from concatenated Vendor.ResolvedIPs |
| Vendor.RCode, Vendor.ClientResponseCode | dns.response_code | DNS response code | Mapped from vendor response codes |
| None | ecs.version | ECS version | Static value: 9.2.0 |
| Vendor.event.attachments[].md5, Vendor.Attachments[].Md5 | email.attachments[].file.hash.md5 | Email attachment MD5 hashes | Extracted from vendor attachment arrays and converted to lowercase |
| Vendor.event.attachments[].sha1, Vendor.Attachments[].Sha1 | email.attachments[].file.hash.sha1 | Email attachment SHA1 hashes | Extracted from vendor attachment arrays and converted to lowercase |
| Vendor.event.attachments[].sha256, Vendor.Attachments[].Sha256 | email.attachments[].file.hash.sha256 | Email attachment SHA256 hashes | Extracted from vendor attachment arrays and converted to lowercase |
| Vendor.event.attachments[].content_type_computed, Vendor.Attachments[].ContentTypeComputed | email.attachments[].file.mime_type | Email attachment MIME types | Extracted from vendor attachment arrays |
| Vendor.event.attachments[].name, Vendor.Attachments[].Name | email.attachments[].file.name | Email attachment names | Extracted from vendor attachment arrays |
| Vendor.event.from, Vendor.From | email.from.address[] | Email from addresses | Copied from vendor from fields and converted to lowercase |
| Vendor.event.message_id, Vendor.MessageID | email.message_id | Email message ID | Copied from vendor message ID fields |
| Vendor.event.replyto | email.reply_to.address[] | Email reply-to addresses | Copied from Vendor.event.replyto |
| Vendor.event.envelope_from | email.sender.address | Email sender address | Copied from Vendor.event.envelope_from and converted to lowercase |
| Vendor.event.subject, Vendor.Subject | email.subject | Email subject | Copied from vendor subject fields |
| Vendor.event.to[], Vendor.To[] | email.to.address[] | Email to addresses | Copied from vendor to arrays and converted to lowercase |
| Vendor.Error | error.message | Error message | Copied from Vendor.Error |
| Vendor.Action, Vendor.SecurityAction, Vendor.ActionType, Vendor.ConnectionCloseReason, Vendor.ResolverDecision | event.action | Action taken | Copied from vendor action fields or coalesced values |
| event.dataset | event.category[] | Event categories | Array populated based on dataset conditions |
| @s3.object.key, various Vendor fields | event.dataset | Event dataset | Extracted from S3 object key or determined by vendor fields |
| Vendor.HTTPResponseEndMs, Vendor.HTTPRequestStartMs | event.duration | Event duration | Calculated as HTTPResponseEndMs - HTTPRequestStartMs |
| Vendor.HTTPResponseEndMs | event.end | Event end time | Copied from Vendor.HTTPResponseEndMs |
| Vendor.SessionID, Vendor.event.alert_id, Vendor.AlertID | event.id | Event identifier | Copied from vendor session or alert IDs |
| None | event.kind | Event kind | Static value: event (or alert for email-security-alerts, state for dex-device-state) |
| None | event.module | Event module | Static value: zerotrust |
| Vendor.ActionResult, Vendor.Allowed, Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus, Vendor.ConnectionCloseReason, Vendor.ClientResponseCode, Vendor.Exceptions | event.outcome | Event outcome | Determined by action results and status codes |
| Vendor.Interface | event.provider | Event provider | Copied from Vendor.Interface |
| Vendor.PurposeJustificationPrompt, Vendor.event.alert_reasons, Vendor.AlertReasons | event.reason | Event reason | Copied from vendor fields or concatenated alert reasons |
| Vendor.WAFAttackScore | event.risk_score | WAF attack score | Copied from Vendor.WAFAttackScore |
| event.risk_score, Vendor.FindingTypeSeverity | event.severity | Event severity | Mapped from risk score ranges or finding severity |
| Vendor.HTTPRequestStartMs | event.start | Event start time | Copied from Vendor.HTTPRequestStartMs |
| event.dataset, Vendor.Action, Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus | event.type[] | Event types | Array populated based on dataset and action conditions |
| Vendor.BlockedFileType | file.extension | File extension | Copied from Vendor.BlockedFileType |
| Vendor.BlockedFileHash | file.hash.sha256 | File SHA256 hash | Copied from Vendor.BlockedFileHash and converted to lowercase |
| Vendor.BlockedFileName | file.name | File name | Copied from vendor file name fields |
| Vendor.BlockedFileSize | file.size | File size | Copied from Vendor.BlockedFileSize |
| Vendor.DeviceID | host.id | Host identifier | Copied from Vendor.DeviceID |
| Vendor.DeviceIPv4Address, Vendor.DeviceIPv6Address | host.ip[] | Host IP addresses | Array populated from device IP addresses |
| Vendor.DeviceName, Vendor.Hostname, Vendor.TracerouteDestinationHostname | host.name | Host name | Copied from vendor hostname fields |
| Vendor.DeviceType | host.os.family | Host OS family | Copied from Vendor.DeviceType |
| Vendor.ClientPlatform | host.os.type | Host OS type | Copied from Vendor.ClientPlatform |
| Vendor.OSVersion, Vendor.ClientVersion | host.os.version | Host OS version | Copied from vendor version fields |
| Vendor.HTTPMethod, Vendor.ClientRequestMethod, Vendor.Event.Request.Method, Vendor.Method | http.request.method | HTTP request method | Copied from vendor HTTP method fields |
| Vendor.Headers.Content-Type | http.request.mime_type | HTTP request MIME type | Extracted from Vendor.Headers.Content-Type for the request phase |
| Vendor.Referer, Vendor.ClientRequestReferer | http.request.referrer | HTTP request referrer | Copied from vendor referrer fields |
| Vendor.HTTPResponseBodyBytes | http.response.body.bytes | HTTP response body bytes | Copied from Vendor.HTTPResponseBodyBytes |
| Vendor.Headers.Content-Type | http.response.mime_type | HTTP response MIME type | Extracted from Vendor.Headers.Content-Type for the response phase |
| Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus, Vendor.Event.Response.Status | http.response.status_code | HTTP response status | Copied from vendor status code fields |
| Vendor.HTTPVersion | http.version | HTTP version | Extracted from Vendor.HTTPVersion using regex |
| Vendor.Level | log.level | Log level | Copied from Vendor.Level |
| Vendor.SignatureMessage, Vendor.Message | message | Message content | Copied from vendor message fields |
| source.bytes, destination.bytes | network.bytes | Total network bytes | Calculated as source.bytes + destination.bytes |
| Vendor.Direction | network.direction | Network direction | Copied from Vendor.Direction |
| Vendor.Protocol, Vendor.ClientRequestScheme | network.protocol | Network protocol | Copied from vendor protocol fields and converted to lowercase |
| Vendor.Transport, Vendor.Protocol, Vendor.QueryTCP | network.transport | Network transport | Copied from vendor transport fields or determined by query type |
| Vendor.HTTPServerIPVersion | network.type | Network type | Copied from Vendor.HTTPServerIPVersion and converted to lowercase |
| Vendor.VirtualNetworkID | network.vlan.id | Network VLAN ID | Copied from Vendor.VirtualNetworkID |
| Vendor.Offramp | observer.egress.interface.name | Observer egress interface | Copied from Vendor.Offramp |
| Vendor.host | observer.name | Observer name | Copied from Vendor.host |
| Vendor.SessionEndDatetime | process.end | Process end time | Copied from Vendor.SessionEndDatetime |
| Vendor.SessionStartDatetime | process.start | Process start time | Copied from Vendor.SessionStartDatetime |
| Vendor.PTY | process.tty | Process TTY | Copied from Vendor.PTY |
| Vendor.PostureCheckType | rule.category | Rule category | Copied from Vendor.PostureCheckType |
| Vendor.WAFRuleMessage | rule.description | Rule description | Copied from Vendor.WAFRuleMessage |
| Vendor.PolicyID, Vendor.TriggeredRuleID | rule.id | Rule ID | Copied from vendor rule fields |
| Vendor.PostureCheckName, Vendor.PolicyName | rule.name | Rule name | Copied from vendor rule fields |
| Vendor.event.smtp_helo_server_name, Vendor.ServerAddress, Vendor.HTTPServerIPAddress | server.address | Server address | Copied from vendor server fields |
| Vendor.event.smtp_helo_server_ip_as_number, Vendor.HTTPServerIPASN | server.as.number | Server AS number | Copied from vendor AS fields |
| Vendor.HTTPServerIPASO | server.as.organization.name | Server AS organization | Copied from Vendor.HTTPServerIPASO |
| Vendor.NetworkReceivedBPS | server.bytes | Server bytes received | Copied from Vendor.NetworkReceivedBPS |
| server.address | server.domain | Server domain | Extracted when server.address is not a valid IP |
| Vendor.HTTPServerIPCity | server.geo.city_name | Server city | Copied from Vendor.HTTPServerIPCity |
| Vendor.HTTPServerIPCountryISO | server.geo.country_iso_code | Server country code | Copied from vendor country fields |
| Vendor.HTTPServerIPZip | server.geo.postal_code | Server postal code | Copied from Vendor.HTTPServerIPZip |
| Vendor.HTTPServerIPStateISO | server.geo.region_iso_code | Server region code | Copied from Vendor.HTTPServerIPStateISO |
| server.address | server.ip | Server IP address | Extracted when server.address is a valid IP |
| Vendor.AppUUID | service.id | Service ID | Copied from Vendor.AppUUID |
| Vendor.SrcIP, Vendor.SourceIP, Vendor.ActorIP, Vendor.ActorIPAddress, Vendor.IPSourceAddress, Vendor.LocalIP, Vendor.SrcAddr | source.address | Source address | Copied from vendor source fields with IP/port parsing |
| Vendor.BytesSent | source.bytes | Source bytes sent | Copied from Vendor.BytesSent |
| Vendor.ColoCity | source.geo.city_name | Source city name | Copied from Vendor.ColoCity |
| Vendor.Country, Vendor.ClientCountry | source.geo.country_iso_code | Source country code | Copied from vendor country fields |
| Vendor.ColoCode | source.geo.region_name | Source region name | Copied from Vendor.ColoCode |
| source.address | source.ip | Source IP address | Extracted when source.address is a valid IP |
| Vendor.SrcPort, Vendor.SourcePort, VendorLocalPort | source.port | Source port | Copied from vendor source port fields or extracted from address |
| event.risk_score | threat.indicator.confidence | Threat indicator confidence | Mapped from event.risk_score ranges |
| event.reason | threat.indicator.description | Threat indicator description | Copied from event.reason |
| Vendor.ClientSSLCipher, Vendor.ClientTLSCipher | tls.cipher | TLS cipher | Copied from vendor cipher fields |
| Vendor.SNI | tls.client.server_name | TLS server name | Copied from Vendor.SNI |
| Vendor.OriginTLSCertificateIssuer | tls.server.issuer | TLS server issuer | Copied from Vendor.OriginTLSCertificateIssuer |
| Vendor.ClientTLSVersion | tls.version | TLS version | Extracted from Vendor.ClientTLSVersion using regex |
| Vendor.ClientSSLProtocol | tls.version_protocol | TLS version protocol | Copied from Vendor.ClientSSLProtocol |
| url.original, Vendor.AppDomain | url.domain | URL domain | Parsed from URL and converted to lowercase |
| Vendor.URL, Vendor.AssetLink, Vendor.HTTPURL, Vendor.Event.Request.URL | url.original | Original URL | Copied from vendor URL fields |
| Vendor.Email, Vendor.ActorEmail, Vendor.UserEmail | user.email | User email address | Copied from vendor email fields and converted to lowercase |
| Vendor.UserID, Vendor.ActorID, Vendor.UserUID | user.id | User identifier | Copied from vendor user ID fields |
| Vendor.Username | user.name | User name | Copied from Vendor.Username |
| Vendor.UserAgent, Vendor.ClientRequestUserAgent, Vendor.Event.Request.Headers.User-Agent | user_agent.original | User agent string | Copied from vendor user agent fields |
| Vendor.ClientVersion | user_agent.version | User agent version | Copied from Vendor.ClientVersion |
| Vendor.FindingTypeDisplayName | vulnerability.description | Vulnerability description | Copied from Vendor.FindingTypeDisplayName |
| Vendor.FindingTypeSeverity | vulnerability.severity | Vulnerability severity | Copied from Vendor.FindingTypeSeverity |
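As an added example (not the cloudflare-one parser's own code), the destination.* rows of the table above re-implemented in Python so that parser output can be checked against a constructed record: coalescing the vendor destination fields, splitting an IP/port pair, populating destination.ip only for a valid IP, and lowercasing the domain. The priority order inside a row and the bracketed [IPv6]:port form are assumptions.

```python
import ipaddress

# Added example (not the cloudflare-one parser's own code): re-implements the
# destination.* rows above; priority order inside a row is an assumption.
DEST_ADDR_FIELDS = ["DstIP", "DestinationIP", "OriginIP",
                    "IPDestinationAddress", "RemoteIP", "DestAddr"]
DEST_PORT_FIELDS = ["DstPort", "DestinationPort", "OriginPort", "RemotePort"]

def coalesce(vendor: dict, names: list) -> object:
    """First non-empty vendor field in priority order, else None."""
    for name in names:
        if vendor.get(name) not in (None, ""):
            return vendor[name]
    return None

def split_address(raw) -> tuple:
    """Split 'host:port' into (host, port); '[v6]:port' form is assumed."""
    raw = str(raw).strip()
    if raw.startswith("["):                    # [2001:db8::1]:443
        host, _, rest = raw[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif raw.count(":") == 1:                  # 203.0.113.5:443 or name:443
        host, _, port = raw.partition(":")
    else:                                      # bare IPv4, IPv6 or hostname
        host, port = raw, ""
    return host, (int(port) if port.isdigit() else None)

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def map_destination(vendor: dict) -> dict:
    """destination.address / .ip / .port / .domain as the table describes."""
    out = {}
    raw = coalesce(vendor, DEST_ADDR_FIELDS)
    if raw is not None:
        host, port_in_addr = split_address(raw)
        out["destination.address"] = host
        if is_ip(host):                        # only a valid IP lands in .ip
            out["destination.ip"] = host
        port = coalesce(vendor, DEST_PORT_FIELDS)
        port = int(port) if port is not None else port_in_addr
        if port is not None:
            out["destination.port"] = port
    if vendor.get("SNI"):                      # domain is lowercased
        out["destination.domain"] = str(vendor["SNI"]).lower()
    return out
```

A hostname in the address field yields only destination.address, matching the "valid IP" condition on the destination.ip row.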