Parsers and Generated Fields
Tag Fields Created by Parser cloudflare-one
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cloudflare-one
| CPS Field | How Derived | Source Fields |
|---|---|---|
| `event.category[]` | Array | event.dataset |
| `event.type[]` | Array | event.dataset, Vendor.Action, Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus |
| `host.ip[]` | Array | Vendor.DeviceIPv4Address, Vendor.DeviceIPv6Address |
| `event.duration` | Calculated | Vendor.HTTPResponseEndMs, Vendor.HTTPRequestStartMs |
| `network.bytes` | Calculated | source.bytes, destination.bytes |
| `client.address` | Copied | Vendor.IPAddress, Vendor.ClientIP, Vendor.ClientAddress, Vendor.HTTPClientIPAddress, Vendor.ISPIPv4Address |
| `client.as.number` | Copied | Vendor.ClientASN, Vendor.HTTPClientIPASN |
| `client.as.organization.name` | Copied | Vendor.HTTPClientIPASO |
| `client.bytes` | Copied | Vendor.NetworkSentBPS |
| `client.domain` | Copied | Vendor.ClientRequestHost |
| `client.geo.city_name` | Copied | Vendor.HTTPClientIPCity, Vendor.ISPIPv4City |
| `client.geo.country_iso_code` | Copied | Vendor.HTTPClientIPCountryISO, Vendor.ISPIPv4CountryISO |
| `client.geo.postal_code` | Copied | Vendor.HTTPClientIPZip, Vendor.ISPIPv4Zip |
| `client.geo.region_iso_code` | Copied | Vendor.HTTPClientIPStateISO, Vendor.ISPIPv4StateISO |
| `client.port` | Copied | Vendor.ClientSrcPort |
| `cloud.account.id` | Copied | Vendor.AccountID |
| `destination.address` | Copied | Vendor.DstIP, Vendor.DestinationIP, Vendor.OriginIP, Vendor.IPDestinationAddress, Vendor.RemoteIP, Vendor.DestAddr |
| `destination.bytes` | Copied | Vendor.BytesReceived |
| `destination.domain` | Copied | Vendor.SNI |
| `destination.port` | Copied | Vendor.DstPort, Vendor.DestinationPort, Vendor.OriginPort, Vendor.RemotePort |
| `device.id` | Copied | host.id |
| `dns.answers[].data` | Copied | Vendor.RData[].data |
| `dns.answers[].type` | Copied | Vendor.RData[].type |
| `dns.question.name` | Copied | Vendor.QueryName |
| `dns.question.type` | Copied | Vendor.QueryTypeName, Vendor.QueryType |
| `email.from.address[]` | Copied | Vendor.event.from, Vendor.From |
| `email.message_id` | Copied | Vendor.event.message_id, Vendor.MessageID |
| `email.reply_to.address[]` | Copied | Vendor.event.replyto |
| `email.sender.address` | Copied | Vendor.event.envelope_from |
| `email.subject` | Copied | Vendor.event.subject, Vendor.Subject |
| `email.to.address[]` | Copied | Vendor.event.to[], Vendor.To[] |
| `error.message` | Copied | Vendor.Error |
| `event.action` | Copied | Vendor.Action, Vendor.SecurityAction, Vendor.ActionType, Vendor.ConnectionCloseReason, Vendor.ResolverDecision |
| `event.end` | Copied | Vendor.HTTPResponseEndMs |
| `event.id` | Copied | Vendor.SessionID, Vendor.event.alert_id, Vendor.AlertID |
| `event.provider` | Copied | Vendor.Interface |
| `event.reason` | Copied | Vendor.PurposeJustificationPrompt, Vendor.event.alert_reasons, Vendor.AlertReasons |
| `event.risk_score` | Copied | Vendor.WAFAttackScore |
| `event.start` | Copied | Vendor.HTTPRequestStartMs |
| `file.extension` | Copied | Vendor.BlockedFileType |
| `file.hash.sha256` | Copied | Vendor.BlockedFileHash |
| `file.name` | Copied | Vendor.BlockedFileName |
| `file.size` | Copied | Vendor.BlockedFileSize |
| `host.id` | Copied | Vendor.DeviceID |
| `host.name` | Copied | Vendor.DeviceName, Vendor.Hostname, Vendor.TracerouteDestinationHostname |
| `host.os.family` | Copied | Vendor.DeviceType |
| `host.os.type` | Copied | Vendor.ClientPlatform |
| `host.os.version` | Copied | Vendor.OSVersion, Vendor.ClientVersion |
| `http.request.method` | Copied | Vendor.HTTPMethod, Vendor.ClientRequestMethod, Vendor.Event.Request.Method, Vendor.Method |
| `http.request.referrer` | Copied | Vendor.Referer, Vendor.ClientRequestReferer |
| `http.response.body.bytes` | Copied | Vendor.HTTPResponseBodyBytes |
| `http.response.status_code` | Copied | Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus, Vendor.Event.Response.Status |
| `log.level` | Copied | Vendor.Level |
| `message` | Copied | Vendor.SignatureMessage, Vendor.Message |
| `network.direction` | Copied | Vendor.Direction |
| `network.protocol` | Copied | Vendor.Protocol, Vendor.ClientRequestScheme |
| `network.transport` | Copied | Vendor.Transport, Vendor.Protocol, Vendor.QueryTCP |
| `network.type` | Copied | Vendor.HTTPServerIPVersion |
| `network.vlan.id` | Copied | Vendor.VirtualNetworkID |
| `observer.egress.interface.name` | Copied | Vendor.Offramp |
| `observer.name` | Copied | Vendor.host |
| `process.end` | Copied | Vendor.SessionEndDatetime |
| `process.start` | Copied | Vendor.SessionStartDatetime |
| `process.tty` | Copied | Vendor.PTY |
| `rule.category` | Copied | Vendor.PostureCheckType |
| `rule.description` | Copied | Vendor.WAFRuleMessage |
| `rule.id` | Copied | Vendor.PolicyID, Vendor.TriggeredRuleID |
| `rule.name` | Copied | Vendor.PostureCheckName, Vendor.PolicyName |
| `server.address` | Copied | Vendor.event.smtp_helo_server_name, Vendor.ServerAddress, Vendor.HTTPServerIPAddress |
| `server.as.number` | Copied | Vendor.event.smtp_helo_server_ip_as_number, Vendor.HTTPServerIPASN |
| `server.as.organization.name` | Copied | Vendor.HTTPServerIPASO |
| `server.bytes` | Copied | Vendor.NetworkReceivedBPS |
| `server.geo.city_name` | Copied | Vendor.HTTPServerIPCity |
| `server.geo.country_iso_code` | Copied | Vendor.HTTPServerIPCountryISO |
| `server.geo.postal_code` | Copied | Vendor.HTTPServerIPZip |
| `server.geo.region_iso_code` | Copied | Vendor.HTTPServerIPStateISO |
| `service.id` | Copied | Vendor.AppUUID |
| `source.address` | Copied | Vendor.SrcIP, Vendor.SourceIP, Vendor.ActorIP, Vendor.ActorIPAddress, Vendor.IPSourceAddress, Vendor.LocalIP, Vendor.SrcAddr |
| `source.bytes` | Copied | Vendor.BytesSent |
| `source.geo.city_name` | Copied | Vendor.ColoCity |
| `source.geo.country_iso_code` | Copied | Vendor.Country, Vendor.ClientCountry |
| `source.geo.region_name` | Copied | Vendor.ColoCode |
| `source.port` | Copied | Vendor.SrcPort, Vendor.SourcePort, Vendor.LocalPort |
| `threat.indicator.description` | Copied | event.reason |
| `tls.cipher` | Copied | Vendor.ClientSSLCipher, Vendor.ClientTLSCipher |
| `tls.client.server_name` | Copied | Vendor.SNI |
| `tls.server.issuer` | Copied | Vendor.OriginTLSCertificateIssuer |
| `tls.version_protocol` | Copied | Vendor.ClientSSLProtocol |
| `url.original` | Copied | Vendor.URL, Vendor.AssetLink, Vendor.HTTPURL, Vendor.Event.Request.URL |
| `user.email` | Copied | Vendor.Email, Vendor.ActorEmail, Vendor.UserEmail |
| `user.id` | Copied | Vendor.UserID, Vendor.ActorID, Vendor.UserUID |
| `user.name` | Copied | Vendor.Username |
| `user_agent.original` | Copied | Vendor.UserAgent, Vendor.ClientRequestUserAgent, Vendor.Event.Request.Headers.User-Agent |
| `user_agent.version` | Copied | Vendor.ClientVersion |
| `vulnerability.description` | Copied | Vendor.FindingTypeDisplayName |
| `vulnerability.severity` | Copied | Vendor.FindingTypeSeverity |
| `event.outcome` | Determined | Vendor.ActionResult, Vendor.Allowed, Vendor.HTTPStatusCode, Vendor.EdgeResponseStatus, Vendor.ConnectionCloseReason, Vendor.ClientResponseCode, Vendor.Exceptions |
| `client.ip` | Extracted | client.address |
| `destination.ip` | Extracted | destination.address |
| `email.attachments[].file.hash.md5` | Extracted | Vendor.event.attachments[].md5, Vendor.Attachments[].Md5 |
| `email.attachments[].file.hash.sha1` | Extracted | Vendor.event.attachments[].sha1, Vendor.Attachments[].Sha1 |
| `email.attachments[].file.hash.sha256` | Extracted | Vendor.event.attachments[].sha256, Vendor.Attachments[].Sha256 |
| `email.attachments[].file.mime_type` | Extracted | Vendor.event.attachments[].content_type_computed, Vendor.Attachments[].ContentTypeComputed |
| `email.attachments[].file.name` | Extracted | Vendor.event.attachments[].name, Vendor.Attachments[].Name |
| `event.dataset` | Extracted | @s3.object.key, various Vendor fields |
| `http.request.mime_type` | Extracted | Vendor.Headers.Content-Type |
| `http.response.mime_type` | Extracted | Vendor.Headers.Content-Type |
| `http.version` | Extracted | Vendor.HTTPVersion |
| `server.domain` | Extracted | server.address |
| `server.ip` | Extracted | server.address |
| `source.ip` | Extracted | source.address |
| `tls.version` | Extracted | Vendor.ClientTLSVersion |
| `dns.response_code` | Mapped | Vendor.RCode, Vendor.ClientResponseCode |
| `event.severity` | Mapped | event.risk_score, Vendor.FindingTypeSeverity |
| `threat.indicator.confidence` | Mapped | event.risk_score |
| `@timestamp` | Parsed | Vendor.Datetime, Vendor.When, Vendor.CreatedAt, Vendor.DetectedTimestamp, Vendor.Timestamp, Vendor.SessionStartTime, Vendor.EdgeStartTimestamp, Vendor.time, Vendor.EventTimestampMs, Vendor.ActionTimestamp |
| `dns.resolved_ip` | Parsed | Vendor.ResolvedIPs |
| `url.domain` | Parsed | url.original, Vendor.AppDomain |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| __tmp_event | @rawstring | |
| x.data | __dnsanswers | |
| x.type | __dnsanswers | |
| x.ContentTypeComputed | _emailattachments | |
| x.Md5 | _emailattachments | |
| x.Name | _emailattachments | |
| x.Sha1 | _emailattachments | |
| x.Sha256 | _emailattachments | |
| x.content_type_computed | _emailattachments | |
| x.md5 | _emailattachments | |
| x.name | _emailattachments | |
| x.sha1 | _emailattachments | |
| x.sha256 | _emailattachments | |
| Vendor.ClientIP | client.address | |
| Vendor.HTTPClientIPAddress | client.address | |
| Vendor.IP | client.address | |
| Vendor.ISPIPv4Address | client.address | |
| Vendor.ClientASN | client.as.number | |
| Vendor.HTTPClientIPASN | client.as.number | |
| Vendor.HTTPClientIPASO | client.as.organization.name | |
| Vendor.NetworkSentBPS | client.bytes | |
| Vendor.ClientRequestHost | client.domain | |
| Vendor.HTTPClientIPCity | client.geo.city_name | |
| Vendor.ISPIPv4City | client.geo.city_name | |
| Vendor.ClientCountry | client.geo.country_iso_code | |
| Vendor.ClientIPCountry | client.geo.country_iso_code | |
| Vendor.HTTPClientIPCountryISO | client.geo.country_iso_code | |
| Vendor.ISPIPv4CountryISO | client.geo.country_iso_code | |
| Vendor.HTTPClientIPZip | client.geo.postal_code | |
| Vendor.ISPIPv4Zip | client.geo.postal_code | |
| Vendor.HTTPClientIPStateISO | client.geo.region_iso_code | |
| Vendor.ISPIPv4StateISO | client.geo.region_iso_code | |
| Vendor.ColoCode | client.geo.region_name | |
| Vendor.ClientPort | client.port | |
| Vendor.ClientSrcPort | client.port | |
| Vendor.AccountID | cloud.account.id | |
| Vendor.DestAddr | destination.address | |
| Vendor.DstIP | destination.address | |
| Vendor.IPDestinationAddress | destination.address | |
| Vendor.RemoteIP | destination.address | |
| Vendor.DestinationASN | destination.as.number | |
| Vendor.BytesReceived | destination.bytes | |
| Vendor.DestinationPort | destination.port | |
| Vendor.RemotePort | destination.port | |
| Vendor.DeviceID | device.id | |
| Vendor.QueryName | dns.question.name | |
| Vendor.QueryType | dns.question.type | |
| Vendor.QueryTypeName | dns.question.type | |
| Vendor.ClientResponseCode | dns.response_code | |
| Vendor.MessageID | email.message_id | |
| Vendor.event.message_id | email.message_id | |
| Vendor.Subject | email.subject | |
| Vendor.event.subject | email.subject | |
| Vendor.Error | error.message | |
| Vendor.type | error.message | |
| Vendor.Action | event.action | |
| Vendor.ActionType | event.action | |
| Vendor.Event | event.action | |
| Vendor.SecurityAction | event.action | |
| Vendor.eventType | event.action | |
| Vendor.type | event.action | |
| Vendor.HTTPResponseEndMs | event.end | |
| Vendor.AlertID | event.id | |
| Vendor.event.alert_id | event.id | |
| Vendor.Interface | event.provider | |
| Vendor.BlockedFileReason | event.reason | |
| Vendor.MitigationReason | event.reason | |
| Vendor.PurposeJustificationPrompt | event.reason | |
| Vendor.WAFAttackScore | event.risk_score | |
| Vendor.HTTPRequestStartMs | event.start | |
| Vendor.BlockedFileType | file.extension | |
| Vendor.BlockedFileSize | file.size | |
| Vendor.DeviceID | host.id | |
| Vendor.DeviceId | host.id | |
| Vendor.DeviceName | host.name | |
| Vendor.Host | host.name | |
| Vendor.Hostname | host.name | |
| Vendor.TracerouteDestinationHostname | host.name | |
| Vendor.DeviceType | host.os.family | |
| Vendor.ClientPlatform | host.os.type | |
| Vendor.ClientVersion | host.os.version | |
| Vendor.OSVersion | host.os.version | |
| Vendor.Method | http.request.method | |
| Vendor.ClientRefererHost | http.request.referrer | |
| Vendor.ClientRequestReferer | http.request.referrer | |
| Vendor.Referer | http.request.referrer | |
| Vendor.HTTPResponseBodyBytes | http.response.body.bytes | |
| Vendor.HTTPResponseHeaderBytes | http.response.headers.bytes | |
| Vendor.Level | log.level | |
| Vendor.Message | message | |
| Vendor.SignatureMessage | message | |
| source.bytes | network.bytes | |
| Vendor.Direction | network.direction | |
| Vendor.IPProtocol | network.iana_number | |
| Vendor.VirtualNetworkID | network.vlan.id | |
| Vendor.Offramp | observer.egress.interface.name | |
| Vendor.host | observer.name | |
| Vendor.SessionEndDatetime | process.end | |
| Vendor.SessionStartDatetime | process.start | |
| Vendor.PTY | process.tty | |
| Vendor.PostureCheckType | rule.category | |
| Vendor.Description | rule.description | |
| Vendor.WAFRuleMessage | rule.description | |
| Vendor.PolicyID | rule.id | |
| Vendor.RuleID | rule.id | |
| Vendor.TriggeredRuleID | rule.id | |
| Vendor.WAFRuleID | rule.id | |
| Vendor.PolicyName | rule.name | |
| Vendor.PostureCheckName | rule.name | |
| Vendor.RuleName | rule.name | |
| Vendor.RulesetID | rule.ruleset | |
| Vendor.HTTPServerIPAddress | server.address | |
| Vendor.ServerAddress | server.address | |
| Vendor.HTTPServerIPASN | server.as.number | |
| Vendor.event.smtp_helo_server_ip_as_number | server.as.number | |
| Vendor.HTTPServerIPASO | server.as.organization.name | |
| Vendor.NetworkReceivedBPS | server.bytes | |
| Vendor.HTTPServerIPCity | server.geo.city_name | |
| Vendor.HTTPServerIPCountryISO | server.geo.country_iso_code | |
| Vendor.HTTPServerIPZip | server.geo.postal_code | |
| Vendor.HTTPServerIPStateISO | server.geo.region_iso_code | |
| Vendor.event.smtp_helo_server_ip | server.ip | |
| Vendor.AppUUID | service.id | |
| Vendor.IPSourceAddress | source.address | |
| Vendor.LocalIP | source.address | |
| Vendor.SourceInternalIP | source.address | |
| Vendor.SrcAddr | source.address | |
| Vendor.SrcIP | source.address | |
| Vendor.SourceASN | source.as.number | |
| Vendor.BytesSent | source.bytes | |
| Vendor.ColoCity | source.geo.city_name | |
| Vendor.ClientCountry | source.geo.country_iso_code | |
| Vendor.Country | source.geo.country_iso_code | |
| Vendor.ColoCode | source.geo.region_name | |
| event.reason | threat.indicator.description | |
| Vendor.SNI | tls.client.server_name | |
| Vendor.OriginTLSCertificateIssuer | tls.server.issuer | |
| Vendor.AssetLink | url.original | |
| Vendor.HTTPURL | url.original | |
| Vendor.PageURL | url.original | |
| Vendor.ActorID | user.id | |
| Vendor.Username | user.name | |
| Vendor.ClientVersion | user_agent.version | |
| Vendor.FindingTypeDisplayName | vulnerability.description | |
| Vendor.FindingTypeSeverity | vulnerability.severity |