Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser darktrace-detect

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser darktrace-detect

Source Field	CPS Field	Description	Mapping
ts, Vendor.createdAt, Vendor.time, Vendor.last_updated, Vendor.ms_ts, Vendor.start	@timestamp	Event timestamp	Parsed from timestamp fields based on event type
Vendor.dst	destination.address	Destination address	Copied from vendor field
Vendor.mac	destination.mac	Destination MAC address	Copied from vendor field
None	ecs.version	ECS schema version	Static value: 9.1.0
Vendor.attachment_sha1s[]	email.attachments[].file.hash.sha1	Email attachment SHA1 hashes	Parsed from JSON transformation of vendor field
Vendor.attachment_sha256s[]	email.attachments[].file.hash.sha256	Email attachment SHA256 hashes	Parsed from JSON transformation of vendor field
Vendor.direction	email.direction	Email direction	Copied from vendor field
Vendor.from	email.from.address[]	Email sender addresses	Array populated with lowercase transformation
Vendor.message_id	email.message_id	Email message identifier	Extracted using regex from vendor field
Vendor.subject	email.subject	Email subject	Copied from vendor field
Vendor.recipients[]	email.to.address[]	Email recipient addresses	Array populated using objectArray from vendor field
Vendor.type, Vendor.model	event.action	Event action	Copied from vendor fields
event.dataset	event.category[]	Event categorization	Array populated based on event.dataset conditions
Vendor.codeid	event.code	Event code	Copied from vendor field
Vendor.creationTime	event.created	Event creation time	Copied from vendor field
Vendor.summariser, Vendor.model.name, Vendor.alert_name, Vendor.ms_ts, Vendor.iris-event-type, Vendor.device.product, Vendor.direction	event.dataset	Dataset classification	Extracted based on message content patterns
Vendor.periods[0].end, Vendor.end	event.end	Event end time	Copied from vendor fields
Vendor.id, Vendor.uuid, Vendor.codeuuid	event.id	Event identifier	Copied from vendor fields
Vendor.category, Vendor.status	event.kind	Event kind classification	Static value: event, conditionally set to alert
None	event.module	Event module identifier	Static value: detect
Vendor.reason, http.response.status_code, Vendor.inhibitor	event.outcome	Event outcome	Mapped from event conditions
Vendor.title, Vendor.description, Vendor.message, Vendor.reason, Vendor.name	event.reason	Event reason or description	Copied from vendor fields
Vendor.aiaScore, Vendor.score, Vendor.anomaly_score, Vendor.priority	event.risk_score	Event risk score	Copied from vendor fields
Vendor.aiaScore, Vendor.score, Vendor.model.priority, Vendor.priority, Vendor.severity	event.severity	Event severity level	Mapped based on score thresholds and conditions
Vendor.periods[0].start, Vendor.start	event.start	Event start time	Copied from vendor fields
event.dataset, Vendor.inhibitor, Vendor.reason	event.type[]	Event type classification	Array populated based on event.dataset and conditions
Vendor.incidentEventUrl, Vendor.breachUrl, Vendor.url, Vendor.darktraceUrl	event.url	Event URL	Copied from vendor fields
Vendor.currentGroup	group.id	Group identifier	Copied from vendor field
Vendor.device.hostname, Vendor.hostname	host.hostname	Host hostname	Copied from vendor fields or derived from IP
Vendor.device.did	host.id	Host device identifier	Copied from vendor field
Vendor.device.ip, Vendor.device.ip6, Vendor.ip_address, Vendor.hostname, Vendor.dvc	host.ip[]	Host IP addresses	Array populated from vendor fields with CIDR validation
Vendor.device.macaddress, Vendor.deviceMacAddress, host.mac	host.mac[0]	Host MAC address	Transformed from vendor field (colon to dash, uppercase)
Vendor.dvchost	host.name	Host name	Copied from vendor field
Vendor.device.os	host.os.type	Host operating system type	Transformed to lowercase from vendor field
Vendor.device.typename	host.type	Host device type	Copied from vendor field
Vendor.method	http.request.method	HTTP request method	Copied from vendor field
Vendor.status	http.response.status_code	HTTP response status code	Copied from vendor field
@rawstring	log.syslog.appname	Syslog application name	Extracted from syslog header
@rawstring	log.syslog.hostname	Syslog hostname	Extracted from syslog header
@rawstring	log.syslog.priority	Syslog priority	Extracted from syslog header
Vendor.name	message	Message content	Copied from vendor field
None	observer.type	Observer type	Static value: ndr, conditionally email-scanning
Vendor.pdid	process.pid	Process identifier	Copied from vendor field
Vendor.model.created.by	rule.author[]	Rule author	Array populated from vendor field
Vendor.model.category, Vendor.action_family	rule.category	Rule category	Copied from vendor fields
Vendor.model.description, Vendor.inhibitor	rule.description	Rule description	Copied from vendor fields
Vendor.model.name, Vendor.model	rule.name	Rule name	Copied from vendor fields
Vendor.model.uuid	rule.uuid	Rule UUID	Copied from vendor field
Vendor.model.version	rule.version	Rule version	Copied from vendor field
Vendor.sourceIP, Vendor.ip	source.ip	Source IP address	Copied from vendor fields with CIDR validation
Vendor.activityId, Vendor.currentGroup	threat.group.id	Threat group identifier	Copied from vendor fields
Vendor.mitreTactics[]	threat.tactic.name[]	MITRE ATT&CK tactic names	Array populated using objectArray from vendor field
Vendor.mitreTechniques[].techniqueID, Vendor.mitreId	threat.technique.id[]	MITRE ATT&CK technique IDs	Array populated using objectArray from vendor fields
Vendor.mitreTechniques[].technique	threat.technique.name[]	MITRE ATT&CK technique names	Array populated using objectArray from vendor field
Vendor.username	user.name	Username	Copied from vendor field

Enter search term