Parsers and Generated Fields

Tag Fields Created by Parser darktrace-detect
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser darktrace-detect
Source Field                         CPS Field
-----------------------------------  -------------------------
Vendor.model                         event.action
Vendor.codeid                        event.code
Vendor.creationTime                  event.created
Vendor.end                           event.end
Vendor.periods[0].end                event.end
Vendor.codeuuid                      event.id
Vendor.id                            event.id
Vendor.uuid                          event.id
Vendor.message                       event.reason
Vendor.reason                        event.reason
Vendor.title                         event.reason
Vendor.aiaScore                      event.risk_score
Vendor.priority                      event.risk_score
Vendor.score                         event.risk_score
Vendor.model.priority                event.severity
Vendor.periods[0].start              event.start
Vendor.start                         event.start
Vendor.breachUrl                     event.url
Vendor.incidentEventUrl              event.url
Vendor.url                           event.url
Vendor.device.hostname               host.hostname
Vendor.hostname                      host.hostname
Vendor.device.did                    host.id
Vendor.device.hostname               host.ip[0]
Vendor.device.ip                     host.ip[0]
Vendor.hostname                      host.ip[0]
Vendor.ip_address                    host.ip[0]
Vendor.device.ip6                    host.ip[1]
Vendor.device.typename               host.type
Vendor.pdid                          process.pid
Vendor.model.created.by              rule.author
Vendor.action_family                 rule.category
Vendor.model.category                rule.category
Vendor.inhibitor                     rule.description
Vendor.model.description             rule.description
Vendor.model                         rule.name
Vendor.model.name                    rule.name
Vendor.model.uuid                    rule.uuid
Vendor.model.version                 rule.version
Vendor.activityId                    threat.group.id
Vendor.mitreTactics[0].tacticID      threat.tactic.id[0]
Vendor.mitreTactics[1].tacticID      threat.tactic.id[1]
Vendor.mitreTactics[1].techniqueID   threat.tactic.id[1]
Vendor.mitreTactics[0].tactic        threat.tactic.name[0]
Vendor.mitreTactics[1].tactic        threat.tactic.name[1]
Vendor.mitreTactics[1].tacticID      threat.tactic.name[1]
Vendor.mitreTechniques[0].techniqueID  threat.technique.id[0]
Vendor.mitreTechniques[1].techniqueID  threat.technique.id[1]
Vendor.mitreTechniques[0].technique  threat.technique.name[0]
Vendor.mitreTechniques[1].technique  threat.technique.name[1]
Vendor.username                      user.name