Parsers and Generated Fields
Tag Fields Created by Parser darktrace-detect
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser darktrace-detect
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.dst | destination.address | Destination address for CEF DCIP logs |
| Vendor.mac | destination.mac | Destination MAC for CEF DCIP logs |
| Vendor.attachment_sha1s[] | email.attachments[].file.hash.sha1 | Email attachment SHA1 hashes |
| Vendor.attachment_sha256s[] | email.attachments[].file.hash.sha256 | Email attachment SHA256 hashes |
| Vendor.direction | email.direction | Email direction |
| Vendor.from | email.from.address[0] | Email sender address |
| Vendor.message_id | email.message_id | Email message ID |
| Vendor.subject | email.subject | Email subject |
| Vendor.recipients[] | email.to.address[] | Email recipient addresses |
| Vendor.model | event.action | Event action for Antigena events |
| Vendor.type | event.action | Event action for audit events |
| Vendor.codeid | event.code | Event code for Antigena events |
| Vendor.creationTime | event.created | Event creation time |
| Vendor.end | event.end | Event end time for Antigena events |
| Vendor.periods[0].end | event.end | Event end time |
| Vendor.codeuuid | event.id | Event ID for Antigena events |
| Vendor.id | event.id | Event identifier for AI Analyst events |
| Vendor.uuid | event.id | Event identifier for email events |
| Vendor.description | event.reason | Event description for audit events |
| Vendor.message | event.reason | Event message for system status events |
| Vendor.name | event.reason | Event reason for CEF DCIP logs |
| Vendor.reason | event.reason | Event reason for Antigena events |
| Vendor.title | event.reason | Event title/reason |
| Vendor.aiaScore | event.risk_score | AI Analyst score |
| Vendor.anomaly_score | event.risk_score | Email anomaly score |
| Vendor.priority | event.risk_score | Priority for system status events |
| Vendor.score | event.risk_score | Model breach score |
| Vendor.aiaScore | event.severity | Severity for AI Analyst events when category is critical or suspicious |
| Vendor.model.priority | event.severity | Severity for model breach events based on priority thresholds |
| Vendor.priority | event.severity | Severity for system status events |
| Vendor.score | event.severity | Severity for model breach events based on score thresholds |
| Vendor.severity | event.severity | Severity mapping for CEF DCIP logs |
| Vendor.periods[0].start | event.start | Event start time |
| Vendor.start | event.start | Event start time for Antigena events |
| Vendor.breachUrl | event.url | Breach URL |
| Vendor.darktraceUrl | event.url | Darktrace URL for CEF DCIP logs |
| Vendor.incidentEventUrl | event.url | Event URL |
| Vendor.url | event.url | Event URL for Antigena events |
| Vendor.currentGroup | group.id | Current group ID for CEF DCIP logs |
| Vendor.device.hostname | host.hostname | |
| Vendor.device.hostname | host.hostname/host.ip[0] | Hostname or IP based on format |
| Vendor.hostname | host.hostname/host.ip[0] | Hostname for system status events |
| Vendor.device.did | host.id | Device identifier |
| Vendor.device.ip | host.ip[0] | Device IP address |
| Vendor.dvc | host.ip[0] | Device IP for CEF DCIP logs |
| Vendor.ip_address | host.ip[0] | IP address for system status events |
| Vendor.device.ip6 | host.ip[1] | Device IPv6 address |
| Vendor.deviceMacAddress | host.mac | Device MAC address for CEF DCIP logs |
| Vendor.device.macaddress | host.mac[0] | Device MAC address |
| Vendor.dvchost | host.name | Device hostname for CEF DCIP logs |
| Vendor.device.os | host.os.type | Host OS type for Antigena events |
| Vendor.device.typename | host.type | Device type |
| Vendor.method | http.request.method | HTTP method for audit events |
| Vendor.status | http.response.status_code | HTTP status code for audit events |
| Vendor.name | message | Message for CEF DCIP logs |
| Vendor.pdid | process.pid | Process ID for Antigena events |
| Vendor.model.created.by | rule.author[0] | Model creator |
| Vendor.action_family | rule.category | Rule category for Antigena events |
| Vendor.model.category | rule.category | Model category |
| Vendor.inhibitor | rule.description | Rule description for Antigena events |
| Vendor.model.description | rule.description | Model description |
| Vendor.model | rule.name | |
| Vendor.model.name | rule.name | Model name |
| Vendor.model.uuid | rule.uuid | Model UUID |
| Vendor.model.version | rule.version | Model version |
| Vendor.ip | source.ip | Source IP for audit events |
| Vendor.sourceIP | source.ip | Source IP address (only if valid IP) |
| Vendor.activityId | threat.group.id | Threat group identifier |
| Vendor.mitreTactics[] | threat.tactic.name[] | MITRE ATT&CK tactic names |
| x.techniqueID | threat.technique.id | |
| Vendor.mitreId | threat.technique.id[] | MITRE technique IDs for CEF DCIP logs |
| Vendor.mitreTechniques[].techniqueID | threat.technique.id[] | MITRE ATT&CK technique IDs |
| x.technique | threat.technique.name | |
| Vendor.mitreTechniques[].technique | threat.technique.name[] | MITRE ATT&CK technique names |
| Vendor.username | user.name | Username for audit events |