Parsers and Generated Fields
Tag Fields Created by Parser darktrace-detect
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser darktrace-detect
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.model | event.action | Event action for Antigena events |
| Vendor.codeid | event.code | Event code for Antigena events |
| Vendor.creationTime | event.created | |
| Vendor.end | event.end | Event end time for Antigena events |
| Vendor.periods[0].end | event.end | Event end time |
| Vendor.codeuuid | event.id | Event ID for Antigena events |
| Vendor.id | event.id | Event identifier for AI Analyst events |
| Vendor.uuid | event.id | Event identifier for audit events |
| Vendor.message | event.reason | |
| Vendor.reason | event.reason | Event reason for Antigena events |
| Vendor.title | event.reason | Event title/reason |
| Vendor.type | event.reason | Event reason for audit events |
| Vendor.aiaScore | event.risk_score | AI Analyst score |
| Vendor.priority | event.risk_score | |
| Vendor.score | event.risk_score | |
| Vendor.model.priority | event.severity | |
| Vendor.periods[0].start | event.start | Event start time |
| Vendor.start | event.start | Event start time for Antigena events |
| Vendor.breachUrl | event.url | |
| Vendor.incidentEventUrl | event.url | Event URL |
| Vendor.url | event.url | Event URL for Antigena events |
| Vendor.device.hostname | host.hostname | |
| Vendor.device.hostname; | host.hostname | |
| Vendor.hostname; | host.hostname | |
| Vendor.device.hostname | host.hostname/host.ip[0] | Hostname or IP based on format |
| Vendor.device.did | host.id | Device identifier |
| Vendor.device.ip | host.ip[0] | Device IP address |
| Vendor.device.ip6 | host.ip[1] | Device IPv6 address |
| Vendor.device.macaddress | host.mac[0] | Device MAC address |
| Vendor.device.os | host.os.type | Host OS type for Antigena events |
| Vendor.device.typename | host.type | Device type |
| Vendor.pdid | process.pid | Process ID for Antigena events |
| Vendor.model.created.by | rule.author[0] | Model creator |
| Vendor.action_family | rule.category | Rule category for Antigena events |
| Vendor.model.category | rule.category | Model category |
| Vendor.inhibitor | rule.description | Rule description for Antigena events |
| Vendor.model.description | rule.description | |
| Vendor.model | rule.name | |
| Vendor.model.name | rule.name | |
| Vendor.model.uuid | rule.uuid | |
| Vendor.model.version | rule.version | |
| Vendor.description | source.ip | Source IP extracted from description for login events |
| Vendor.sourceIP | source.ip | Source IP address |
| Vendor.activityId | threat.group.id | Threat group identifier |
| Vendor.username | user.name | Username for audit events |
| Vendor.username; | user.name |