Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser darktrace-detect

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser darktrace-detect

Vendor Field	CPS Field	Description
`email.from.address[]`	Array	Vendor.from
`email.to.address[]`	Array	Vendor.recipients[]
`event.category[]`	Array	event.dataset
`event.type[]`	Array	event.dataset, Vendor.inhibitor, Vendor.reason
`host.ip[]`	Array	Vendor.device.ip, Vendor.device.ip6, Vendor.ip_address, Vendor.hostname, Vendor.dvc
`rule.author[]`	Array	Vendor.model.created.by
`threat.tactic.name[]`	Array	Vendor.mitreTactics[]
`threat.technique.id[]`	Array	Vendor.mitreTechniques[].techniqueID, Vendor.mitreId
`threat.technique.name[]`	Array	Vendor.mitreTechniques[].technique
`destination.address`	Copied	Vendor.dst
`destination.mac`	Copied	Vendor.mac
`email.direction`	Copied	Vendor.direction
`email.subject`	Copied	Vendor.subject
`event.action`	Copied	Vendor.type, Vendor.model
`event.code`	Copied	Vendor.codeid
`event.created`	Copied	Vendor.creationTime
`event.end`	Copied	Vendor.periods[0].end, Vendor.end
`event.id`	Copied	Vendor.id, Vendor.uuid, Vendor.codeuuid
`event.reason`	Copied	Vendor.title, Vendor.description, Vendor.message, Vendor.reason, Vendor.name
`event.risk_score`	Copied	Vendor.aiaScore, Vendor.score, Vendor.anomaly_score, Vendor.priority
`event.start`	Copied	Vendor.periods[0].start, Vendor.start
`event.url`	Copied	Vendor.incidentEventUrl, Vendor.breachUrl, Vendor.url, Vendor.darktraceUrl
`group.id`	Copied	Vendor.currentGroup
`host.hostname`	Copied	Vendor.device.hostname, Vendor.hostname
`host.id`	Copied	Vendor.device.did
`host.name`	Copied	Vendor.dvchost
`host.type`	Copied	Vendor.device.typename
`http.request.method`	Copied	Vendor.method
`http.response.status_code`	Copied	Vendor.status
`message`	Copied	Vendor.name
`process.pid`	Copied	Vendor.pdid
`rule.category`	Copied	Vendor.model.category, Vendor.action_family
`rule.description`	Copied	Vendor.model.description, Vendor.inhibitor
`rule.name`	Copied	Vendor.model.name, Vendor.model
`rule.uuid`	Copied	Vendor.model.uuid
`rule.version`	Copied	Vendor.model.version
`source.ip`	Copied	Vendor.sourceIP, Vendor.ip
`threat.group.id`	Copied	Vendor.activityId, Vendor.currentGroup
`user.name`	Copied	Vendor.username
`email.message_id`	Extracted	Vendor.message_id
`event.dataset`	Extracted	Vendor.summariser, Vendor.model.name, Vendor.alert_name, Vendor.ms_ts, Vendor.iris-event-type, Vendor.device.product, Vendor.direction
`log.syslog.appname`	Extracted	@rawstring
`log.syslog.hostname`	Extracted	@rawstring
`log.syslog.priority`	Extracted	@rawstring
`event.outcome`	Mapped	Vendor.reason, http.response.status_code, Vendor.inhibitor
`event.severity`	Mapped	Vendor.aiaScore, Vendor.score, Vendor.model.priority, Vendor.priority, Vendor.severity
`@timestamp`	Parsed	ts, Vendor.createdAt, Vendor.time, Vendor.last_updated, Vendor.ms_ts, Vendor.start
`email.attachments[].file.hash.sha1`	Parsed	Vendor.attachment_sha1s[]
`email.attachments[].file.hash.sha256`	Parsed	Vendor.attachment_sha256s[]
`ecs.version`	Static	None
`event.kind`	Static	Vendor.category, Vendor.status
`event.module`	Static	None
`observer.type`	Static	None
`host.mac[0]`	Transformed	Vendor.device.macaddress, Vendor.deviceMacAddress, host.mac
`host.os.type`	Transformed	Vendor.device.os
Vendor.dst	destination.address
Vendor.mac	destination.mac
Vendor.direction	email.direction
Vendor.subject	email.subject
Vendor.model	event.action
Vendor.type	event.action
Vendor.codeid	event.code
Vendor.creationTime	event.created
Vendor.end	event.end
Vendor.periods[0].end	event.end
Vendor.codeuuid	event.id
Vendor.id	event.id
Vendor.uuid	event.id
Vendor.description	event.reason
Vendor.message	event.reason
Vendor.name	event.reason
Vendor.reason	event.reason
Vendor.title	event.reason
Vendor.aiaScore	event.risk_score
Vendor.anomaly_score	event.risk_score
Vendor.priority	event.risk_score
Vendor.score	event.risk_score
Vendor.periods[0].start	event.start
Vendor.start	event.start
Vendor.breachUrl	event.url
Vendor.darktraceUrl	event.url
Vendor.incidentEventUrl	event.url
Vendor.url	event.url
Vendor.device.hostname	host.hostname
Vendor.device.did	host.id
Vendor.deviceMacAddress	host.mac
Vendor.dvchost	host.name
Vendor.device.typename	host.type
Vendor.method	http.request.method
Vendor.name	message
Vendor.pdid	process.pid
Vendor.action_family	rule.category
Vendor.model.category	rule.category
Vendor.inhibitor	rule.description
Vendor.model.description	rule.description
Vendor.model	rule.name
Vendor.model.name	rule.name
Vendor.model.uuid	rule.uuid
Vendor.model.version	rule.version
Vendor.ip	source.ip
Vendor.activityId	threat.group.id
x.techniqueID	threat.technique.id
x.technique	threat.technique.name
Vendor.username	user.name

Enter search term