Parsers and Generated Fields
Tag Fields Created by Parser f5networks-bigip
- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type
Fields Identified by Parser f5networks-bigip
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.timestamp, _ts | @timestamp | Event timestamp | Parsed from timestamp fields using various formats |
| Vendor.ip_client | client.address | Client address for ASM events | Copied from Vendor.ip_client |
| Vendor.message | client.domain | Client hostname | Extracted from regex patterns |
| Vendor.client_ip_geo_location | client.geo.country_iso_code | Client geographic location | Copied from Vendor.client_ip_geo_location |
| Vendor.client_ip, client.address | client.ip | Client IP address | Copied from various vendor fields |
| Vendor.client_port | client.port | Client port number | Copied from Vendor.client_port |
| Vendor.dest_ip, Vendor.dest_fqdn | destination.address | Destination address | Copied from various vendor fields |
| Vendor.bytes_out | destination.bytes | Destination bytes transferred | Copied from Vendor.bytes_out |
| Vendor.dest_ip, destination.address | destination.ip | Destination IP address | Copied from various vendor fields |
| Vendor.translated_dest_ip | destination.nat.ip | Translated destination IP | Copied from Vendor.translated_dest_ip |
| Vendor.translated_dest_port | destination.nat.port | Translated destination port | Copied from Vendor.translated_dest_port |
| Vendor.dest_port | destination.port | Destination port number | Copied from Vendor.dest_port |
| Vendor.device_id | device.id | Device identifier | Copied from Vendor.device_id |
| Vendor.device_vendor | device.manufacturer | Device manufacturer | Copied from Vendor.device_vendor |
| Vendor.answer | dns.answers[] | DNS response answers | Parsed from Vendor.answer using JSON formatting |
| Vendor.question_class | dns.question.class | DNS question class | Copied from Vendor.question_class |
| Vendor.question_name | dns.question.name | DNS question name | Copied from Vendor.question_name |
| Vendor.wideip | dns.question.registered_domain | DNS registered domain | Copied from Vendor.wideip |
| Vendor.question_type | dns.question.type | DNS question type | Copied from Vendor.question_type |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.message | error.code | Error code | Extracted from regex patterns |
| Vendor.message | error.message | Error message | Extracted from regex patterns |
| log.syslog.msgid, Vendor.message | event.action | Event action | Static values based on log type and message ID |
| log.syslog.appname, log.syslog.msgid | event.category[] | Event categories | Array populated based on log type |
| log.syslog.appname, log.syslog.msgid | event.dataset | Event dataset | Static values based on log source |
| Vendor.req_elapsed_time | event.duration | Event duration in microseconds | Calculated from Vendor.req_elapsed_time * 1000000 |
| Vendor.support_id | event.id | Event identifier | Copied from Vendor.support_id |
| Vendor.attack_type | event.kind | Event kind | Static value: event (conditional: alert for ASM threats) |
| None | event.module | Event module | Static value: bigip |
| Vendor.action, Vendor.status, etc. | event.outcome | Event outcome | Conditional based on various vendor fields |
| Vendor.drop_reason, Vendor.anomalies | event.reason | Event reason | Copied from various vendor fields |
| Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity values |
| log.syslog.msgid, Vendor.message | event.type[] | Event types | Array populated based on event context |
| file.path | file.name | File name | Extracted from file.path using regex |
| Vendor.message | file.path | File path | Extracted from regex patterns |
| Vendor.message | geo.continent_code | Geographic continent code | Extracted from regex patterns |
| Vendor.message | geo.country_iso_code | Geographic country code | Extracted from regex patterns |
| Vendor.message | geo.region_name | Geographic region name | Extracted from regex patterns |
| Vendor.hostname | host.hostname | Host hostname | Copied from Vendor.hostname (lowercased) |
| Vendor.host | host.ip[] | Host IP addresses | Array populated from Vendor.host |
| Vendor.hostname, log.syslog.hostname | host.name | Host name | Copied from coalesced vendor fields |
| Vendor.bytes_in | http.request.body.bytes | HTTP request body size | Copied from Vendor.bytes_in |
| Vendor.req | http.request.body.content | HTTP request content | Copied from Vendor.req |
| Vendor.method, Vendor.http_method | http.request.method | HTTP request method | Copied from Vendor.method |
| Vendor.http_content_type | http.request.mime_type | HTTP request MIME type | Copied from Vendor.http_content_type |
| Vendor.message | http.request.referrer | HTTP request referrer | Extracted from regex patterns |
| Vendor.bytes_out | http.response.body.bytes | HTTP response body size | Copied from Vendor.bytes_out |
| Vendor.resp | http.response.body.content | HTTP response content | Copied from Vendor.resp |
| Vendor.resp_code, Vendor.HTTP status | http.response.status_code | HTTP response status code | Copied from Vendor.resp_code |
| Vendor.req, Vendor.http_version | http.version | HTTP version | Extracted from regex patterns |
| log.syslog.severity.name, Vendor.severity | log.level | Log level | Copied from log.syslog.severity.name (lowercased) |
| @rawstring | log.syslog.appname | Syslog application name | Extracted from syslog parsing |
| log.syslog.priority | log.syslog.facility.code | Syslog facility code | Calculated from log.syslog.priority / 8 |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog parsing |
| @rawstring | log.syslog.msgid | Syslog message ID | Extracted from syslog parsing |
| @rawstring | log.syslog.priority | Syslog priority | Extracted from syslog parsing |
| @rawstring | log.syslog.procid | Syslog process ID | Extracted from syslog parsing |
| @rawstring | log.syslog.severity.code | Syslog severity code | Extracted from syslog parsing |
| @rawstring | log.syslog.severity.name | Syslog severity name | Extracted from syslog parsing |
| Vendor.bytes_in, Vendor.bytes_out | network.bytes | Total network bytes | Calculated from Vendor.bytes_in + Vendor.bytes_out |
| Vendor.x_fwd_hdr_val | network.forwarded_ip | Forwarded IP address | Copied from Vendor.x_fwd_hdr_val |
| Vendor.ip_protocol, Vendor.http_protocol_indication | network.protocol | Network protocol | Copied from Vendor.ip_protocol (lowercased) |
| Vendor.message | network.transport | Network transport protocol | Copied from Vendor.message (lowercased) |
| client.address, destination.address, etc. | network.type | Network type (ipv4/ipv6) | Conditional based on IP address validation |
| Vendor.dest_vlan | network.vlan.id | VLAN ID | Copied from Vendor.dest_vlan |
| Vendor.vlan | network.vlan.name | VLAN name | Copied from Vendor.vlan |
| Vendor.message | observer.egress.vlan.id | Observer egress VLAN ID | Extracted from regex patterns |
| Vendor.hostname | observer.hostname | Observer hostname | Copied from Vendor.hostname |
| Vendor.message | observer.ingress.vlan.id | Observer ingress VLAN ID | Extracted from regex patterns |
| Vendor.context_name | observer.ingress.zone | Observer ingress zone | Copied from Vendor.context_name |
| Vendor.bigip_mgmt_ip, Vendor.manage_ip_addr | observer.ip[] | Observer IP addresses | Array populated from various vendor fields |
| Vendor.device_product | observer.product | Observer product | Copied from Vendor.device_product |
| None | observer.vendor | Observer vendor | Static value: F5 |
| Vendor.device_version | observer.version | Observer version | Copied from Vendor.device_version |
| Vendor.message | process.command_line | Process command line | Extracted from regex patterns |
| Vendor.message | process.name | Process name | Extracted from regex patterns |
| Vendor.pid | process.pid | Process ID | Copied from Vendor.pid |
| Vendor.acl_policy_name | rule.category | Rule category | Copied from Vendor.acl_policy_name |
| Vendor.acl_rule_uuid | rule.id | Rule identifier | Copied from Vendor.acl_rule_uuid |
| Vendor.violations, Vendor.acl_rule_name | rule.name | Rule names | Copied from Vendor.violations |
| Vendor.enforced_by, Vendor.acl_policy_type | rule.ruleset | Rule ruleset | Copied from Vendor.enforced_by |
| Vendor.node, server.ip | server.address | Server address | Copied from various vendor fields |
| Vendor.message | server.domain | Server domain | Extracted from regex patterns (lowercased) |
| server.address | server.ip | Server IP address | Copied from server.address when valid IP |
| Vendor.message, Vendor.node_port | server.port | Server port | Extracted from regex patterns |
| Vendor.source_fqdn, Vendor.src_ip | source.address | Source address | Copied from various vendor fields |
| Vendor.bytes_in | source.bytes | Source bytes transferred | Copied from Vendor.bytes_in |
| Vendor.src_geo, Vendor.geo_info | source.geo.country_iso_code | Source geographic location | Copied from various vendor fields |
| Vendor.source_ip, source.address | source.ip | Source IP address | Copied from various vendor fields |
| Vendor.translated_source_ip | source.nat.ip | Translated source IP | Copied from Vendor.translated_source_ip |
| Vendor.translated_source_port | source.nat.port | Translated source port | Copied from Vendor.translated_source_port |
| Vendor.source_port, Vendor.src_port | source.port | Source port number | Copied from Vendor.source_port |
| Vendor.source_user_group | source.user.group.name | Source user group | Copied from Vendor.source_user_group |
| Vendor.source_user | source.user.name | Source username | Copied from Vendor.source_user |
| None | threat.framework | Threat framework | Static value: F5 |
| Vendor.threat_campaign_names | threat.group.alias[] | Threat group aliases | Array from Vendor.threat_campaign_names split by comma |
| Vendor.attack_type | threat.technique.name[] | Threat technique names | Array from Vendor.attack_type split by comma |
| Vendor.sig_ids | threat.technique.subtechnique.id[] | Threat subtechnique IDs | Array from Vendor.sig_ids split by comma |
| Vendor.sig_names | threat.technique.subtechnique.name[] | Threat subtechnique names | Array from Vendor.sig_names split by comma |
| Vendor.message | tls.cipher | TLS cipher suite | Extracted from regex patterns |
| Vendor.message | tls.version | TLS version | Extracted from regex patterns |
| Vendor.message | tls.version_protocol | TLS protocol version | Extracted from regex patterns |
| Vendor.http_host | url.domain | URL domain | Extracted from Vendor.http_host (lowercased) |
| Vendor.http_url, Vendor.HTTP URI | url.original | Original URL | Copied from Vendor.http_url |
| Vendor.http_uri, Vendor.client_request_uri | url.path | URL path | Copied from Vendor.http_uri |
| Vendor.http_host | url.port | URL port | Extracted from Vendor.http_host |
| Vendor.http_referrer | url.scheme | URL scheme | Extracted from Vendor.http_referrer |
| Vendor.message | user.email | User email | Extracted from regex patterns |
| Vendor.username, user.name, Vendor.user | user.name | Username | Copied from various vendor fields |
| Vendor.message | user.roles[] | User roles | Array populated from regex patterns |
| user_agent.original | user_agent.name | User agent name | Extracted from user_agent.original |
| Vendor.http_user_agent, user_agent.original | user_agent.original | User agent string | Copied from various vendor fields |
| user_agent.original | user_agent.version | User agent version | Extracted from user_agent.original |
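The computed and conditional rows of the table (syslog priority split, duration and byte arithmetic, IP validation for network.type, comma-split threat arrays, the alert/event switch on attack_type) as an added Python illustration; this is not the LogScale parser's own code, and it assumes the Vendor.* fields already arrive split out in a dict keyed by their bare name.

```python
import ipaddress

# Added example, not the LogScale parser's own code: it applies the computed and
# conditional rows of the table to one event whose Vendor.* fields are in a dict.
SYSLOG_SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                         "warning", "notice", "informational", "debug"]

def syslog_pri(priority):
    """Facility code is priority / 8, severity code is priority % 8 (syslog PRI)."""
    p = int(priority)
    return p // 8, p % 8, SYSLOG_SEVERITY_NAMES[p % 8]

def network_type(address):
    """'ipv4'/'ipv6' for a valid IP literal; None when the address is a hostname."""
    try:
        return "ipv%d" % ipaddress.ip_address(address).version
    except ValueError:
        return None

def split_csv(value):
    """Comma-separated vendor values become arrays (threat.technique.name[] etc.)."""
    return [v.strip() for v in value.split(",") if v.strip()]

def normalize(vendor, priority):
    ecs = {"ecs.version": "9.2.0", "event.module": "bigip",
           "observer.vendor": "F5", "event.kind": "event"}
    facility, severity, name = syslog_pri(priority)
    ecs["log.syslog.facility.code"] = facility
    ecs["log.syslog.severity.code"] = severity
    ecs["log.level"] = name                      # severity name, lowercased
    if "req_elapsed_time" in vendor:             # table: req_elapsed_time * 1000000
        ecs["event.duration"] = int(float(vendor["req_elapsed_time"]) * 1000000)
    if "bytes_in" in vendor and "bytes_out" in vendor:
        ecs["network.bytes"] = int(vendor["bytes_in"]) + int(vendor["bytes_out"])
    addr = vendor.get("ip_client") or vendor.get("client_ip")
    if addr:                                     # client.address always; client.ip only if valid IP
        ecs["client.address"] = addr
        if network_type(addr):
            ecs["client.ip"], ecs["network.type"] = addr, network_type(addr)
    if vendor.get("attack_type"):                # ASM threat: kind becomes alert
        ecs["event.kind"] = "alert"
        ecs["threat.technique.name"] = split_csv(vendor["attack_type"])
        ecs["threat.technique.subtechnique.id"] = split_csv(vendor.get("sig_ids", ""))
    return ecs

# Constructed sample ASM-style event (all values invented for this example).
SAMPLE = {"req_elapsed_time": "0.25", "bytes_in": "512", "bytes_out": "1024",
          "ip_client": "203.0.113.7", "sig_ids": "200000001, 200000002",
          "attack_type": "SQL-Injection, Cross Site Scripting (XSS)"}
```

Calling `normalize(SAMPLE, "134")` yields facility 16, log.level informational, event.duration 250000, network.bytes 1536 and event.kind alert; a hostname in ip_client leaves client.ip and network.type unset while client.address is still filled.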