Parsers and Generated Fields
Tag Fields Created by Parser f5networks-bigip
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser f5networks-bigip
| CPS Field | Method | Source Fields |
|---|---|---|
| `event.category[]` | Array | log.syslog.appname, log.syslog.msgid |
| `event.type[]` | Array | log.syslog.msgid, Vendor.message |
| `host.ip[]` | Array | Vendor.host |
| `observer.ip[]` | Array | Vendor.bigip_mgmt_ip, Vendor.manage_ip_addr |
| `rule.name[]` | Array | Vendor.violations, Vendor.acl_rule_name |
| `threat.group.alias[]` | Array | Vendor.threat_campaign_names |
| `threat.technique.name[]` | Array | Vendor.attack_type |
| `threat.technique.subtechnique.id[]` | Array | Vendor.sig_ids |
| `threat.technique.subtechnique.name[]` | Array | Vendor.sig_names |
| `user.roles[]` | Array | Vendor.message |
| `event.duration` | Calculated | Vendor.req_elapsed_time |
| `log.syslog.facility.code` | Calculated | log.syslog.priority |
| `network.bytes` | Calculated | Vendor.bytes_in, Vendor.bytes_out |
| `event.outcome` | Conditional | Vendor.action, Vendor.status, etc. |
| `network.type` | Conditional | client.address, destination.address, etc. |
| `client.address` | Copied | Vendor.ip_client |
| `client.geo.country_iso_code` | Copied | Vendor.client_ip_geo_location |
| `client.ip` | Copied | Vendor.client_ip, client.address |
| `client.port` | Copied | Vendor.client_port |
| `destination.address` | Copied | Vendor.dest_ip, Vendor.dest_fqdn |
| `destination.bytes` | Copied | Vendor.bytes_out |
| `destination.ip` | Copied | Vendor.dest_ip, destination.address |
| `destination.nat.ip` | Copied | Vendor.translated_dest_ip |
| `destination.nat.port` | Copied | Vendor.translated_dest_port |
| `destination.port` | Copied | Vendor.dest_port |
| `device.id` | Copied | Vendor.device_id |
| `device.manufacturer` | Copied | Vendor.device_vendor |
| `dns.question.class` | Copied | Vendor.question_class |
| `dns.question.name` | Copied | Vendor.question_name |
| `dns.question.registered_domain` | Copied | Vendor.wideip |
| `dns.question.type` | Copied | Vendor.question_type |
| `event.id` | Copied | Vendor.support_id |
| `event.reason` | Copied | Vendor.drop_reason, Vendor.anomalies |
| `host.hostname` | Copied | Vendor.hostname |
| `http.request.body.bytes` | Copied | Vendor.bytes_in |
| `http.request.body.content` | Copied | Vendor.req |
| `http.request.method` | Copied | Vendor.method, Vendor.http_method |
| `http.request.mime_type` | Copied | Vendor.http_content_type |
| `http.request.referrer` | Copied | Vendor.http_class, Vendor.http_referrer |
| `http.response.body.bytes` | Copied | Vendor.bytes_out |
| `http.response.body.content` | Copied | Vendor.resp |
| `http.response.status_code` | Copied | Vendor.resp_code |
| `log.level` | Copied | log.syslog.severity.name, Vendor.severity |
| `network.forwarded_ip` | Copied | Vendor.x_fwd_hdr_val |
| `network.protocol` | Copied | Vendor.ip_protocol, Vendor.http_protocol_indication |
| `network.transport` | Copied | Vendor.message |
| `network.vlan.id` | Copied | Vendor.dest_vlan |
| `network.vlan.name` | Copied | Vendor.vlan |
| `observer.hostname` | Copied | Vendor.hostname |
| `observer.ingress.zone` | Copied | Vendor.context_name |
| `observer.product` | Copied | Vendor.device_product |
| `observer.version` | Copied | Vendor.device_version |
| `process.pid` | Copied | Vendor.pid |
| `rule.category` | Copied | Vendor.acl_policy_name |
| `rule.id` | Copied | Vendor.acl_rule_uuid |
| `rule.ruleset` | Copied | Vendor.enforced_by, Vendor.acl_policy_type |
| `server.address` | Copied | Vendor.node, server.ip |
| `server.ip` | Copied | server.address |
| `source.address` | Copied | Vendor.source_fqdn, Vendor.src_ip |
| `source.bytes` | Copied | Vendor.bytes_in |
| `source.geo.country_iso_code` | Copied | Vendor.src_geo, Vendor.geo_info |
| `source.ip` | Copied | Vendor.source_ip, source.address |
| `source.nat.ip` | Copied | Vendor.translated_source_ip |
| `source.nat.port` | Copied | Vendor.translated_source_port |
| `source.port` | Copied | Vendor.source_port, Vendor.src_port |
| `source.user.group.name` | Copied | Vendor.source_user_group |
| `source.user.name` | Copied | Vendor.source_user |
| `url.original` | Copied | Vendor.http_url |
| `url.path` | Copied | Vendor.http_uri, Vendor.client_request_uri |
| `user.name` | Copied | Vendor.username, user.name, Vendor.user |
| `user_agent.original` | Copied | Vendor.http_user_agent, user_agent.original |
| `client.domain` | Extracted | Vendor.message |
| `error.code` | Extracted | Vendor.message |
| `error.message` | Extracted | Vendor.message |
| `file.name` | Extracted | file.path |
| `file.path` | Extracted | Vendor.message |
| `geo.continent_code` | Extracted | Vendor.message |
| `geo.country_iso_code` | Extracted | Vendor.message |
| `geo.region_name` | Extracted | Vendor.message |
| `http.version` | Extracted | Vendor.req, Vendor.http_version |
| `log.syslog.appname` | Extracted | @rawstring |
| `log.syslog.hostname` | Extracted | @rawstring |
| `log.syslog.msgid` | Extracted | @rawstring |
| `log.syslog.priority` | Extracted | @rawstring |
| `log.syslog.procid` | Extracted | @rawstring |
| `log.syslog.severity.code` | Extracted | @rawstring |
| `log.syslog.severity.name` | Extracted | @rawstring |
| `observer.ingress.vlan.id` | Extracted | Vendor.message |
| `process.command_line` | Extracted | Vendor.message |
| `process.name` | Extracted | Vendor.message |
| `server.domain` | Extracted | Vendor.message |
| `server.port` | Extracted | Vendor.message, Vendor.node_port |
| `tls.cipher` | Extracted | Vendor.message |
| `tls.version_protocol` | Extracted | Vendor.message |
| `tls.version` | Extracted | Vendor.message |
| `url.domain` | Extracted | Vendor.http_host |
| `url.port` | Extracted | Vendor.http_host |
| `url.scheme` | Extracted | Vendor.http_referrer |
| `user.email` | Extracted | Vendor.message |
| `user_agent.name` | Extracted | user_agent.original |
| `user_agent.version` | Extracted | user_agent.original |
| `event.severity` | Mapped | Vendor.severity |
| `@timestamp` | Parsed | Vendor.timestamp, _ts |
| `dns.answers[]` | Parsed | Vendor.answer |
| `ecs.version` | Static | None |
| `event.action` | Static | log.syslog.msgid, Vendor.message |
| `event.dataset` | Static | log.syslog.appname, log.syslog.msgid |
| `event.kind` | Static | Vendor.attack_type |
| `event.module` | Static | None |
| `observer.vendor` | Static | None |
| `threat.framework` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.ip_client | client.address | |
| Vendor.client_ip_geo_location | client.geo.country_iso_code | |
| client.address | client.ip | |
| Vendor.client_port | client.port | |
| Vendor.dest_fqdn | destination.address | |
| Vendor.dest_ip | destination.address | |
| Vendor.dns_server_ip | destination.address | |
| Vendor.vip | destination.address | |
| Vendor.dest_geo | destination.geo.country_iso_code | |
| Vendor.dest_ip | destination.ip | |
| destination.address | destination.ip | |
| Vendor.translated_dest_ip | destination.nat.ip | |
| Vendor.translated_dest_port | destination.nat.port | |
| Vendor.dest_port | destination.port | |
| Vendor.device_id | device.id | |
| Vendor.device_vendor | device.manufacturer | |
| Vendor.question_class | dns.question.class | |
| Vendor.question_name | dns.question.name | |
| Vendor.wideip | dns.question.registered_domain | |
| Vendor.question_type | dns.question.type | |
| Vendor.action | event.action | |
| Vendor.req_elapsed_time | event.duration | |
| Vendor.support_id | event.id | |
| Vendor.anomalies | event.reason | |
| Vendor.bytes_in | http.request.body.bytes | |
| Vendor.req | http.request.body.content | |
| Vendor.http_method | http.request.method | |
| Vendor.method | http.request.method | |
| Vendor.http_content_type | http.request.mime_type | |
| Vendor.http_class | http.request.referrer | |
| Vendor.http_referrer | http.request.referrer | |
| Vendor.bytes_out | http.response.body.bytes | |
| Vendor.resp | http.response.body.content | |
| Vendor.http_status | http.response.status_code | |
| Vendor.resp_code | http.response.status_code | |
| Vendor.http_version | http.version | |
| Vendor.severity | log.level | |
| log.syslog.severity.name | log.level | |
| log.syslog.priority | log.syslog.facility.code | |
| Vendor.bytes_in | network.bytes | |
| Vendor.dns_len | network.bytes | |
| Vendor.x_fwd_hdr_val | network.forwarded_ip | |
| Vendor.ip_protocol | network.protocol | |
| Vendor.dest_vlan | network.vlan.id | |
| Vendor.vlan | network.vlan.name | |
| Vendor.hostname | observer.hostname | |
| Vendor.context_name | observer.ingress.zone | |
| Vendor.device_product | observer.product | |
| Vendor.device_version | observer.version | |
| Vendor.pid | process.pid | |
| Vendor.acl_policy_name | rule.category | |
| Vendor.acl_rule_uuid | rule.id | |
| Vendor.acl_rule_name | rule.name | |
| Vendor.violations | rule.name | |
| Vendor.acl_policy_type | rule.ruleset | |
| Vendor.enforced_by | rule.ruleset | |
| Vendor.node | server.address | |
| server.address | server.ip | |
| Vendor.node_port | server.port | |
| Vendor.src_ip | source.address | |
| Vendor.geo_info | source.geo.country_iso_code | |
| Vendor.src_geo | source.geo.country_iso_code | |
| Vendor.source_ip | source.ip | |
| source.address | source.ip | |
| Vendor.translated_source_ip | source.nat.ip | |
| Vendor.translated_source_port | source.nat.port | |
| Vendor.source_port | source.port | |
| Vendor.src_port | source.port | |
| Vendor.source_user_group | source.user.group.name | |
| Vendor.source_user | source.user.name | |
| Vendor.threat_campaign_names | threat.group.alias | |
| Vendor.attack_type | threat.technique.name | |
| Vendor.sig_ids | threat.technique.subtechnique.id | |
| Vendor.sig_names | threat.technique.subtechnique.name | |
| Vendor.http_url | url.original | |
| Vendor.http_uri | url.path | |
| Vendor.user | user.name | |
| Vendor.username | user.name | |