Parsers and Generated Fields
Tag Fields Created by Parser f5networks-bigip
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser f5networks-bigip
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.ip_client | client.address | |
| Vendor.client_ip_geo_location | client.geo.country_iso_code | Client geo location for ASM Bot Defense |
| client.address | client.ip | |
| Vendor.client_port | client.port | Client port for ASM Bot Defense |
| Vendor.dest_fqdn | destination.address | Destination FQDN |
| Vendor.dest_ip | destination.address | |
| Vendor.dns_server_ip | destination.address | |
| Vendor.vip | destination.address | |
| Vendor.dest_geo | destination.geo.country_iso_code | Destination geographic location |
| Vendor.dest_ip | destination.ip | Destination IP for ASM Bot Defense |
| destination.address | destination.ip | |
| Vendor.translated_dest_ip | destination.nat.ip | Translated destination IP |
| Vendor.translated_dest_port | destination.nat.port | Translated destination port |
| Vendor.dest_port | destination.port | Destination port for ASM Bot Defense |
| Vendor.device_id | device.id | Device ID |
| Vendor.device_vendor | device.manufacturer | Device manufacturer for ASM Bot Defense |
| Vendor.question_class | dns.question.class | |
| Vendor.question_name | dns.question.name | |
| Vendor.wideip | dns.question.registered_domain | |
| Vendor.question_type | dns.question.type | |
| Vendor.action | event.action | Action taken |
| Vendor.req_elapsed_time | event.duration | |
| Vendor.support_id | event.id | |
| Vendor.new_request_status | event.outcome | Maps to success/failure based on accepted/denied |
| Vendor.anomalies | event.reason | Event reason for ASM Bot Defense |
| Vendor.drop_reason | event.reason | Reason for dropping traffic |
| Vendor.severity | event.severity | Event severity based on mapping |
| Vendor.hostname | host.hostname | Host hostname for ASM Bot Defense |
| Vendor.host | host.ip[] | Host information as array |
| Vendor.bytes_in | http.request.body.bytes | |
| Vendor.req | http.request.body.content | HTTP request content |
| Vendor.http_method | http.request.method | HTTP method |
| Vendor.method | http.request.method | HTTP method |
| Vendor.http_content_type | http.request.mime_type | |
| Vendor.http_class | http.request.referrer | HTTP class |
| Vendor.http_referrer | http.request.referrer | |
| Vendor.bytes_out | http.response.body.bytes | |
| Vendor.resp | http.response.body.content | HTTP response content |
| Vendor.http_status | http.response.status_code | |
| Vendor.resp_code | http.response.status_code | HTTP response code |
| Vendor.http_version | http.version | |
| Vendor.severity | log.level | Log level |
| log.syslog.severity.name | log.level | |
| log.syslog.priority | log.syslog.facility.code | |
| Vendor.bytes_in | network.bytes | |
| Vendor.dns_len | network.bytes | |
| Vendor.x_fwd_hdr_val | network.forwarded_ip | X-Forwarded-For header value |
| Vendor.http_protocol_indication | network.protocol | Network protocol for ASM Bot Defense |
| Vendor.ip_protocol | network.protocol | IP protocol |
| Vendor.dest_vlan | network.vlan.id | Destination VLAN ID |
| Vendor.vlan | network.vlan.name | VLAN name |
| Vendor.hostname | observer.hostname | Observer hostname |
| Vendor.context_name | observer.ingress.zone | |
| Vendor.bigip_mgmt_ip | observer.ip[] | Observer IP address as array |
| Vendor.manage_ip_addr | observer.ip[] | Management IP address as array |
| Vendor.device_product | observer.product | Observer product name |
| Vendor.device_version | observer.version | Observer version |
| Vendor.acl_policy_name | rule.category | ACL policy name |
| Vendor.acl_rule_uuid | rule.id | ACL rule UUID |
| Vendor.acl_rule_name | rule.name | ACL rule name |
| Vendor.violations | rule.name | Violations as array |
| Vendor.acl_policy_type | rule.ruleset | ACL policy type |
| Vendor.enforced_by | rule.ruleset | Enforcement mechanism |
| Vendor.node | server.address | |
| server.address | server.ip | |
| Vendor.node_port | server.port | |
| Vendor.source_fqdn | source.address | Source FQDN |
| Vendor.src_ip | source.address | Source address |
| Vendor.geo_info | source.geo.country_iso_code | |
| Vendor.src_geo | source.geo.country_iso_code | Source geographic location |
| Vendor.client_ip | source.ip | Client IP address for ASM Bot Defense |
| Vendor.source_ip | source.ip | Source IP address |
| source.address | source.ip | |
| Vendor.translated_source_ip | source.nat.ip | Translated source IP |
| Vendor.translated_source_port | source.nat.port | Translated source port |
| Vendor.source_port | source.port | Source port number |
| Vendor.src_port | source.port | Source port |
| Vendor.source_user_group | source.user.group.name | Source user group |
| Vendor.source_user | source.user.name | Source username |
| Vendor.threat_campaign_names | threat.group.alias | Threat campaign names as array |
| Vendor.attack_type | threat.technique.name | Attack type as array |
| Vendor.sig_ids | threat.technique.subtechnique.id | Signature IDs as array |
| Vendor.sig_names | threat.technique.subtechnique.name | Signature names as array |
| Vendor.http_url | url.original | |
| Vendor.client_request_uri | url.path | URL path for ASM Bot Defense |
| Vendor.http_uri | url.path | |
| Vendor.user | user.name | Username |
| Vendor.username | user.name | |
| Vendor.http_request | user_agent.original | User agent extraction from HTTP request |
| Vendor.http_user_agent | user_agent.original | User agent string |