Parsers and Generated Fields

Tag Fields Created by Parser forcepoint-dlp
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser forcepoint-dlp
| CPS Field | Method | Vendor Field |
|---|---|---|
| `event.category[]` | Array | None |
| `event.type[]` | Array | Vendor.act |
| `agent.name` | Copied | Vendor.name |
| `agent.version` | Copied | Vendor.device.version |
| `destination.domain` | Copied | Vendor.destinationHosts |
| `event.action` | Copied | Vendor.sourceServiceName |
| `event.id` | Copied | Vendor.eventId |
| `event.risk_score` | Copied | Vendor.riskScore |
| `host.risk.calculated_score` | Copied | Vendor.riskScore (indirect) |
| `rule.name` | Copied | Vendor.msg |
| `source.address` | Copied | Vendor.sourceIp |
| `source.domain` | Copied | Vendor.sourceHost |
| `source.ip` | Copied | Vendor.sourceIp (indirect) |
| `threat.indicator.confidence` | Copied | Vendor.severityType |
| `threat.indicator.description` | Copied | Vendor.caseDescription |
| `threat.indicator.sightings` | Copied | Vendor.numberOfIncidents |
| `user.email` | Copied | Vendor.duser |
| `file.extension` | Extracted | Vendor.fname (indirect) |
| `file.name` | Extracted | Vendor.fname |
| `file.size` | Extracted | Vendor.fname |
| `user.domain` | Extracted | Vendor.loginName |
| `user.name` | Extracted | Vendor.loginName |
| `event.severity` | Mapped | Vendor.severity |
| `@timestamp` | Parsed | Vendor.caseDateAndTime |
| `agent.type` | Static | None |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | Vendor.riskScore, Vendor.eventId |
| `event.module` | Static | None |
| `file.type` | Static | None |
| Source Field | CPS Field |
|---|---|
| Vendor.name | `agent.name` |
| Vendor.device.version | `agent.version` |
| Vendor.sourceServiceName | `event.action` |
| Vendor.eventId | `event.id` |
| Vendor.riskScore | `event.risk_score` |
| `event.risk_score` | `host.risk.calculated_score` |
| Vendor.msg | `rule.name` |
| Vendor.sourceIp | `source.address` |
| Vendor.severityType | `threat.indicator.confidence` |
| Vendor.caseDescription | `threat.indicator.description` |
| Vendor.numberOfIncidents | `threat.indicator.sightings` |
| Vendor.duser | `user.email` |
| Vendor.loginName | `user.name` |