Parsers and Generated Fields
Tag Fields Created by Parser forcepoint-dlp
- Cps.version
- Vendor
- ecs.version
- event.dataset
- event.kind
- event.module
- event.outcome
- observer.type
Fields Identified by Parser forcepoint-dlp
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.caseDateAndTime | @timestamp | Timestamp for report data | Parsed from Vendor.caseDateAndTime using format `dd MMM. yyyy, h:mm:ss a` |
| Vendor.name | agent.name | Name of the agent | Copied from Vendor.name |
| None | agent.type | Agent type identifier | Static value: dlp |
| Vendor.device.version | agent.version | Version of the agent | Copied from Vendor.device.version |
| Vendor.destinationHosts | destination.domain | Destination host domain | Copied from Vendor.destinationHosts when not N/A |
| None | ecs.version | ECS schema version | Static value: 8.17.0 |
| Vendor.sourceServiceName | event.action | Action performed in the event | Copied from Vendor.sourceServiceName |
| None | event.category[] | Event categorization | Array populated based on event type conditions |
| None | event.dataset | Dataset classification | Static value: dlp.report or dlp.event |
| Vendor.eventId | event.id | Unique identifier for the event | Copied from Vendor.eventId |
| Vendor.riskScore, Vendor.eventId | event.kind | Event kind classification | Static value: alert for reports, event for events |
| None | event.module | Module identifier | Static value: dlp |
| Vendor.riskScore | event.risk_score | Risk score for report events | Copied from Vendor.riskScore |
| Vendor.severity | event.severity | Mapped severity based on numeric value | Mapped from Vendor.severity using severity mapping |
| Vendor.act | event.type[] | Event type classification | Array populated based on event conditions |
| Vendor.fname (indirect) | file.extension | File extension | Extracted from file name using regex pattern |
| Vendor.fname | file.name | File name | Extracted from Vendor.fname using string splitting |
| Vendor.fname | file.size | File size in bytes | Extracted from Vendor.fname and converted to bytes |
| None | file.type | File type identifier | Static value: file |
| Vendor.riskScore (indirect) | host.risk.calculated_score | Risk score mapped to host risk | Copied from event.risk_score |
| Vendor.msg | rule.name | Name of the rule that triggered | Copied from Vendor.msg |
| Vendor.sourceIp | source.address | Source IP address | Copied from Vendor.sourceIp when not N/A |
| Vendor.sourceHost | source.domain | Source host domain | Copied from Vendor.sourceHost when not N/A |
| Vendor.sourceIp (indirect) | source.ip | Source IP address | Copied from source.address |
| Vendor.severityType | threat.indicator.confidence | Confidence level of the threat indicator | Copied from Vendor.severityType |
| Vendor.caseDescription | threat.indicator.description | Description of the threat indicator | Copied from Vendor.caseDescription |
| Vendor.numberOfIncidents | threat.indicator.sightings | Number of incidents related to the threat | Copied from Vendor.numberOfIncidents |
| Vendor.loginName | user.domain | Domain extraction from username | Extracted from Vendor.loginName using regex pattern |
| Vendor.duser | user.email | User email address | Copied from Vendor.duser |
| Vendor.loginName | user.name | Username | Extracted from Vendor.loginName using regex pattern |
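As an added example, not the parser's own code, the following Python applies the mappings in the table above to one constructed Vendor.* record, including the timestamp format and the "when not N/A" gating. The DOMAIN\user layout of Vendor.loginName, the strptime rendering of the timestamp pattern and treating Vendor.fname as a bare file name are assumptions; the severity mapping, the file.size conversion and the event.category/event.type conditions are left out because the page does not specify them.

```python
import re
from datetime import datetime

# Constructed sample record; keys follow the Vendor.* column in the table.
SAMPLE_EVENT = {
    "caseDateAndTime": "05 Mar. 2024, 3:14:07 PM",
    "name": "dlp-agent-01", "device": {"version": "8.9.1"},
    "destinationHosts": "N/A", "sourceServiceName": "Email",
    "eventId": "12345", "fname": "quarterly-results.xlsx",
    "msg": "Credit card numbers", "sourceIp": "10.0.0.5",
    "sourceHost": "wks-17", "duser": "jdoe@example.com",
    "loginName": "CORP\\jdoe",  # DOMAIN\user layout is an assumption
}
# strptime equivalent of the documented pattern "dd MMM. yyyy, h:mm:ss a"
TIMESTAMP_FORMAT = "%d %b. %Y, %I:%M:%S %p"
# Assumed DOMAIN\user regex; the table only says "regex pattern".
LOGIN_RE = re.compile(r"^(?:(?P<domain>[^\\]+)\\)?(?P<name>.+)$")
EXTENSION_RE = re.compile(r"\.([^./\\]+)$")

def not_na(value):
    """Return value unless it is missing or the literal N/A."""
    return None if value in (None, "", "N/A") else value

def normalize(vendor):
    """Map one Vendor.* record to the CPS/ECS fields listed above."""
    ecs = {
        "@timestamp": datetime.strptime(vendor["caseDateAndTime"], TIMESTAMP_FORMAT),
        "agent.name": vendor.get("name"), "agent.type": "dlp",
        "agent.version": vendor.get("device", {}).get("version"),
        "ecs.version": "8.17.0", "event.module": "dlp",
        "event.dataset": "dlp.event", "event.kind": "event",
        "event.action": vendor.get("sourceServiceName"),
        "event.id": vendor.get("eventId"), "rule.name": vendor.get("msg"),
        "file.name": vendor.get("fname"), "file.type": "file",
        "user.email": vendor.get("duser"),
    }
    # "when not N/A" fields stay absent rather than carrying the literal N/A.
    for src, dst in (("destinationHosts", "destination.domain"),
                     ("sourceIp", "source.address"), ("sourceHost", "source.domain")):
        if not_na(vendor.get(src)) is not None:
            ecs[dst] = vendor[src]
    if "source.address" in ecs:  # source.ip is copied from source.address
        ecs["source.ip"] = ecs["source.address"]
    if ext := EXTENSION_RE.search(ecs["file.name"] or ""):
        ecs["file.extension"] = ext.group(1)
    if login := LOGIN_RE.match(vendor.get("loginName") or ""):
        ecs["user.name"] = login.group("name")
        if login.group("domain"):
            ecs["user.domain"] = login.group("domain")
    return {k: v for k, v in ecs.items() if v is not None}
```

Running `normalize(SAMPLE_EVENT)` drops destination.domain because the sample carries N/A, while source.ip is filled from source.address as the table describes.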