Parsers and Generated Fields

Tag Fields Created by Parser imperva-cloudwaf

- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type

Fields Identified by Parser imperva-cloudwaf

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.start | @timestamp | Event timestamp | Parsed from Vendor.start using millis format |
| Vendor.src | client.address | Client address | Copied from Vendor.src with lowercase transformation |
| Vendor.in | client.bytes | Number of bytes from client | Copied from Vendor.in |
| Vendor.sourceServiceName | client.domain | Client domain name | Parsed from Vendor.sourceServiceName with lowercase transformation |
| Vendor.cicode | client.geo.city_name | Client city name | Copied from Vendor.cicode |
| Vendor.ccode | client.geo.country_iso_code | Client country code | Copied from Vendor.ccode |
| Vendor.latitude | client.geo.location.lat | Client latitude | Copied from Vendor.latitude |
| Vendor.longitude | client.geo.location.lon | Client longitude | Copied from Vendor.longitude |
| client.address | client.ip | Client IP address | Conditional assignment from client.address when valid IP |
| Vendor.cpt | client.port | Client port | Copied from Vendor.cpt |
| Vendor.sip | destination.address | Destination address | Copied from Vendor.sip with lowercase transformation |
| Vendor.dhost | destination.domain | Destination domain name | Copied from Vendor.dhost with lowercase transformation |
| destination.address | destination.ip | Destination IP address | Conditional assignment from destination.address when valid IP |
| Vendor.spt | destination.port | Destination port | Copied from Vendor.spt |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.act | event.action | Action taken on the event | Copied from Vendor.act |
| Vendor.name | event.category[] | Event category classification | Array populated based on Vendor.name conditions |
| Vendor.end | event.end | Event end timestamp | Copied from Vendor.end |
| Vendor.id | event.id | Event identifier | Copied from Vendor.id |
| Vendor.name | event.kind | Event kind classification | Conditional assignment based on Vendor.name |
| None | event.module | Event module identifier | Static value: cloudwaf |
| http.response.status_code | event.outcome | Event outcome | Conditional assignment based on http.response.status_code |
| Vendor.severity | event.risk_score | Numeric risk score | Copied from Vendor.severity when numeric |
| event.risk_score, host.risk.calculated_level | event.severity | Event severity level | Mapped from event.risk_score or host.risk.calculated_level |
| Vendor.start | event.start | Event start timestamp | Copied from Vendor.start |
| Vendor.name | event.type[] | Event type classification | Array populated based on Vendor.name conditions |
| Vendor.severity | host.risk.calculated_level | Text-based risk level | Copied from Vendor.severity when text |
| Vendor.requestMethod | http.request.method | HTTP request method | Copied from Vendor.requestMethod |
| Vendor.ref | http.request.referrer | HTTP referrer URL | Copied from Vendor.ref |
| Vendor.cn1 | http.response.status_code | HTTP response status code | Copied from Vendor.cn1 |
| Vendor.in | network.bytes | Total bytes transferred | Copied from Vendor.in |
| Vendor.xff | network.forwarded_ip | Forwarded IP address | Copied from Vendor.xff |
| Vendor.app | network.protocol | Network protocol | Copied from Vendor.app with lowercase transformation |
| source.address, client.address, destination.address, server.address | network.type | Network type (ipv4/ipv6) | Conditional assignment based on address CIDR validation |
| Vendor.device.product | observer.product | Observer product name | Copied from Vendor.device.product |
| Vendor.device.vendor | observer.vendor | Observer vendor name | Copied from Vendor.device.vendor |
| Vendor.device.version | observer.version | Observer version | Copied from Vendor.device.version |
| Vendor.name | rule.name | Rule name that triggered the event | Copied from Vendor.name |
| Vendor.sip | server.address | Server address | Copied from Vendor.sip with lowercase transformation |
| server.address | server.domain | Server domain name | Conditional assignment from server.address when not valid IP |
| server.address | server.ip | Server IP address | Conditional assignment from server.address when valid IP |
| Vendor.spt | server.port | Server port | Copied from Vendor.spt |
| Vendor.src | source.address | Source address | Copied from Vendor.src with lowercase transformation |
| Vendor.in | source.bytes | Number of bytes from source | Copied from Vendor.in |
| Vendor.sourceServiceName | source.domain | Source domain name | Parsed from Vendor.sourceServiceName with lowercase transformation |
| Vendor.cicode | source.geo.city_name | Source city name | Copied from Vendor.cicode |
| Vendor.ccode | source.geo.country_iso_code | Source country code | Copied from Vendor.ccode |
| source.geo.country_iso_code | source.geo.country_name | Source country name | Mapped from source.geo.country_iso_code using country lookup |
| Vendor.latitude | source.geo.location.lat | Source latitude | Copied from Vendor.latitude |
| Vendor.longitude | source.geo.location.lon | Source longitude | Copied from Vendor.longitude |
| source.geo.country_iso_code | source.geo.region_iso_code | Source region ISO code | Mapped from source.geo.country_iso_code using region lookup |
| source.geo.country_iso_code | source.geo.region_name | Source region name | Mapped from source.geo.country_iso_code using region lookup |
| source.address | source.ip | Source IP address | Conditional assignment from source.address when valid IP |
| Vendor.cpt | source.port | Source port | Copied from Vendor.cpt |
| Vendor.request | url.original | Original URL | Copied from Vendor.request |
| Vendor.qstr | url.query | URL query string | Copied from Vendor.qstr |
| Vendor.requestClientApplication | user_agent.original | User agent string | Copied from Vendor.requestClientApplication |