Parsers and Generated Fields

Tag Fields Created by Parser imperva-cwaf
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser imperva-cwaf
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.sip | destination.ip | Destination IP address |
| Vendor.spt | destination.port | Destination port |
| Vendor.act | event.action | Action taken on the event |
| Vendor.end | event.end | Event end timestamp |
| Vendor.id | event.id | Event identifier |
| Vendor.name | event.kind, event.category, event.type | If "Normal", sets event.kind="event", event.category[]="network", event.type[]="info"; otherwise sets event.kind="alert", event.category[]="threat", event.type[]="indicator" |
| http.response.status_code | event.outcome | Sets "success" for 2xx/3xx status codes, "failure" for 4xx/5xx status codes |
| Vendor.severity | event.risk_score | Numeric risk score from CEF severity |
| event.risk_score | event.severity | Maps risk scores to severity levels (0-3→30, 4-6→50, 7-8→70, 9-10→90) |
| host.risk.calculated_level | event.severity | Maps risk levels to severity (minor→30, major→50, critical→70) |
| Vendor.start | event.start | Event start timestamp |
| Vendor.severity | host.risk.calculated_level | Text-based risk level (MINOR, MAJOR, CRITICAL) |
| Vendor.requestMethod | http.request.method | HTTP request method |
| Vendor.ref | http.request.referrer | HTTP referrer URL |
| Vendor.cn1 | http.response.status_code | HTTP response status code |
| Vendor.src | source.address | Source address (could be IP or "Distributed") |
| Vendor.in | source.bytes | Number of bytes from source |
| Vendor.sourceServiceName | source.domain | Source domain name (converted to lowercase) |
| Vendor.cicode | source.geo.city_name | Source city name |
| Vendor.ccode | source.geo.country_iso_code | Source country code |
| Vendor.latitude | source.geo.location.lat | Source latitude |
| Vendor.longitude | source.geo.location.lon | Source longitude |
| source.address | source.ip | Source IP address (only if valid IP) |
| Vendor.cpt | source.port | Source port |
| Vendor.requestClientApplication | user_agent.original | User agent string |
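The derived fields in the table above (event.kind/category/type from Vendor.name, event.outcome from the status code, event.severity from either a numeric or a text CEF severity, source.ip only for a valid address) as a Python model of the mapping rules; this is an added example, not the parser's own code, and the choice of which severity path applies to a numeric versus a text severity value is an assumption. The sample records are constructed.

```python
import ipaddress

# Severity-to-event.severity mappings as documented for parser imperva-cwaf
NUMERIC_SEVERITY = ((0, 3, 30), (4, 6, 50), (7, 8, 70), (9, 10, 90))
TEXT_SEVERITY = {"minor": 30, "major": 50, "critical": 70}

def derive_event_fields(vendor: dict) -> dict:
    """Derive the computed ECS/CPS fields from raw CEF extension keys."""
    # Assumption (not stated by the page): numeric severity feeds event.risk_score,
    # text severity (MINOR/MAJOR/CRITICAL) feeds host.risk.calculated_level.
    ecs = {}
    # event.kind / event.category / event.type from the CEF name
    if vendor.get("name") == "Normal":
        ecs.update({"event.kind": "event", "event.category": ["network"], "event.type": ["info"]})
    else:
        ecs.update({"event.kind": "alert", "event.category": ["threat"], "event.type": ["indicator"]})
    # cn1 -> http.response.status_code -> event.outcome by status class
    if "cn1" in vendor:
        status = int(vendor["cn1"])
        ecs["http.response.status_code"] = status
        if 200 <= status <= 399:
            ecs["event.outcome"] = "success"
        elif 400 <= status <= 599:
            ecs["event.outcome"] = "failure"
    # numeric severity -> risk_score -> severity; text severity -> level -> severity
    sev = str(vendor.get("severity", ""))
    if sev.isdigit():
        ecs["event.risk_score"] = int(sev)
        for low, high, level in NUMERIC_SEVERITY:
            if low <= int(sev) <= high:
                ecs["event.severity"] = level
    elif sev.lower() in TEXT_SEVERITY:
        ecs["host.risk.calculated_level"] = sev.upper()
        ecs["event.severity"] = TEXT_SEVERITY[sev.lower()]
    # source.address keeps the raw value; source.ip only when it is a valid IP
    if "src" in vendor:
        ecs["source.address"] = vendor["src"]
        try:
            ecs["source.ip"] = str(ipaddress.ip_address(vendor["src"]))
        except ValueError:
            pass  # e.g. "Distributed" stays in source.address only
    if "sourceServiceName" in vendor:
        ecs["source.domain"] = vendor["sourceServiceName"].lower()
    return ecs

# Constructed sample records (not real Imperva events)
NORMAL_HIT = {"name": "Normal", "cn1": "200", "severity": "2",
              "src": "203.0.113.10", "sourceServiceName": "Example.COM"}
BLOCKED_DDOS = {"name": "DDoS", "cn1": "403", "severity": "CRITICAL", "src": "Distributed"}
```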