Parsers and Generated Fields
Tag Fields Created by Parser island-enterprisebrowser
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser island-enterprisebrowser
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.action | event.action | Action type for admin actions | |
| Vendor.hostname | host.hostname | Hostname converted to lowercase | |
| Vendor.message.email | user.email | Direct assignment of user email address | |
| Vendor.message.entityId | user.target.id | Target user ID for admin actions | |
| Vendor.message.entityName | user.target.name | Target user name for admin actions | |
| Vendor.message.publicIp | source.nat.ip | Public/NAT IP address | |
| Vendor.message.ruleId | rule.id | ID of the rule that triggered | |
| Vendor.message.ruleName | rule.name | Name of the rule that triggered | |
| Vendor.message.source != AdminAction | event.category[0] = "network", event.type[0] = "access" | Category and type for network events | |
| Vendor.message.source = AdminAction | event.category[0] = "iam", event.type[0] = "admin" | Category and type for admin actions | |
| Vendor.message.sourceIp | source.ip | Source IP address for network events | |
| Vendor.message.topLevelUrl | url.original | Original URL for parsing | |
| Vendor.message.type | event.action | Action type for network events | |
| Vendor.message.userId | user.id | Direct assignment of user identifier | |
| Vendor.message.userName | user.name | Username for network events | |
| Vendor.message.verdict = Allowed | event.outcome = "success" | Outcome for allowed verdicts | |
| Vendor.message.verdict = Blocked | event.outcome = "failure" | Outcome for blocked verdicts | |
| url.host | url.domain | Domain extracted from URL and converted to lowercase | |