Parsers and Generated Fields
Tag Fields Created by Parser island-enterprisebrowser
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser island-enterprisebrowser
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Action type for admin actions | Vendor.action | | event.action |
| Hostname converted to lowercase | Vendor.hostname | | host.hostname |
| Direct assignment of user email address | Vendor.message.email | | user.email |
| Target user ID for admin actions | Vendor.message.entityId | | user.target.id |
| Target user name for admin actions | Vendor.message.entityName | | user.target.name |
| Public/NAT IP address | Vendor.message.publicIp | | source.nat.ip |
| ID of the rule that triggered | Vendor.message.ruleId | | rule.id |
| Name of the rule that triggered | Vendor.message.ruleName | | rule.name |
| Category and type for network events | Vendor.message.source != AdminAction | | event.category[0] = "network", event.type[0] = "access" |
| Category and type for admin actions | Vendor.message.source = AdminAction | | event.category[0] = "iam", event.type[0] = "admin" |
| Source IP address for network events | Vendor.message.sourceIp | | source.ip |
| Original URL for parsing | Vendor.message.topLevelUrl | | url.original |
| Action type for network events | Vendor.message.type | | event.action |
| Direct assignment of user identifier | Vendor.message.userId | | user.id |
| Username for network events | Vendor.message.userName | | user.name |
| Outcome for allowed verdicts | Vendor.message.verdict = Allowed | | event.outcome = "success" |
| Outcome for blocked verdicts | Vendor.message.verdict = Blocked | | event.outcome = "failure" |
| Domain extracted from URL and converted to lowercase | url.host | | url.domain |