Parsers and Generated Fields
Tag Fields Created by Parser juniper-srx
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser juniper-srx
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| @timestamp | @timestamp | Event timestamp in ISO 8601 format | Parsed from timestamp field using parseTimestamp function |
| source.bytes | client.bytes | Bytes sent from client | Copied from source.bytes |
| source.ip | client.ip | Client IP address | Copied from source.ip |
| source.nat.ip | client.nat.ip | Client NAT IP address | Copied from source.nat.ip |
| source.nat.port | client.nat.port | Client NAT port number | Copied from source.nat.port |
| source.packets | client.packets | Packets sent from client | Copied from source.packets |
| source.port | client.port | Client port number | Copied from source.port |
| Vendor.destination-address, Vendor.dst-addr, Vendor.remote-address | destination.address | Destination address before validation | Copied from various vendor destination address fields |
| Vendor.bytes-from-server, Vendor.inbound-bytes | destination.bytes | Bytes sent to destination | Copied from vendor server bytes fields |
| destination.address | destination.ip | Destination IP address | Validated and copied from destination address after CIDR check |
| Vendor.nat-destination-address, Vendor.nat-remote-address | destination.nat.ip | Destination NAT IP address | Copied from vendor NAT destination address |
| Vendor.nat-destination-port | destination.nat.port | Destination NAT port number | Copied from vendor NAT destination port |
| Vendor.packets-from-server, Vendor.inbound-packets | destination.packets | Packets sent to destination | Copied from vendor server packet fields |
| Vendor.destination-port, Vendor.dst-port | destination.port | Destination port number | Copied from various vendor destination port fields |
| None | ecs.version | ECS schema version | Static value: 9.1.0 |
| Vendor.action, log.syslog.msgid | event.action | Action performed | Extracted from vendor action or derived from message type |
| log.syslog.appname, log.syslog.msgid | event.category[] | Event category classification | Array populated based on event type and context |
| log.syslog.appname | event.dataset | Dataset classification (srx.flow, srx.utm, srx.idp, srx.ids, srx.atp, srx.secintel, srx.system) | Conditional based on log.syslog.appname |
| None | event.kind | Event categorization | Conditional: event for ordinary records, alert for security events |
| None | event.module | Event module identifier | Static value: srx |
| log.syslog.priority, event context | event.outcome | Event outcome (success/failure) | Conditional based on log level and event context |
| Vendor.reason | event.reason | Reason for the event | Copied from vendor reason field |
| Vendor.application-risk, Vendor.urlcategory-risk | event.risk_score | Risk score associated with the event | Copied from vendor application risk or URL category risk |
| Vendor.threat-severity | event.severity | Event severity level (10-90) | Mapped from vendor threat severity using severity scale |
| log.syslog.msgid, Vendor.action | event.type[] | Event type classification | Array populated based on event actions and outcomes |
| Vendor.sample-sha256 | file.hash.sha256 | SHA256 file hash | Copied from vendor SHA256 hash (lowercased) |
| Vendor.filename, Vendor.file-name | file.name | File name | Copied from vendor filename fields |
| @rawstring | host.name | Host name from BSD syslog | Extracted from BSD syslog format |
| log.syslog.priority | log.level | Log severity level | Derived from syslog priority using priority mapping |
| @rawstring | log.syslog.appname | Syslog application name | Extracted from syslog header |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog header |
| @rawstring | log.syslog.msgid | Syslog message ID | Extracted from syslog header |
| @rawstring | log.syslog.priority | Syslog priority value | Extracted from syslog header |
| @rawstring | log.syslog.procid | Syslog process ID | Extracted from syslog header |
| @rawstring | log.syslog.structured_data | Syslog structured data | Extracted from syslog structured data section |
| @rawstring | log.syslog.version | Syslog version | Extracted from syslog header |
| source.bytes, destination.bytes | network.bytes | Total network bytes | Calculated as sum of source and destination bytes |
| Vendor.protocol-id | network.iana_number | IANA protocol number | Copied from vendor protocol ID |
| client.packets, server.packets | network.packets | Total network packets | Calculated as sum of client and server packets |
| Vendor.protocol | network.protocol | Network protocol | Copied from vendor protocol (lowercased) |
| network.iana_number, Vendor.protocol-name, Vendor.packet-protocol | network.transport | Network transport protocol | Derived from protocol ID or copied from vendor protocol fields |
| Vendor.destination-interface-name | observer.egress.interface.name | Egress interface name | Copied from vendor destination interface |
| Vendor.destination-zone-name | observer.egress.zone | Egress security zone | Copied from vendor destination zone |
| Vendor.source-interface-name, Vendor.packet-incoming-interface, Vendor.interface-name | observer.ingress.interface.name | Ingress interface name | Copied from various vendor interface fields |
| Vendor.source-zone-name | observer.ingress.zone | Ingress security zone | Copied from vendor source zone |
| None | observer.product | Observer product | Static value: srx |
| None | observer.type | Observer type | Static value: firewall |
| message | process.command_line | Process command line | Extracted from rshd command messages |
| Vendor.pid | process.pid | Process ID | Copied from vendor PID |
| Vendor.policy-name, Vendor.rule-name, Vendor.rulebase-name | rule.name | Rule or policy name | Copied from various vendor rule/policy fields |
| destination.bytes | server.bytes | Bytes sent from server | Copied from destination.bytes |
| destination.ip | server.ip | Server IP address | Copied from destination.ip |
| destination.nat.ip | server.nat.ip | Server NAT IP address | Copied from destination.nat.ip |
| destination.nat.port | server.nat.port | Server NAT port number | Copied from destination.nat.port |
| destination.packets | server.packets | Packets sent from server | Copied from destination.packets |
| destination.port | server.port | Server port number | Copied from destination.port |
| Vendor.client-mode | service.type | Service type | Copied from vendor client mode |
| Vendor.source-address, Vendor.src-addr, Vendor.src-ip-str, Vendor.local-address | source.address | Source address before validation | Copied from various vendor source address fields |
| Vendor.bytes-from-client, Vendor.outbound-bytes | source.bytes | Bytes sent from source | Copied from vendor client bytes fields |
| Vendor.hostname | source.domain | Source domain | Copied from vendor hostname (lowercased) |
| source.address | source.ip | Source IP address | Validated and copied from source address after CIDR check |
| Vendor.nat-source-address, Vendor.nat-local-address | source.nat.ip | Source NAT IP address | Copied from vendor NAT source address |
| Vendor.nat-source-port | source.nat.port | Source NAT port number | Copied from vendor NAT source port |
| Vendor.packets-from-client, Vendor.outbound-packets, Vendor.packets-num | source.packets | Packets sent from source | Copied from vendor client packet fields |
| Vendor.source-port, Vendor.src-port | source.port | Source port number | Copied from various vendor source port fields |
| Vendor.username | source.user.name | Source username | Copied from vendor username |
| Vendor.url, Vendor.http-host | url.domain | URL domain | Copied from vendor URL or HTTP host (lowercased) |
| Vendor.obj | url.path | URL path | Copied from vendor object path |
| source.user.name, Vendor.username | user.name | Username | Copied from source.user.name when available, otherwise from Vendor.username |
| Vendor.class-name | user.roles[] | User roles | Array populated from vendor class name |
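The table above describes the mapping declaratively; the following is an added Python example that carries one flow record through it end to end. It is not the juniper-srx parser's own code (that is a LogScale parser, not Python). The sample line is constructed, laid out as an RFC 5424 message with one junos@ structured-data block; the appname-to-dataset table DATASET_BY_APP, the IANA-number-to-transport map, and the treatment of SRX's "N/A" placeholder as an absent value are all assumptions of this example rather than statements from the page. For the "validated after CIDR check" step the example accepts only well-formed IPv4/IPv6 literals via Python's ipaddress module, so a garbage source-address survives in source.address but never reaches source.ip or client.ip.

```python
import ipaddress
import re
from typing import Any, Dict, Optional

# Constructed RT_FLOW_SESSION_CLOSE sample (not a captured production log).
SAMPLE_LINE = (
    '<14>1 2024-05-01T12:00:00.123Z srx-edge RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" source-port="51234" '
    'destination-address="203.0.113.5" destination-port="443" nat-source-address="198.51.100.1" '
    'nat-source-port="30000" nat-destination-address="203.0.113.5" nat-destination-port="443" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" '
    'packets-from-client="10" bytes-from-client="1500" packets-from-server="8" bytes-from-server="4200" '
    'username="N/A" packet-incoming-interface="ge-0/0/0.0"] session closed'
)
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?:\[(?P<sdid>[^\s\]]+)(?P<sd>[^\]]*)\]|-)(?: (?P<msg>.*))?$')
SD_PARAM_RE = re.compile(r'(?P<k>[^\s=]+)="(?P<v>[^"]*)"')
SYSLOG_LEVELS = ['emergency', 'alert', 'critical', 'error', 'warning', 'notice', 'informational', 'debug']
IANA_TRANSPORT = {1: 'icmp', 6: 'tcp', 17: 'udp', 58: 'ipv6-icmp'}
# Assumed appname -> event.dataset table; the page lists only the dataset values themselves.
DATASET_BY_APP = {'RT_FLOW': 'srx.flow', 'RT_UTM': 'srx.utm', 'RT_IDP': 'srx.idp',
                  'RT_IDS': 'srx.ids', 'RT_AAMW': 'srx.atp', 'RT_SECINTEL': 'srx.secintel'}
# CPS field -> candidate Vendor keys, in the order the mapping table lists them.
INT_FIELDS = {
    'source.port': ('source-port', 'src-port'), 'destination.port': ('destination-port', 'dst-port'),
    'source.nat.port': ('nat-source-port',), 'destination.nat.port': ('nat-destination-port',),
    'source.bytes': ('bytes-from-client', 'outbound-bytes'),
    'destination.bytes': ('bytes-from-server', 'inbound-bytes'),
    'source.packets': ('packets-from-client', 'outbound-packets', 'packets-num'),
    'destination.packets': ('packets-from-server', 'inbound-packets'),
    'network.iana_number': ('protocol-id',),
}
IP_FIELDS = {  # prefix -> keys; *.address keeps the raw value, *.ip is set only after validation
    'source': ('source-address', 'src-addr', 'src-ip-str', 'local-address'),
    'destination': ('destination-address', 'dst-addr', 'remote-address'),
    'source.nat': ('nat-source-address', 'nat-local-address'),
    'destination.nat': ('nat-destination-address', 'nat-remote-address'),
}
STR_FIELDS = {
    'rule.name': ('policy-name', 'rule-name', 'rulebase-name'),
    'observer.ingress.zone': ('source-zone-name',), 'observer.egress.zone': ('destination-zone-name',),
    'observer.ingress.interface.name': ('source-interface-name', 'packet-incoming-interface', 'interface-name'),
    'observer.egress.interface.name': ('destination-interface-name',),
    'event.reason': ('reason',), 'source.user.name': ('username',),
}

def first(vendor: Dict[str, str], keys) -> Optional[str]:
    """First usable candidate. SRX writes 'N/A' into unused fields; treated as absent (assumption)."""
    return next((vendor[k] for k in keys if vendor.get(k) not in (None, '', 'N/A')), None)

def valid_ip(value: str) -> Optional[str]:
    """Promote *.address to *.ip only for a well-formed IPv4/IPv6 literal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def parse_srx(line: str) -> Dict[str, Any]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    pri, vendor = int(m['pri']), dict(SD_PARAM_RE.findall(m['sd'] or ''))
    out: Dict[str, Any] = {
        '@timestamp': m['ts'], 'host.name': m['host'], 'log.syslog.hostname': m['host'],
        'log.syslog.priority': pri, 'log.level': SYSLOG_LEVELS[pri & 7],  # severity = low 3 bits of PRI
        'log.syslog.version': int(m['version']), 'log.syslog.appname': m['app'],
        'log.syslog.procid': m['procid'], 'log.syslog.msgid': m['msgid'],
        'log.syslog.structured_data': m['sdid'], 'Vendor': vendor,
        'event.module': 'srx', 'event.kind': 'event', 'event.dataset': DATASET_BY_APP.get(m['app'], 'srx.system'),
        'observer.product': 'srx', 'observer.type': 'firewall', 'ecs.version': '9.1.0',
    }
    for field, keys in STR_FIELDS.items():
        if (v := first(vendor, keys)) is not None:
            out[field] = v
    for field, keys in INT_FIELDS.items():
        if (v := first(vendor, keys)) is not None and v.isdigit():
            out[field] = int(v)
    for prefix, keys in IP_FIELDS.items():
        if (raw := first(vendor, keys)) is None:
            continue
        if not prefix.endswith('.nat'):
            out[f'{prefix}.address'] = raw  # raw value survives even when it is not an IP
        if (ip := valid_ip(raw)) is not None:
            out[f'{prefix}.ip'] = ip
    # client.*/server.* are straight copies of the validated source.*/destination.* fields.
    for side, ecs in (('client', 'source'), ('server', 'destination')):
        for suffix in ('ip', 'port', 'bytes', 'packets', 'nat.ip', 'nat.port'):
            if f'{ecs}.{suffix}' in out:
                out[f'{side}.{suffix}'] = out[f'{ecs}.{suffix}']
    if 'source.bytes' in out and 'destination.bytes' in out:
        out['network.bytes'] = out['source.bytes'] + out['destination.bytes']
    if 'client.packets' in out and 'server.packets' in out:
        out['network.packets'] = out['client.packets'] + out['server.packets']
    if out.get('network.iana_number') in IANA_TRANSPORT:
        out['network.transport'] = IANA_TRANSPORT[out['network.iana_number']]
    if 'source.user.name' in out:
        out['user.name'] = out['source.user.name']
    return out
```

Calling parse_srx(SAMPLE_LINE) yields log.level informational (PRI 14 is facility 1, severity 6), event.dataset srx.flow, source.ip and client.ip 10.1.1.10, network.bytes 5700 and network.packets 18, with no user.name because the record carries username="N/A". Replacing the source-address value with something that is not an IP literal keeps source.address but leaves source.ip and client.ip unset, which is the behaviour a detection author should expect before writing rules that key on client.ip.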