Parsers and Generated Fields

Tag Fields Created by Parser microsoft-windows-dhcp-server

- #Cps.version
- #Vendor
- #ecs.version
- #event.dataset
- #event.kind
- #event.module
- #event.outcome
- #observer.type

Fields Identified by Parser microsoft-windows-dhcp-server

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.Date, Vendor.Time | @timestamp | Event timestamp | Parsed from Vendor.Date and Vendor.Time using format MM/dd/yy HH:mm:ss |
| source.address | client.address | Client address | Copied from source.address |
| source.ip | client.ip | Client IP address | Copied from source.ip |
| source.mac | client.mac | Client MAC address | Copied from source.mac |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.Error_Code, Vendor.DnsRegError | error.code | Error code | Copied from Vendor.Error_Code or Vendor.DnsRegError |
| Vendor.ID | event.action | Event action | Static value based on event ID |
| Vendor.ID | event.category[] | Event categories | Array populated based on event ID conditions |
| None | event.dataset | Dataset identifier | Static value: windows.dhcp-server |
| Vendor.ID | event.id | Event identifier | Copied from Vendor.ID |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module name | Static value: windows |
| Vendor.ID, Vendor.Description | event.outcome | Event outcome | Conditional assignment based on event ID or description |
| Vendor.ID | event.reason | Event reason description | Static value based on event ID |
| Vendor.ID | event.type[] | Event types | Array populated based on event ID conditions |
| network.type | network.protocol | Network protocol | Static value: dhcp or dhcpv6 based on network.type |
| None | network.transport | Network transport protocol | Static value: udp |
| None | network.type | Network protocol type | Static value: ipv4 or ipv6 based on log type |
| source.ip, source.domain | source.address | Source address | Copied from coalesce of source.ip or source.domain |
| Vendor.Host_Name | source.domain | Source domain name | Copied from Vendor.Host_Name with lowercase transformation |
| Vendor.IP_Address, Vendor.IPv6_Address | source.ip | Source IP address | Copied from coalesce of Vendor.IP_Address or Vendor.IPv6_Address with CIDR validation |
| Vendor.Mac_Address | source.mac | Source MAC address | Copied from Vendor.Mac_Address with uppercase and dash formatting |
| Vendor.User_Name, Vendor.UserClass_Ascii | user.name | Username | Copied from coalesce of Vendor.User_Name or Vendor.UserClass_Ascii |