Parsers and Generated Fields
Tag Fields Created by Parser microsoft-sysmon
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser microsoft-sysmon
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.TimeCreated | @timestamp | Event timestamp | Parsed from timestamp field using conditional format detection |
| Vendor.EventData.DestinationHostname | destination.domain | Destination domain | Copied from DestinationHostname and converted to lowercase |
| Vendor.EventData.DestinationIp | destination.ip | Destination IP address | Copied from DestinationIp |
| Vendor.EventData.DestinationPort | destination.port | Destination port | Copied from DestinationPort |
| Vendor.EventData.QueryResults | dns.answers.data[] | DNS answer data | Extracted from QueryResults using regex pattern |
| Vendor.EventData.QueryResults | dns.answers.type[] | DNS answer type | Mapped from DNS type ID in QueryResults |
| Vendor.EventData.QueryName | dns.question.name | DNS query name | Copied from QueryName |
| None | ecs.version | ECS schema version | Static value: 9.1.0 |
| Vendor.EventData.ID | error.code | Error code | Copied from EventData.ID for error events |
| Vendor.EventID | event.action | Specific action performed | Static value based on EventID mapping |
| Vendor.EventID | event.category[] | Event category classification | Array populated based on EventID conditions |
| None | event.dataset | Dataset identifier | Static value: windows.sysmon |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module name | Static value: windows |
| Vendor.EventID | event.type[] | Event type classification | Array populated based on EventID conditions |
| Vendor.EventData.Signed | file.code_signature.exists | Whether file is signed | Copied from Signed |
| Vendor.EventData.SignatureStatus | file.code_signature.status | Code signature status | Copied from SignatureStatus |
| Vendor.EventData.Signature | file.code_signature.subject_name | Code signature subject | Copied from Signature |
| Vendor.EventData.SignatureStatus | file.code_signature.valid | Code signature validity | Static value based on SignatureStatus evaluation |
| Vendor.EventData.Hashes.MD5 | file.hash.md5 | File MD5 hash | Copied from Hashes.MD5 and converted to lowercase |
| Vendor.EventData.Hashes.SHA1 | file.hash.sha1 | File SHA1 hash | Copied from Hashes.SHA1 and converted to lowercase |
| Vendor.EventData.Hashes.SHA256 | file.hash.sha256 | File SHA256 hash | Copied from Hashes.SHA256 and converted to lowercase |
| Vendor.EventData.PipeName | file.name | File name | Copied from PipeName |
| Vendor.EventData.TargetFilename, Vendor.EventData.Device, Vendor.EventData.ImageLoaded | file.path | File path | Copied from TargetFilename, Device, or ImageLoaded |
| Vendor.EventData.Company | file.pe.company | PE company information | Copied from Company when not "-" |
| Vendor.EventData.Description | file.pe.description | PE description | Copied from Description when not "-" |
| Vendor.EventData.FileVersion | file.pe.file_version | PE file version | Copied from FileVersion when not "-" |
| Vendor.EventData.Hashes.IMPHASH | file.pe.imphash | File PE import hash | Copied from Hashes.IMPHASH for specific EventIDs |
| Vendor.EventData.OriginalFileName | file.pe.original_file_name | Original PE file name | Copied from OriginalFileName when not "-" |
| Vendor.EventData.Product | file.pe.product | PE product information | Copied from Product when not "-" |
| Vendor.EventData.Initiated | network.direction | Network connection direction | Static value based on Initiated field evaluation |
| Vendor.EventData.DestinationPortName, Vendor.EventData.SourcePortName | network.protocol | Network protocol | Static value "dns" for EventID 22, otherwise from PortName fields |
| Vendor.EventData.Protocol | network.transport | Network transport protocol | Copied from Protocol |
| Vendor.EventData.SourceIsIpv6 | network.type | Network type (IPv4/IPv6) | Static value based on SourceIsIpv6 field evaluation |
| Vendor.EventData.CommandLine | process.command_line | Process command line | Copied from CommandLine |
| Vendor.EventData.ProcessGuid, Vendor.EventData.SourceProcessGuid | process.entity_id | Process entity identifier | Copied from ProcessGuid or SourceProcessGuid |
| Vendor.EventData.Image, Vendor.EventData.SourceImage, Vendor.EventData.Destination | process.executable | Process executable path | Copied from Image, SourceImage, or Destination |
| Vendor.EventData.Hashes.MD5 | process.hash.md5 | Process MD5 hash | Copied from Hashes.MD5 and converted to lowercase |
| Vendor.EventData.Hashes.SHA1 | process.hash.sha1 | Process SHA1 hash | Copied from Hashes.SHA1 and converted to lowercase |
| Vendor.EventData.Hashes.SHA256 | process.hash.sha256 | Process SHA256 hash | Copied from Hashes.SHA256 and converted to lowercase |
| process.executable | process.name | Process name | Extracted from executable path using string split |
| Vendor.EventData.ParentCommandLine | process.parent.command_line | Parent process command line | Copied from ParentCommandLine |
| Vendor.EventData.ParentProcessGuid | process.parent.entity_id | Parent process entity identifier | Copied from ParentProcessGuid |
| Vendor.EventData.ParentImage | process.parent.executable | Parent process executable path | Copied from ParentImage |
| process.parent.executable | process.parent.name | Parent process name | Extracted from parent executable path using string split |
| Vendor.EventData.ParentProcessId | process.parent.pid | Parent process identifier | Copied from ParentProcessId |
| Vendor.EventData.Company | process.pe.company | PE company information | Copied from Company when not "-" |
| Vendor.EventData.Description | process.pe.description | PE description | Copied from Description when not "-" |
| Vendor.EventData.FileVersion | process.pe.file_version | PE file version | Copied from FileVersion when not "-" |
| Vendor.EventData.Hashes.IMPHASH | process.pe.imphash | Process PE import hash | Copied from Hashes.IMPHASH for specific EventIDs |
| Vendor.EventData.OriginalFileName | process.pe.original_file_name | Original PE file name | Copied from OriginalFileName when not "-" |
| Vendor.EventData.Product | process.pe.product | PE product information | Copied from Product when not "-" |
| Vendor.EventData.ProcessId, Vendor.EventData.SourceProcessId | process.pid | Process identifier | Copied from ProcessId or SourceProcessId |
| Vendor.EventData.SourceThreadId | process.thread.id | Thread identifier | Copied from SourceThreadId |
| Vendor.EventData.CurrentDirectory | process.working_directory | Process working directory | Copied from CurrentDirectory |
| Vendor.EventData.TargetObject | registry.hive | Registry hive | Extracted from registry path using regex pattern |
| Vendor.EventData.TargetObject | registry.key | Registry key | Extracted from registry path using regex pattern |
| Vendor.EventData.TargetObject | registry.path | Registry path | Copied from TargetObject for registry EventIDs |
| Vendor.EventData.TargetObject | registry.value | Registry value | Extracted from registry path using regex pattern |
| Vendor.EventData.RuleName | rule.name | Name of the rule that triggered the event | Copied from Vendor.EventData.RuleName when it exists and is not "-" |
| Vendor.EventData.SourceHostname | source.domain | Source domain | Copied from SourceHostname and converted to lowercase |
| Vendor.EventData.SourceIp | source.ip | Source IP address | Copied from SourceIp |
| Vendor.EventData.SourcePort | source.port | Source port | Copied from SourcePort |
| Vendor.EventData.User | user.domain | User domain | Extracted from User field using regex pattern and converted to lowercase |
| Vendor.winlog.user.identifier | user.id | User identifier | Copied from user identifier |
| Vendor.EventData.User | user.name | User name | Extracted from User field using regex pattern |
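Several rows above describe the same handful of transformations (lowercasing, dropping the "-" placeholder, regex extraction, splitting a path). The following Python is an added worked example, not the parser's own code, that re-implements those transformations for a constructed Sysmon event so the expected output can be checked row by row. The exact regex patterns, the `HASH=digest,...` layout of the `Hashes` string, the `QueryResults` layout for EventID 22, the registry EventIDs (12, 13, 14) and the numeric DNS type table are assumptions about the parser's behaviour, not values taken from this page.

```python
"""Added example: reference normalisation of selected Sysmon EventData fields
to the CPS field names in the mapping table. Regexes and layouts are assumed."""
import re
from typing import Dict, List, Optional, Tuple

# DNS RR type codes (RFC 1035 / RFC 3596); assumed to be what the parser maps.
DNS_TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}

# Constructed sample event. Fields from several event types are combined for the
# demo and the digests are made-up hex, not real file hashes.
SAMPLE_EVENT = {
    "EventID": 13,
    "EventData": {
        "User": "CORP\\Alice",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Company": "-",
        "Description": "Registry Console Tool",
        "Hashes": "SHA1=AABBCCDD,MD5=00112233,SHA256=FFEEDDCC,IMPHASH=DEADBEEF",
        "QueryResults": "type:  5 www.example.com;::ffff:93.184.216.34;2001:db8::1;",
    },
}


def split_user(user: str) -> Tuple[Optional[str], str]:
    """user.domain / user.name: 'DOMAIN\\name' -> ('domain', 'name'), domain lowercased."""
    m = re.match(r"^(?P<domain>[^\\]+)\\(?P<name>.+)$", user)
    if not m:
        return None, user  # no domain part: keep the whole string as the name
    return m.group("domain").lower(), m.group("name")


def registry_parts(target: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """registry.hive / registry.key / registry.value from TargetObject.
    Assumes the last path component is the value name (EventID 13/14 layout)."""
    m = re.match(r"^(?P<hive>HK[A-Z_]+)\\(?P<key>.+)\\(?P<value>[^\\]+)$", target)
    if not m:
        return None, None, None
    return m.group("hive"), m.group("key"), m.group("value")


def process_name(executable: str) -> str:
    """process.name: last component of the Windows path (string split)."""
    return executable.rsplit("\\", 1)[-1]


def pe_field(value: Optional[str]) -> Optional[str]:
    """Sysmon writes '-' for unknown PE metadata; the table copies only real values."""
    return None if value is None or value == "-" else value


def parse_hashes(hashes: str) -> Dict[str, str]:
    """'SHA1=..,MD5=..' -> {'sha1': '..', 'md5': '..'} with lowercase digests."""
    out: Dict[str, str] = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def parse_query_results(results: str) -> List[Tuple[str, str]]:
    """dns.answers.type[] / dns.answers.data[] from an EventID 22 QueryResults string.
    Assumed layout: ';'-separated entries, 'type: <id> <data>' for non-address
    records, bare addresses otherwise, IPv4 given as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    answers: List[Tuple[str, str]] = []
    for entry in (e.strip() for e in results.split(";")):
        if not entry:
            continue
        m = re.match(r"^type:\s*(\d+)\s+(.*)$", entry)
        if m:
            type_id = int(m.group(1))
            answers.append((DNS_TYPE_NAMES.get(type_id, str(type_id)), m.group(2)))
        elif entry.startswith("::ffff:"):
            answers.append(("A", entry[len("::ffff:"):]))
        else:
            answers.append(("AAAA" if ":" in entry else "A", entry))
    return answers


def normalize(event: dict) -> dict:
    """Map the sample's fields to the CPS names from the table (static values included)."""
    data = event["EventData"]
    out = {"ecs.version": "9.1.0", "event.dataset": "windows.sysmon",
           "event.kind": "event", "event.module": "windows"}
    if "User" in data:
        domain, name = split_user(data["User"])
        out["user.name"] = name
        if domain:
            out["user.domain"] = domain
    if "Image" in data:
        out["process.executable"] = data["Image"]
        out["process.name"] = process_name(data["Image"])
    if "TargetObject" in data and event["EventID"] in (12, 13, 14):  # assumed registry IDs
        out["registry.path"] = data["TargetObject"]
        hive, key, value = registry_parts(data["TargetObject"])
        out.update({"registry.hive": hive, "registry.key": key, "registry.value": value})
    for src, dst in (("Company", "process.pe.company"), ("Description", "process.pe.description")):
        if (v := pe_field(data.get(src))) is not None:
            out[dst] = v
    for algo, digest in parse_hashes(data.get("Hashes", "")).items():
        if algo in ("md5", "sha1", "sha256"):
            out[f"process.hash.{algo}"] = digest
        elif algo == "imphash":
            out["process.pe.imphash"] = digest
    if "QueryResults" in data:
        answers = parse_query_results(data["QueryResults"])
        out["dns.answers.type"] = [t for t, _ in answers]
        out["dns.answers.data"] = [d for _, d in answers]
    return out


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_EVENT).items()):
        print(f"{field}: {value}")
```

Running the block prints the normalised fields for the constructed event; note that `process.pe.company` is absent because the source value was "-", while `process.pe.description` is kept, which is the behaviour the "when not \"-\"" rows describe.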