Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser microsoft-sysmon

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser microsoft-sysmon

Vendor Field	CPS Field	Description
Vendor.EventData.DestinationHostname	destination.domain	Destination hostname, converted to lowercase
Vendor.EventData.DestinationIp	destination.ip	Destination IP address
Vendor.EventData.DestinationPort	destination.port	Destination port
Vendor.EventData.QueryName	dns.question.name	DNS query name
Vendor.EventData.Signed	file.code_signature.exists	Whether file is signed
Vendor.EventData.SignatureStatus	file.code_signature.status	Signature status
Vendor.EventData.Signature	file.code_signature.subject_name	Signature information
Vendor.EventData.Hashes.MD5	file.hash.md5	For EventIDs 6, 7, 15, 29, converted to lowercase
Vendor.EventData.Hashes.SHA1	file.hash.sha1	For EventIDs 6, 7, 15, 29, converted to lowercase
Vendor.EventData.Hashes.SHA256	file.hash.sha256	For EventIDs 6, 7, 15, 29, converted to lowercase
Vendor.EventData.PipeName	file.name	Pipe name
Vendor.EventData.Device	file.path	When Device exists
Vendor.EventData.ImageLoaded	file.path	When neither TargetFilename nor Device exist
Vendor.EventData.TargetFilename	file.path	When TargetFilename exists
Vendor.EventData.Company	file.pe.company	When not "-"
Vendor.EventData.Description	file.pe.description	When not "-"
Vendor.EventData.FileVersion	file.pe.file_version	When not "-"
Vendor.EventData.Hashes.IMPHASH	file.pe.imphash	For EventIDs 6, 7, 15, 29
Vendor.EventData.OriginalFileName	file.pe.original_file_name	When not "-"
Vendor.EventData.Product	file.pe.product	When not "-"
Vendor.EventData.DestinationPortName	network.protocol	When DestinationPortName exists
Vendor.EventData.SourcePortName	network.protocol	When DestinationPortName doesn't exist
Vendor.EventData.Protocol	network.transport	Network protocol
Vendor.EventData.CommandLine	process.command_line	Command line arguments
Vendor.EventData.ProcessGuid	process.entity_id	Process GUID
Vendor.EventData.SourceProcessGUID	process.entity_id	Alternative field for process GUID
Vendor.EventData.SourceProcessGuid	process.entity_id	When SourceProcessGuid exists
Vendor.EventData.Destination	process.executable	When neither Image nor SourceImage exist
Vendor.EventData.Image	process.executable	When Image exists
Vendor.EventData.SourceImage	process.executable	When SourceImage exists
Vendor.EventData.Hashes.MD5	process.hash.md5	For EventIDs 1, 23, 24, 25, 26, converted to lowercase
Vendor.EventData.Hashes.SHA1	process.hash.sha1	For EventIDs 1, 23, 24, 25, 26, converted to lowercase
Vendor.EventData.Hashes.SHA256	process.hash.sha256	For EventIDs 1, 23, 24, 25, 26, converted to lowercase
Vendor.EventData.ParentCommandLine	process.parent.command_line	Parent process command line
Vendor.EventData.ParentProcessGuid	process.parent.entity_id	Parent process GUID
Vendor.EventData.ParentImage	process.parent.executable	Parent process executable path
Vendor.EventData.ParentProcessId	process.parent.pid	Parent process ID
Vendor.EventData.Company	process.pe.company	When not "-"
Vendor.EventData.Description	process.pe.description	When not "-"
Vendor.EventData.FileVersion	process.pe.file_version	When not "-"
Vendor.EventData.Hashes.IMPHASH	process.pe.imphash	For EventIDs 1, 23, 24, 25, 26
Vendor.EventData.OriginalFileName	process.pe.original_file_name	When not "-"
Vendor.EventData.Product	process.pe.product	When not "-"
Vendor.EventData.ProcessId	process.pid	When ProcessId exists
Vendor.EventData.SourceProcessId	process.pid	When ProcessId doesn't exist
Vendor.EventData.SourceThreadId	process.thread.id	Thread ID
Vendor.EventData.CurrentDirectory	process.working_directory	Working directory
Vendor.EventData.TargetObject	registry.path	Registry path for EventIDs 12, 13, 14
Vendor.EventData.RuleName	rule.name	When RuleName exists and is not "-"
Vendor.EventData.SourceHostname	source.domain	Source hostname, converted to lowercase
Vendor.EventData.SourceIp	source.ip	Source IP address
Vendor.EventData.SourcePort	source.port	Source port
Vendor.winlog.user.identifier	user.id	User identifier

Tag Fields Created by Parser sysmon

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser sysmon

Vendor Field	CPS Field	Description
Vendor.EventData.DestinationIp	destination.ip
Vendor.EventData.DestinationPort	destination.port
Vendor.EventData.QueryName	dns.question.name
Vendor.EventData.Signed	file.code_signature.signed
Vendor.EventData.SignatureStatus	file.code_signature.status
Vendor.EventData.Signature	file.code_signature.subject_name
Vendor.EventData.PipeName	file.name
Vendor.EventData.ImageLoaded	file.path
Vendor.EventData.Hashes.IMPHASH	file.pe.imphash
Vendor.EventData.SourcePortName	network.protocol
Vendor.EventData.Protocol	network.transport
Vendor.EventData.CommandLine	process.command_line
Vendor.EventData.ProcessGuid	process.entity_id
Vendor.EventData.SourceProcessGUID	process.entity_id
Vendor.EventData.Destination	process.executable
Vendor.EventData.ParentCommandLine	process.parent.command_line
Vendor.EventData.ParentProcessGuid	process.parent.entity_id
Vendor.EventData.ParentImage	process.parent.executable
Vendor.EventData.ParentProcessId	process.parent.pid
Vendor.EventData.Hashes.IMPHASH	process.pe.imphash
Vendor.EventData.SourceProcessId	process.pid
Vendor.EventData.SourceThreadId	process.thread.id
Vendor.EventData.CurrentDirectory	process.working_directory
Vendor.EventData.TargetObject	registry.path
Vendor.EventData.SourceIp	source.ip
Vendor.EventData.SourcePort	source.port
Vendor.winlog.user.identifier	user.id

Enter search term