Parsers and Generated Fields
Tag Fields Created by Parser sysmon
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser sysmon
| Source Field | LogScale Repository Field |
|---|---|
| Vendor.EventData.DestinationIp | destination.ip |
| Vendor.EventData.DestinationPort | destination.port |
| Vendor.EventData.CurrentDirectory | directory |
| Vendor.EventData.QueryName | dns.question.name |
| Vendor.EventData.ID | error.code |
| Vendor.EventData.PipeName | file.name |
| Vendor.EventData.Device | file.path |
| Vendor.EventData.ImageLoaded | file.path |
| Vendor.EventData.TargetFilename | file.path |
| Vendor.EventData.Company | file.pe.company |
| Vendor.EventData.Description | file.pe.description |
| Vendor.EventData.Hashes.IMPHASH | file.pe.imphash |
| Vendor.EventData.Product | file.pe.product |
| Vendor.EventData.ParentProcessGuid | id |
| Vendor.EventData.ProcessGuid | id |
| Vendor.EventData.SourceProcessGUID | id |
| Vendor.EventData.SourceProcessGuid | id |
| Vendor.EventData.CommandLine | line |
| Vendor.EventData.ParentCommandLine | line |
| Vendor.EventData.OriginalFileName | name |
| Vendor.EventData.Signature | name |
| Vendor.EventData.DestinationPortName | network.protocol |
| Vendor.EventData.SourcePortName | network.protocol |
| Vendor.EventData.Protocol | network.transport |
| Vendor.EventData.Destination | process.executable |
| Vendor.EventData.Image | process.executable |
| Vendor.EventData.SourceImage | process.executable |
| Vendor.EventData.ParentImage | process.parent.executable |
| Vendor.EventData.ParentProcessId | process.parent.pid |
| Vendor.EventData.Company | process.pe.company |
| Vendor.EventData.Description | process.pe.description |
| Vendor.EventData.Hashes.IMPHASH | process.pe.imphash |
| Vendor.EventData.Product | process.pe.product |
| Vendor.EventData.ProcessId | process.pid |
| Vendor.EventData.SourceProcessId | process.pid |
| Vendor.EventData.SourceThreadId | process.thread.id |
| Vendor.EventData.TargetObject | registry.path |
| Vendor.EventData.RuleName | rule.name |
| Vendor.EventData.Signed | signature.signed |
| Vendor.EventData.SignatureStatus | signature.status |
| Vendor.EventData.SourceIp | source.ip |
| Vendor.EventData.SourcePort | source.port |
| Vendor.winlog.user.identifier | user.id |
| Vendor.EventData.FileVersion | version |