Parsers and Generated Fields
Tag Fields Created by Parser microsoft-sysmon
- Cps.version
- Vendor
- ecs.version
- event.dataset
- event.kind
- event.module
- event.outcome
- observer.type
Fields Identified by Parser microsoft-sysmon
| CPS Field | Method | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | Vendor.EventID |
| `event.type[]` | Array | Vendor.EventID |
| `destination.domain` | Copied | Vendor.EventData.DestinationHostname |
| `destination.ip` | Copied | Vendor.EventData.DestinationIp |
| `destination.port` | Copied | Vendor.EventData.DestinationPort |
| `dns.question.name` | Copied | Vendor.EventData.QueryName |
| `error.code` | Copied | Vendor.EventData.ID |
| `file.code_signature.exists` | Copied | Vendor.EventData.Signed |
| `file.code_signature.status` | Copied | Vendor.EventData.SignatureStatus |
| `file.code_signature.subject_name` | Copied | Vendor.EventData.Signature |
| `file.hash.md5` | Copied | Vendor.EventData.Hashes.MD5 |
| `file.hash.sha1` | Copied | Vendor.EventData.Hashes.SHA1 |
| `file.hash.sha256` | Copied | Vendor.EventData.Hashes.SHA256 |
| `file.name` | Copied | Vendor.EventData.PipeName |
| `file.path` | Copied | Vendor.EventData.TargetFilename, Vendor.EventData.Device, Vendor.EventData.ImageLoaded |
| `file.pe.company` | Copied | Vendor.EventData.Company |
| `file.pe.description` | Copied | Vendor.EventData.Description |
| `file.pe.file_version` | Copied | Vendor.EventData.FileVersion |
| `file.pe.imphash` | Copied | Vendor.EventData.Hashes.IMPHASH |
| `file.pe.original_file_name` | Copied | Vendor.EventData.OriginalFileName |
| `file.pe.product` | Copied | Vendor.EventData.Product |
| `network.transport` | Copied | Vendor.EventData.Protocol |
| `process.command_line` | Copied | Vendor.EventData.CommandLine |
| `process.entity_id` | Copied | Vendor.EventData.ProcessGuid, Vendor.EventData.SourceProcessGuid |
| `process.executable` | Copied | Vendor.EventData.Image, Vendor.EventData.SourceImage, Vendor.EventData.Destination |
| `process.hash.md5` | Copied | Vendor.EventData.Hashes.MD5 |
| `process.hash.sha1` | Copied | Vendor.EventData.Hashes.SHA1 |
| `process.hash.sha256` | Copied | Vendor.EventData.Hashes.SHA256 |
| `process.parent.command_line` | Copied | Vendor.EventData.ParentCommandLine |
| `process.parent.entity_id` | Copied | Vendor.EventData.ParentProcessGuid |
| `process.parent.executable` | Copied | Vendor.EventData.ParentImage |
| `process.parent.pid` | Copied | Vendor.EventData.ParentProcessId |
| `process.pe.company` | Copied | Vendor.EventData.Company |
| `process.pe.description` | Copied | Vendor.EventData.Description |
| `process.pe.file_version` | Copied | Vendor.EventData.FileVersion |
| `process.pe.imphash` | Copied | Vendor.EventData.Hashes.IMPHASH |
| `process.pe.original_file_name` | Copied | Vendor.EventData.OriginalFileName |
| `process.pe.product` | Copied | Vendor.EventData.Product |
| `process.pid` | Copied | Vendor.EventData.ProcessId, Vendor.EventData.SourceProcessId |
| `process.thread.id` | Copied | Vendor.EventData.SourceThreadId |
| `process.working_directory` | Copied | Vendor.EventData.CurrentDirectory |
| `registry.path` | Copied | Vendor.EventData.TargetObject |
| `rule.name` | Copied | Vendor.EventData.RuleName |
| `source.domain` | Copied | Vendor.EventData.SourceHostname |
| `source.ip` | Copied | Vendor.EventData.SourceIp |
| `source.port` | Copied | Vendor.EventData.SourcePort |
| `user.id` | Copied | Vendor.winlog.user.identifier |
| `dns.answers.data[]` | Extracted | Vendor.EventData.QueryResults |
| `process.name` | Extracted | process.executable |
| `process.parent.name` | Extracted | process.parent.executable |
| `registry.hive` | Extracted | Vendor.EventData.TargetObject |
| `registry.key` | Extracted | Vendor.EventData.TargetObject |
| `registry.value` | Extracted | Vendor.EventData.TargetObject |
| `user.domain` | Extracted | Vendor.EventData.User |
| `user.name` | Extracted | Vendor.EventData.User |
| `dns.answers.type[]` | Mapped | Vendor.EventData.QueryResults |
| `@timestamp` | Parsed | Vendor.TimeCreated |
| `ecs.version` | Static | None |
| `event.action` | Static | Vendor.EventID |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `file.code_signature.valid` | Static | Vendor.EventData.SignatureStatus |
| `network.direction` | Static | Vendor.EventData.Initiated |
| `network.protocol` | Static | Vendor.EventData.DestinationPortName, Vendor.EventData.SourcePortName |
| `network.type` | Static | Vendor.EventData.SourceIsIpv6 |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.EventData.DestinationIp | destination.ip | |
| Vendor.EventData.DestinationPort | destination.port | |
| Vendor.EventData.QueryName | dns.question.name | |
| Vendor.EventData.Signed | file.code_signature.exists | |
| Vendor.EventData.SignatureStatus | file.code_signature.status | |
| Vendor.EventData.Signature | file.code_signature.subject_name | |
| Vendor.EventData.PipeName | file.name | |
| Vendor.EventData.ImageLoaded | file.path | |
| Vendor.EventData.Hashes.IMPHASH | file.pe.imphash | |
| Vendor.EventData.SourcePortName | network.protocol | |
| Vendor.EventData.Protocol | network.transport | |
| Vendor.EventData.CommandLine | process.command_line | |
| Vendor.EventData.ProcessGuid | process.entity_id | |
| Vendor.EventData.SourceProcessGUID | process.entity_id | |
| Vendor.EventData.Destination | process.executable | |
| Vendor.EventData.ParentCommandLine | process.parent.command_line | |
| Vendor.EventData.ParentProcessGuid | process.parent.entity_id | |
| Vendor.EventData.ParentImage | process.parent.executable | |
| Vendor.EventData.ParentProcessId | process.parent.pid | |
| Vendor.EventData.Hashes.IMPHASH | process.pe.imphash | |
| Vendor.EventData.SourceProcessId | process.pid | |
| Vendor.EventData.SourceThreadId | process.thread.id | |
| Vendor.EventData.CurrentDirectory | process.working_directory | |
| Vendor.EventData.TargetObject | registry.path | |
| Vendor.EventData.SourceIp | source.ip | |
| Vendor.EventData.SourcePort | source.port | |
| Vendor.winlog.user.identifier | user.id | |