Parsers and Generated Fields
Tag Fields Created by Parser microsoft-sysmon
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser microsoft-sysmon
| Source Field | CPS Field |
|---|---|
| Vendor.EventData.DestinationIp | destination.ip |
| Vendor.EventData.DestinationPort | destination.port |
| Vendor.EventData.QueryName | dns.question.name |
| Vendor.EventData.ID; | error.code |
| Vendor.EventData.Signed | file.code_signature.exists |
| Vendor.EventData.SignatureStatus | file.code_signature.status |
| Vendor.EventData.Signature | file.code_signature.subject_name |
| Vendor.EventData.PipeName | file.name |
| Vendor.EventData.Device | file.path |
| Vendor.EventData.ImageLoaded | file.path |
| Vendor.EventData.TargetFilename | file.path |
| Vendor.EventData.Company | file.pe.company |
| Vendor.EventData.Description | file.pe.description |
| Vendor.EventData.FileVersion | file.pe.file_version |
| Vendor.EventData.Hashes.IMPHASH | file.pe.imphash |
| Vendor.EventData.OriginalFileName | file.pe.original_file_name |
| Vendor.EventData.Product | file.pe.product |
| Vendor.EventData.DestinationPortName | network.protocol |
| Vendor.EventData.SourcePortName | network.protocol |
| Vendor.EventData.Protocol | network.transport |
| Vendor.EventData.CommandLine | process.command_line |
| Vendor.EventData.ProcessGuid | process.entity_id |
| Vendor.EventData.SourceProcessGUID | process.entity_id |
| Vendor.EventData.SourceProcessGuid | process.entity_id |
| Vendor.EventData.Destination | process.executable |
| Vendor.EventData.Image | process.executable |
| Vendor.EventData.SourceImage | process.executable |
| Vendor.EventData.ParentCommandLine | process.parent.command_line |
| Vendor.EventData.ParentProcessGuid | process.parent.entity_id |
| Vendor.EventData.ParentImage | process.parent.executable |
| Vendor.EventData.ParentProcessId | process.parent.pid |
| Vendor.EventData.Company | process.pe.company |
| Vendor.EventData.Description | process.pe.description |
| Vendor.EventData.FileVersion | process.pe.file_version |
| Vendor.EventData.Hashes.IMPHASH | process.pe.imphash |
| Vendor.EventData.OriginalFileName | process.pe.original_file_name |
| Vendor.EventData.Product | process.pe.product |
| Vendor.EventData.ProcessId | process.pid |
| Vendor.EventData.SourceProcessId | process.pid |
| Vendor.EventData.SourceThreadId | process.thread.id |
| Vendor.EventData.CurrentDirectory | process.working_directory |
| Vendor.EventData.TargetObject | registry.path |
| rename(Vendor.EventData.RuleName) | rule.name |
| Vendor.EventData.SourceIp | source.ip |
| Vendor.EventData.SourcePort | source.port |
| Vendor.winlog.user.identifier | user.id |
Tag Fields Created by Parser sysmon
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser sysmon
| Source Field | CPS Field |
|---|---|
| Vendor.EventData.DestinationIp | destination.ip |
| Vendor.EventData.DestinationPort | destination.port |
| Vendor.EventData.QueryName | dns.question.name |
| Vendor.EventData.ID; | error.code |
| Vendor.EventData.Signed | file.code_signature.signed |
| Vendor.EventData.SignatureStatus | file.code_signature.status |
| Vendor.EventData.Signature | file.code_signature.subject_name |
| Vendor.EventData.PipeName | file.name |
| Vendor.EventData.Device; | file.path |
| Vendor.EventData.ImageLoaded | file.path |
| Vendor.EventData.TargetFilename; | file.path |
| Vendor.EventData.Company; | file.pe.company |
| Vendor.EventData.Description; | file.pe.description |
| Vendor.EventData.FileVersion; | file.pe.file_version |
| Vendor.EventData.Hashes.IMPHASH | file.pe.imphash |
| Vendor.EventData.OriginalFileName; | file.pe.original_file_name |
| Vendor.EventData.Product; | file.pe.product |
| Vendor.EventData.DestinationPortName; | network.protocol |
| Vendor.EventData.SourcePortName | network.protocol |
| Vendor.EventData.Protocol | network.transport |
| Vendor.EventData.CommandLine | process.command_line |
| Vendor.EventData.ProcessGuid | process.entity_id |
| Vendor.EventData.SourceProcessGUID | process.entity_id |
| Vendor.EventData.SourceProcessGuid; | process.entity_id |
| Vendor.EventData.Destination | process.executable |
| Vendor.EventData.Image; | process.executable |
| Vendor.EventData.SourceImage; | process.executable |
| Vendor.EventData.ParentCommandLine | process.parent.command_line |
| Vendor.EventData.ParentProcessGuid | process.parent.entity_id |
| Vendor.EventData.ParentImage | process.parent.executable |
| Vendor.EventData.ParentProcessId | process.parent.pid |
| Vendor.EventData.Company; | process.pe.company |
| Vendor.EventData.Description; | process.pe.description |
| Vendor.EventData.FileVersion; | process.pe.file_version |
| Vendor.EventData.Hashes.IMPHASH | process.pe.imphash |
| Vendor.EventData.OriginalFileName; | process.pe.original_file_name |
| Vendor.EventData.Product; | process.pe.product |
| Vendor.EventData.ProcessId; | process.pid |
| Vendor.EventData.SourceProcessId | process.pid |
| Vendor.EventData.SourceThreadId | process.thread.id |
| Vendor.EventData.CurrentDirectory | process.working_directory |
| Vendor.EventData.TargetObject | registry.path |
| Vendor.EventData.RuleName; | rule.name |
| Vendor.EventData.SourceIp | source.ip |
| Vendor.EventData.SourcePort | source.port |
| Vendor.winlog.user.identifier | user.id |