Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 1 minutes

Parsers and Generated Fields

Tag Fields Created by Parser microsoft-sysmon

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser microsoft-sysmon

Vendor Field	CPS Field	Description
Vendor.EventData.DestinationIp	destination.ip
Vendor.EventData.DestinationPort	destination.port
Vendor.EventData.QueryName	dns.question.name
Vendor.EventData.ID;	error.code
Vendor.EventData.Signed	file.code_signature.exists
Vendor.EventData.SignatureStatus	file.code_signature.status
Vendor.EventData.Signature	file.code_signature.subject_name
Vendor.EventData.PipeName	file.name
Vendor.EventData.Device	file.path
Vendor.EventData.ImageLoaded	file.path
Vendor.EventData.TargetFilename	file.path
Vendor.EventData.Company	file.pe.company
Vendor.EventData.Description	file.pe.description
Vendor.EventData.FileVersion	file.pe.file_version
Vendor.EventData.Hashes.IMPHASH	file.pe.imphash
Vendor.EventData.OriginalFileName	file.pe.original_file_name
Vendor.EventData.Product	file.pe.product
Vendor.EventData.DestinationPortName	network.protocol
Vendor.EventData.SourcePortName	network.protocol
Vendor.EventData.Protocol	network.transport
Vendor.EventData.CommandLine	process.command_line
Vendor.EventData.ProcessGuid	process.entity_id
Vendor.EventData.SourceProcessGUID	process.entity_id
Vendor.EventData.SourceProcessGuid	process.entity_id
Vendor.EventData.Destination	process.executable
Vendor.EventData.Image	process.executable
Vendor.EventData.SourceImage	process.executable
Vendor.EventData.ParentCommandLine	process.parent.command_line
Vendor.EventData.ParentProcessGuid	process.parent.entity_id
Vendor.EventData.ParentImage	process.parent.executable
Vendor.EventData.ParentProcessId	process.parent.pid
Vendor.EventData.Company	process.pe.company
Vendor.EventData.Description	process.pe.description
Vendor.EventData.FileVersion	process.pe.file_version
Vendor.EventData.Hashes.IMPHASH	process.pe.imphash
Vendor.EventData.OriginalFileName	process.pe.original_file_name
Vendor.EventData.Product	process.pe.product
Vendor.EventData.ProcessId	process.pid
Vendor.EventData.SourceProcessId	process.pid
Vendor.EventData.SourceThreadId	process.thread.id
Vendor.EventData.CurrentDirectory	process.working_directory
Vendor.EventData.TargetObject	registry.path
rename(Vendor.EventData.RuleName)	rule.name
Vendor.EventData.SourceIp	source.ip
Vendor.EventData.SourcePort	source.port
Vendor.winlog.user.identifier	user.id

Tag Fields Created by Parser sysmon

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser sysmon

Vendor Field	CPS Field	Description
Vendor.EventData.DestinationIp	destination.ip
Vendor.EventData.DestinationPort	destination.port
Vendor.EventData.QueryName	dns.question.name
Vendor.EventData.ID;	error.code
Vendor.EventData.Signed	file.code_signature.signed
Vendor.EventData.SignatureStatus	file.code_signature.status
Vendor.EventData.Signature	file.code_signature.subject_name
Vendor.EventData.PipeName	file.name
Vendor.EventData.Device;	file.path
Vendor.EventData.ImageLoaded	file.path
Vendor.EventData.TargetFilename;	file.path
Vendor.EventData.Company;	file.pe.company
Vendor.EventData.Description;	file.pe.description
Vendor.EventData.FileVersion;	file.pe.file_version
Vendor.EventData.Hashes.IMPHASH	file.pe.imphash
Vendor.EventData.OriginalFileName;	file.pe.original_file_name
Vendor.EventData.Product;	file.pe.product
Vendor.EventData.DestinationPortName;	network.protocol
Vendor.EventData.SourcePortName	network.protocol
Vendor.EventData.Protocol	network.transport
Vendor.EventData.CommandLine	process.command_line
Vendor.EventData.ProcessGuid	process.entity_id
Vendor.EventData.SourceProcessGUID	process.entity_id
Vendor.EventData.SourceProcessGuid;	process.entity_id
Vendor.EventData.Destination	process.executable
Vendor.EventData.Image;	process.executable
Vendor.EventData.SourceImage;	process.executable
Vendor.EventData.ParentCommandLine	process.parent.command_line
Vendor.EventData.ParentProcessGuid	process.parent.entity_id
Vendor.EventData.ParentImage	process.parent.executable
Vendor.EventData.ParentProcessId	process.parent.pid
Vendor.EventData.Company;	process.pe.company
Vendor.EventData.Description;	process.pe.description
Vendor.EventData.FileVersion;	process.pe.file_version
Vendor.EventData.Hashes.IMPHASH	process.pe.imphash
Vendor.EventData.OriginalFileName;	process.pe.original_file_name
Vendor.EventData.Product;	process.pe.product
Vendor.EventData.ProcessId;	process.pid
Vendor.EventData.SourceProcessId	process.pid
Vendor.EventData.SourceThreadId	process.thread.id
Vendor.EventData.CurrentDirectory	process.working_directory
Vendor.EventData.TargetObject	registry.path
Vendor.EventData.RuleName;	rule.name
Vendor.EventData.SourceIp	source.ip
Vendor.EventData.SourcePort	source.port
Vendor.winlog.user.identifier	user.id

Enter search term