Parsers and Generated Fields
Tag Fields Created by Parser microsoft-windows-dns
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser microsoft-windows-dns
| Vendor Field | CPS Field | Description |
|---|---|---|
| `dns.header_flags[]` | Array | Vendor.Flags |
| `event.category[]` | Array | None |
| `event.type[]` | Array | None |
| `client.address` | Conditionally | Vendor.RemoteIP, Vendor.IP |
| `destination.address` | Conditionally | Vendor.RemoteIP |
| `server.address` | Conditionally | Vendor.RemoteIP |
| `source.address` | Conditionally | Vendor.RemoteIP |
| `client.domain` | Copied | client.address |
| `client.ip` | Copied | client.address |
| `destination.domain` | Copied | destination.address |
| `destination.ip` | Copied | destination.address |
| `dns.answers[0].name` | Copied | Vendor.AnswerName |
| `dns.answers[0].type` | Copied | Vendor.AnswerType |
| `dns.id` | Copied | Vendor.PacketID |
| `dns.op_code` | Copied | Vendor.Opcode |
| `dns.question.type` | Copied | Vendor.QuestionType |
| `dns.response_code` | Copied | Vendor.ResponseCode |
| `event.created` | Copied | Vendor.EventReceivedTime |
| `event.id` | Copied | Vendor.XID |
| `network.transport` | Copied | Vendor.Protocol |
| `process.thread.name` | Copied | Vendor.ThreadID |
| `server.domain` | Copied | server.address |
| `server.ip` | Copied | server.address |
| `source.domain` | Copied | source.address |
| `source.ip` | Copied | source.address |
| `dns.type` | Determined | Vendor.QR, dns.answers.type |
| `network.type` | Determined | Vendor.RemoteIP |
| `error.reason` | Extracted | error.reason |
| `error.message` | Mapped | dns.response_code |
| `network.direction` | Mapped | Vendor.Direction |
| `@timestamp` | Parsed | __timestamp, __timestamp1 |
| `dns.question.name` | Parsed | Vendor.QuestionName |
| `process.thread.id` | Parsed | Vendor.ThreadID |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| Vendor.RemoteIP | client.address | |
| Vendor.IP | client.ip | |
| Vendor.AnswerName | dns.answers[0].name | |
| Vendor.AnswerType | dns.answers[0].type | |
| Vendor.PacketID | dns.id | |
| Vendor.Opcode | dns.op_code | |
| Vendor.QuestionName | dns.question.name | |
| Vendor.QuestionType | dns.question.type | |
| Vendor.ResponseCode | dns.response_code | |
| Vendor.EventReceivedTime | event.created | |
| Vendor.XID | event.id | |
| Vendor.ThreadID | process.thread.name | |
| Vendor.RemoteIP | server.address |