Parsers and Generated Fields
Tag Fields Created by Parser microsoft-windows-dns
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser microsoft-windows-dns
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| __timestamp, __timestamp1 | @timestamp | Event timestamp | Parsed from timestamp fields using parseTimestamp function |
| Vendor.RemoteIP, Vendor.IP | client.address | Client address | Conditionally mapped based on direction and DNS type |
| client.address | client.domain | Client domain name | Copied from client.address if domain name |
| client.address | client.ip | Client IP address | Copied from client.address if IP address |
| Vendor.RemoteIP | destination.address | Destination address | Conditionally mapped based on direction and DNS type |
| destination.address | destination.domain | Destination domain name | Copied from destination.address if domain name |
| destination.address | destination.ip | Destination IP address | Copied from destination.address if IP address |
| Vendor.AnswerName | dns.answers[0].name | DNS answer record name | Copied from Vendor.AnswerName |
| Vendor.AnswerType | dns.answers[0].type | DNS answer record type | Copied from Vendor.AnswerType |
| Vendor.Flags | dns.header_flags[] | DNS header flags array | Array populated from Vendor.Flags |
| Vendor.PacketID | dns.id | DNS packet identifier | Copied from Vendor.PacketID |
| Vendor.Opcode | dns.op_code | DNS operation code | Copied from Vendor.Opcode |
| Vendor.QuestionName | dns.question.name | DNS question name | Parsed from Vendor.QuestionName with regex transformations |
| Vendor.QuestionType | dns.question.type | DNS question type | Copied from Vendor.QuestionType |
| Vendor.ResponseCode | dns.response_code | DNS response code | Copied from Vendor.ResponseCode |
| Vendor.QR, dns.answers.type | dns.type | DNS message type | Determined by Vendor.QR field and dns.answers.type with conditional logic |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| dns.response_code | error.message | Error description for DNS failures | Mapped from DNS response codes using match statement |
| error.reason | error.reason | Socket failure reason | Extracted from socket failure messages using regex |
| None | event.category[] | Event category array | Array populated with static value: network |
| Vendor.EventReceivedTime | event.created | Event creation timestamp | Copied from Vendor.EventReceivedTime |
| None | event.dataset | Event dataset | Static value: windows.dns-debug |
| Vendor.XID | event.id | DNS transaction ID | Copied from Vendor.XID |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Event module | Static value: windows |
| None | event.type[] | Event type array | Array populated with static value: protocol |
| Vendor.Direction | network.direction | Network packet direction | Mapped based on Vendor.Direction using match statement |
| Vendor.Protocol | network.transport | Network protocol (UDP/TCP) | Copied from Vendor.Protocol with lowercase transformation |
| Vendor.RemoteIP | network.type | Network address type | Determined by IP address format using CIDR matching |
| Vendor.ThreadID | process.thread.id | DNS server process thread ID as integer | Parsed from Vendor.ThreadID using parseInt function |
| Vendor.ThreadID | process.thread.name | DNS server process thread name | Copied from Vendor.ThreadID |
| Vendor.RemoteIP | server.address | Server address | Conditionally mapped based on direction and DNS type |
| server.address | server.domain | Server domain name | Copied from server.address if domain name |
| server.address | server.ip | Server IP address | Copied from server.address if IP address |
| Vendor.RemoteIP | source.address | Source address | Conditionally mapped based on direction and DNS type |
| source.address | source.domain | Source domain name | Copied from source.address if domain name |
| source.address | source.ip | Source IP address | Copied from source.address if IP address |
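Added illustration, not the parser's own code: a small Python normalizer that applies the table's fully specified rules (static values, lowercase transport, parseInt on the thread ID, the IP-vs-domain split, and the address-family rule behind network.type) to one constructed Windows DNS debug-log record. The exact "based on direction and DNS type" logic for client/server/source/destination is not stated on the page, so the Rcv/Snd and Q/R rule below, the decimal radix for the thread ID, and the sample values are assumptions.

```python
import ipaddress

# Constructed record: one Windows DNS debug-log event after field extraction,
# keyed by the Vendor.* source fields from the table. Not a real capture.
SAMPLE_EVENT = {
    "Vendor.RemoteIP": "198.51.100.23", "Vendor.Direction": "Rcv",
    "Vendor.QR": " ", "Vendor.Protocol": "UDP", "Vendor.ThreadID": "3912",
    "Vendor.PacketID": "000001D2A5F0B1C0", "Vendor.XID": "a1b2",
}
STATIC = {  # values the table lists as static
    "ecs.version": "9.2.0", "event.kind": "event", "event.module": "windows",
    "event.dataset": "windows.dns-debug", "event.category": ["network"],
    "event.type": ["protocol"],
}

def set_endpoint(ecs, prefix, value):
    """Always set <prefix>.address; add <prefix>.ip or <prefix>.domain by form."""
    ecs[f"{prefix}.address"] = value
    try:
        ipaddress.ip_address(value)
        ecs[f"{prefix}.ip"] = value
    except ValueError:
        ecs[f"{prefix}.domain"] = value

def network_type(value):
    """network.type from the address family (the table's CIDR-match rule)."""
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        return None  # not an IP literal: leave network.type unset

def normalize(event):
    ecs = dict(STATIC)
    ecs["dns.id"] = event["Vendor.PacketID"]
    ecs["event.id"] = event["Vendor.XID"]
    ecs["network.transport"] = event["Vendor.Protocol"].lower()
    ecs["process.thread.name"] = event["Vendor.ThreadID"]
    ecs["process.thread.id"] = int(event["Vendor.ThreadID"])  # radix assumed decimal
    # Assumed: 'R' marks a response; the page only says Vendor.QR drives dns.type.
    ecs["dns.type"] = "answer" if event["Vendor.QR"].strip() == "R" else "query"
    remote = event["Vendor.RemoteIP"]
    if (ntype := network_type(remote)):
        ecs["network.type"] = ntype
    # Assumed role rule (the page says only "based on direction and DNS type"):
    # Rcv -> remote is the source, Snd -> the destination; the remote host is
    # the client when it sent the query or is receiving the answer.
    received = event["Vendor.Direction"] == "Rcv"
    set_endpoint(ecs, "source" if received else "destination", remote)
    set_endpoint(ecs, "client" if received == (ecs["dns.type"] == "query") else "server", remote)
    return ecs
```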