Parsers and Generated Fields
Tag Fields Created by Parser microsoft-windows-dns
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser microsoft-windows-dns
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.IP | client.ip | Client IP address for socket failures |
| Vendor.RemoteIP | client.ip | |
| client.ip; | destination.ip | |
| server.ip; | destination.ip | |
| Vendor.Flags | dns.header_flags[] | DNS header flags as array |
| Vendor.PacketID | dns.id | DNS packet identifier |
| Vendor.Opcode | dns.op_code | DNS operation code |
| Vendor.QuestionName | dns.question.name | DNS question name |
| Vendor.QuestionType | dns.question.type | DNS question type |
| Vendor.ResponseCode | dns.response_code | DNS response code |
| error.reason | error.reason | Error reason for socket failures |
| Vendor.EventReceivedTime | event.created | Timestamp when event was received |
| Vendor.XID | event.id | Transaction ID of the DNS query |
| Vendor.Direction | network.direction | Direction of packet (Snd=outbound, Rcv=inbound) |
| Vendor.Protocol | network.transport | Protocol used (UDP/TCP) |
| Vendor.ThreadID | process.thread.id | Thread ID of the DNS server process |
| Vendor.RemoteIP | server.ip | |
| client.ip; | source.ip | |
| server.ip; | source.ip | |
| Vendor.RemoteIP | source.ip/destination.ip/client.ip/server.ip | IP address mapping depends on direction and DNS type |