Parsers and Generated Fields
Tag Fields Created by Parser nozomi-ids
- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`
Fields Identified by Parser nozomi-ids
| CPS Field | Method | Source Field |
|---|---|---|
| `event.category[]` | Array | Vendor.msg |
| `event.type[]` | Array | Vendor.msg |
| `observer.ip[]` | Array | Vendor.dvc |
| `threat.tactic.id[]` | Array | Vendor.Mitre_attack_techniques |
| `threat.tactic.name[]` | Array | Vendor.Mitre_attack_tactics |
| `destination.address` | Copied | Vendor.dhost |
| `destination.ip` | Copied | Vendor.dst |
| `destination.port` | Copied | Vendor.dpt |
| `device.manufacturer` | Copied | Vendor.device.vendor |
| `event.action` | Copied | Vendor.Name |
| `event.id` | Copied | Vendor.Id |
| `event.reason` | Copied | Vendor.event_class_id |
| `event.risk_score` | Copied | Vendor.Risk |
| `event.start` | Copied | Vendor.start |
| `log.syslog.appname` | Copied | Vendor.app |
| `network.transport` | Copied | Vendor.proto |
| `observer.hostname` | Copied | Vendor.dvchost |
| `observer.os.name` | Copied | Vendor.device.product |
| `observer.os.version` | Copied | Vendor.device.version |
| `observer.vendor` | Copied | Vendor.device.vendor |
| `observer.version` | Copied | Vendor.n2os_schema |
| `rule.category` | Copied | Vendor.trigger_type |
| `rule.id` | Copied | Vendor.trigger_id |
| `rule.name` | Copied | Vendor.event_class_id |
| `source.address` | Copied | Vendor.shost |
| `source.ip` | Copied | Vendor.src |
| `source.port` | Copied | Vendor.dpt |
| `client.ip` | Extracted | Vendor.msg |
| `file.hash.md5` | Extracted | Vendor.msg |
| `file.name` | Extracted | Vendor.msg |
| `file.path` | Extracted | Vendor.msg |
| `log.syslog.hostname` | Extracted | @rawstring |
| `log.syslog.priority` | Extracted | @rawstring |
| `log.syslog.version` | Extracted | @rawstring |
| `network.protocol` | Extracted | Vendor.msg |
| `process.name` | Extracted | Vendor.msg |
| `server.address` | Extracted | Vendor.msg |
| `server.ip` | Extracted | Vendor.msg |
| `threat.software.name` | Extracted | Vendor.msg |
| `threat.technique.name` | Extracted | Vendor.msg |
| `url.domain` | Extracted | Vendor.msg |
| `url.original` | Extracted | Vendor.msg |
| `user.domain` | Extracted | Vendor.suser, @rawstring |
| `user.name` | Extracted | Vendor.suser, @rawstring |
| `event.severity` | Mapped | Vendor.severity |
| `@timestamp` | Parsed | Vendor.syslog.timestamp |
| `event.outcome` | Set | Vendor.msg |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `destination.mac` | Transformed | Vendor.dmac |
| `source.mac` | Transformed | Vendor.smac |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.dhost | destination.address | |
| Vendor.dst | destination.ip | |
| Vendor.dpt | destination.port | |
| Vendor.device.vendor | device.manufacturer | |
| Vendor.Name | event.action | |
| Vendor.Id | event.id | |
| Vendor.event_class_id | event.reason | |
| Vendor.Risk | event.risk_score | |
| Vendor.start | event.start | |
| Vendor.app | log.syslog.appname | |
| Vendor.proto | network.transport | |
| Vendor.dvchost | observer.hostname | |
| Vendor.device.product | observer.os.name | |
| Vendor.device.version | observer.os.version | |
| Vendor.device.vendor | observer.vendor | |
| Vendor.n2os_schema | observer.version | |
| Vendor.trigger_type | rule.category | |
| Vendor.trigger_id | rule.id | |
| Vendor.shost | source.address | |
| Vendor.src | source.ip | |
| Vendor.dpt | source.port | |
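The following is an added illustration, not the nozomi-ids parser itself and not code from Nozomi Networks or the SIEM vendor: a small Python normaliser that applies the Copied, Array, Extracted, Mapped, Parsed, Static and Transformed rules from the tables above to one constructed syslog line carrying a CEF event. Everything not stated on this page is an assumption and is marked as such in the code: the RFC 5424 header layout, the values of the Static fields, the severity buckets behind the Mapped row, the upper-case hyphenated MAC form behind the Transformed rows, and the CEF key `spt` for the source port (the tables as published list `Vendor.dpt` for both `destination.port` and `source.port`, which is worth checking against a live event before trusting `source.port`). The msg-derived Array rows, `event.outcome` (Set) and the msg-extracted fields other than `file.hash.md5` are left out because the page does not give their extraction rules.

```python
# Added example (not the nozomi-ids parser): apply the field table above to one syslog line
# carrying a CEF event. Wire layout, static values, severity buckets and MAC form are assumed.
import re
from datetime import datetime, timezone

# Constructed sample; every value is invented. 'spt=' for the source port is an
# assumption: the published table lists Vendor.dpt for source.port.
SAMPLE = (
    "<134>1 2024-03-05T10:15:30Z guardian01 n2os - - - "
    "CEF:0|Nozomi Networks|N2OS|23.4.0|SIGN:NETWORK-SCAN|Network scan detected|7|"
    "dvc=10.0.0.5 dvchost=guardian01 src=10.1.1.20 spt=49152 dst=10.1.2.30 dpt=502 "
    "smac=00:11:22:33:44:55 dmac=AA:BB:CC:DD:EE:FF shost=hmi01 dhost=plc01 proto=TCP "
    "app=modbus suser=CORP\\operator start=1709633730000 "
    "msg=Modbus scan from 10.1.1.20, sample md5 d41d8cd98f00b204e9800998ecf8427e"
)

# RFC 5424-style header with '-' for PROCID/MSGID/SD, then a CEF:0 payload (assumed layout).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s-\s(?P<cef>CEF:0\|.*)$"
)
# CEF 'key=value' extensions: values may contain spaces, so stop before the next ' key='.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)

# 'Static' rows (values assumed) and 'Copied' rows as (Vendor key, CPS field) pairs;
# a key that feeds two CPS fields appears twice. 'spt' -> source.port is an assumption.
STATIC = {"ecs.version": "8.11.0", "event.dataset": "nozomi.ids", "event.kind": "alert", "event.module": "nozomi"}
COPIED = [
    ("dhost", "destination.address"), ("dst", "destination.ip"), ("dpt", "destination.port"),
    ("device.vendor", "device.manufacturer"), ("device.vendor", "observer.vendor"),
    ("Name", "event.action"), ("Id", "event.id"), ("event_class_id", "event.reason"),
    ("event_class_id", "rule.name"), ("Risk", "event.risk_score"), ("start", "event.start"),
    ("app", "log.syslog.appname"), ("proto", "network.transport"), ("dvchost", "observer.hostname"),
    ("device.product", "observer.os.name"), ("device.version", "observer.os.version"),
    ("n2os_schema", "observer.version"), ("trigger_type", "rule.category"), ("trigger_id", "rule.id"),
    ("shost", "source.address"), ("src", "source.ip"), ("spt", "source.port"),
]

def parse_vendor(line: str) -> dict:
    """Build the Vendor.* view: syslog header, CEF header fields and CEF extensions."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a CEF:0 payload")
    head = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)  # split on unescaped '|' only
    if len(head) != 8:
        raise ValueError("malformed CEF header")
    vendor = {"syslog.priority": int(m.group("pri")), "syslog.version": int(m.group("ver")),
              "syslog.timestamp": m.group("ts"), "syslog.hostname": m.group("host"),
              "device.vendor": head[1], "device.product": head[2], "device.version": head[3],
              "event_class_id": head[4], "Name": head[5], "severity": head[6]}
    vendor.update(EXT_RE.findall(head[7]))
    return vendor

def to_ecs_mac(mac: str) -> str:
    """'Transformed' rows: assumed ECS form, upper-case hex pairs joined by '-'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def map_severity(cef_severity: str) -> int:
    """'Mapped' row: bucket the CEF 0-10 scale into 1..4 (assumed lookup)."""
    s = int(cef_severity)
    if not 0 <= s <= 10:
        raise ValueError(f"CEF severity out of range: {s}")
    return 1 if s <= 3 else 2 if s <= 6 else 3 if s <= 8 else 4

def normalize(line: str) -> dict:
    """Apply the table's Copied/Array/Extracted/Mapped/Parsed/Static/Transformed rules."""
    v = parse_vendor(line)
    out = dict(STATIC)
    # Parsed: @timestamp from the syslog timestamp (assumed 'YYYY-MM-DDTHH:MM:SSZ').
    ts = datetime.strptime(v["syslog.timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    out["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    for k in ("priority", "version", "hostname"):  # Extracted from @rawstring
        out[f"log.syslog.{k}"] = v[f"syslog.{k}"]
    for src, dst in COPIED:  # Copied verbatim, except ports become integers
        if src in v:
            out[dst] = int(v[src]) if dst.endswith(".port") else v[src]
    if "dvc" in v:  # Array
        out["observer.ip"] = [v["dvc"]]
    for src, dst in (("smac", "source.mac"), ("dmac", "destination.mac")):  # Transformed
        if src in v:
            out[dst] = to_ecs_mac(v[src])
    out["event.severity"] = map_severity(v["severity"])  # Mapped
    if "suser" in v:  # Extracted: 'DOMAIN\user' -> user.domain / user.name
        domain, _, out["user.name"] = v["suser"].rpartition("\\")
        if domain:
            out["user.domain"] = domain
    md5 = MD5_RE.search(v.get("msg", ""))  # Extracted: one of the msg-derived fields
    if md5:
        out["file.hash.md5"] = md5.group(0).lower()
    return out


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE).items()):
        print(f"{field} = {value!r}")
```

Running the file prints the normalised event for the constructed sample. The `(?<!\\)\|` split and the `(?=\s\w+=|$)` lookahead are the two places where CEF bites in practice: pipes and equals signs inside values are escaped by the sender, and a `msg=` value that itself contains `word=` will be cut short, so treat any field extracted from `msg` as best-effort rather than authoritative.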