Parsers and Generated Fields
Tag Fields Created by Parser nozomi-ids
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser nozomi-ids
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.syslog.timestamp | @timestamp | Event timestamp | Parsed from syslog timestamp using parseTimestamp() |
| Vendor.msg | client.ip | Client IP address | Extracted from message content |
| Vendor.dhost | destination.address | Destination hostname or address | Copied from Vendor.dhost, converted to lowercase |
| Vendor.dst | destination.ip | Destination IP address | Copied from Vendor.dst |
| Vendor.dmac | destination.mac | Destination MAC address | Transformed from Vendor.dmac (uppercase, hyphen delimiters) |
| Vendor.dpt | destination.port | Destination port number | Copied from Vendor.dpt |
| Vendor.device.vendor | device.manufacturer | Device manufacturer | Copied from Vendor.device.vendor |
| None | ecs.version | ECS schema version | Static value: 9.1.0 |
| Vendor.Name | event.action | Action performed in the event | Copied from Vendor.Name |
| Vendor.msg | event.category[] | Event categories determined by message analysis | Array populated based on message content patterns |
| None | event.dataset | Event dataset identifier | Static value: ids.iot |
| Vendor.Id | event.id | Unique event identifier | Copied from Vendor.Id |
| None | event.kind | Event kind classification | Static value: event |
| None | event.module | Event module identifier | Static value: ids |
| Vendor.msg | event.outcome | Event outcome (success/failure/unknown) | Set based on message content patterns |
| Vendor.event_class_id | event.reason | Event classification reason | Copied from Vendor.event_class_id |
| Vendor.Risk | event.risk_score | Risk score associated with the event | Copied from Vendor.Risk |
| Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity using severity ranges |
| Vendor.start | event.start | Event start timestamp | Copied from Vendor.start |
| Vendor.msg | event.type[] | Event types determined by message analysis | Array populated based on message content patterns |
| Vendor.msg | file.hash.md5 | MD5 hash of file | Extracted from message content, converted to lowercase |
| Vendor.msg | file.name | Filename | Extracted from message content |
| Vendor.msg | file.path | File path | Extracted from message content |
| Vendor.app | log.syslog.appname | Syslog application name | Copied from Vendor.app |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog header |
| @rawstring | log.syslog.priority | Syslog priority value | Extracted from syslog header |
| @rawstring | log.syslog.version | Syslog version | Extracted from RFC 5424 syslog header |
| Vendor.msg | network.protocol | Network protocol extracted from message | Extracted from message content |
| Vendor.proto | network.transport | Network transport protocol | Copied from Vendor.proto |
| Vendor.dvchost | observer.hostname | Observer hostname | Copied from Vendor.dvchost |
| Vendor.dvc | observer.ip[] | Observer IP addresses | Array with Vendor.dvc value appended |
| Vendor.device.product | observer.os.name | Observer operating system name | Copied from Vendor.device.product |
| Vendor.device.version | observer.os.version | Observer operating system version | Copied from Vendor.device.version |
| Vendor.device.vendor | observer.vendor | Observer vendor name | Copied from Vendor.device.vendor |
| Vendor.n2os_schema | observer.version | Observer schema version | Copied from Vendor.n2os_schema |
| Vendor.msg | process.name | Process name | Extracted from message content |
| Vendor.trigger_type | rule.category | Rule category | Copied from Vendor.trigger_type |
| Vendor.trigger_id | rule.id | Rule identifier | Copied from Vendor.trigger_id |
| Vendor.event_class_id | rule.name | Rule name for alert events | Copied from Vendor.event_class_id when event.kind is alert (event.kind is listed above with the static value event, so confirm this field is actually populated on your alert events) |
| Vendor.msg | server.address | Server address | Extracted from message content, converted to lowercase |
| Vendor.msg | server.ip | Server IP address | Extracted from message content |
| Vendor.shost | source.address | Source hostname or address | Copied from Vendor.shost |
| Vendor.src | source.ip | Source IP address | Copied from Vendor.src |
| Vendor.smac | source.mac | Source MAC address | Transformed from Vendor.smac (uppercase, hyphen delimiters) |
| Vendor.dpt | source.port | Source port number | Copied from Vendor.dpt as documented; the CEF extension key for the source port is spt (dpt is the destination port), so check the parser output against a sample event before relying on source.port |
| Vendor.msg | threat.software.name | Threat software name | Extracted from message content |
| Vendor.Mitre_attack_techniques | threat.tactic.id[] | MITRE ATT&CK technique IDs (stored under threat.tactic.id[], although ECS defines threat.technique.id for technique IDs; search this field by technique ID value when pivoting) | Array with Vendor.Mitre_attack_techniques appended |
| Vendor.Mitre_attack_tactics | threat.tactic.name[] | MITRE ATT&CK tactic names | Array with Vendor.Mitre_attack_tactics appended |
| Vendor.msg | threat.technique.name | Threat technique name | Extracted from message content |
| Vendor.msg | url.domain | URL domain | Extracted from message content, converted to lowercase |
| Vendor.msg | url.original | Original URL | Extracted from message content |
| Vendor.suser, @rawstring | user.domain | User domain | Extracted from domain\username format in suser field |
| Vendor.suser, @rawstring | user.name | Username | Extracted from Vendor.suser or parsed from domain\username format |
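The mapping table above describes several deterministic transformations (timestamp parsing from the syslog header, MAC normalization to uppercase with hyphen delimiters, lowercasing of destination.address, domain\username splitting, the static ECS values) without showing them on a concrete event. The following is an added example, not the nozomi-ids parser's own code and not LogScale parser syntax: a small Python reference implementation of that subset, run over a constructed CEF-over-RFC-5424 line whose extension keys match the Vendor.* names in the table. The sample line, the severity ranges (CEF 0 to 10 bucketed into 1 to 4, since the page does not state the ranges), and the use of spt for source.port (the CEF key for the source port, where the table documents dpt) are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample, not a real Nozomi event: RFC 5424 syslog header carrying a CEF
# record whose extension keys follow the Vendor.* names in the mapping table.
SAMPLE_LINE = (
    "<134>1 2024-05-01T12:34:56Z sensor01 n2os - - - "
    "CEF:0|Nozomi Networks|N2OS|24.1|sig-1|Sample alert|7|"
    "src=10.0.0.5 dst=10.0.0.9 smac=aa:bb:cc:dd:ee:ff dmac=0011.2233.4455 "
    "spt=49152 dpt=502 proto=TCP shost=PLC-01 dhost=HMI-01.Plant.Local "
    "suser=PLANT\\\\operator dvc=10.0.0.1 dvchost=sensor01 msg=Sample message"
)

# PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, then PROCID / MSGID / SD-ELEMENT, then the message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<body>.*)$"
)
# key=value pairs; a value runs until the next " key=" token so values may contain spaces.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def cef_unescape(value):
    """Undo CEF escaping of backslash, pipe and equals."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def normalize_mac(mac):
    """Return a MAC as uppercase hex pairs joined by hyphens, as the table describes.

    Accepts colon, hyphen, dot (Cisco) or bare forms; returns None when the input
    does not contain exactly 12 hex digits, so a malformed value is dropped rather
    than stored in a MAC field.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def severity_to_ecs(cef_severity):
    """Assumed severity ranges: CEF 0-3 -> 1, 4-6 -> 2, 7-8 -> 3, 9-10 -> 4."""
    try:
        n = int(cef_severity)
    except ValueError:
        return None
    if n <= 3:
        return 1
    if n <= 6:
        return 2
    if n <= 8:
        return 3
    return 4


def parse_timestamp(ts):
    """Parse the RFC 5424 timestamp and emit it as ISO 8601 in UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def map_event(raw):
    """Map one syslog/CEF line to the CPS/ECS fields covered by the table."""
    m = SYSLOG_RE.match(raw)
    if not m or not m["body"].startswith("CEF:"):
        raise ValueError("not a CEF record in an RFC 5424 syslog frame")
    # Split the CEF header on unescaped pipes only; the 8th part is the extension string.
    parts = re.split(r"(?<!\\)\|", m["body"][4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _cef_ver, vendor, product, dev_ver, class_id, name, severity = [cef_unescape(p) for p in parts[:7]]
    ext = {k: cef_unescape(v) for k, v in EXT_RE.findall(parts[7])}

    out = {
        "@timestamp": parse_timestamp(m["ts"]),
        "ecs.version": "9.1.0", "event.dataset": "ids.iot", "event.kind": "event", "event.module": "ids",
        "log.syslog.priority": int(m["pri"]), "log.syslog.version": int(m["ver"]),
        "log.syslog.hostname": m["host"], "log.syslog.appname": m["app"],
        "device.manufacturer": vendor, "observer.vendor": vendor,
        "observer.os.name": product, "observer.os.version": dev_ver,
        "event.reason": class_id, "event.action": name, "event.severity": severity_to_ecs(severity),
    }
    for key, field in (("src", "source.ip"), ("dst", "destination.ip"), ("shost", "source.address"),
                       ("proto", "network.transport"), ("dvchost", "observer.hostname")):
        if key in ext:
            out[field] = ext[key]
    if "dhost" in ext:
        out["destination.address"] = ext["dhost"].lower()
    for key, field in (("spt", "source.port"), ("dpt", "destination.port")):  # spt assumed, see lead-in
        if key in ext and ext[key].isdigit():
            out[field] = int(ext[key])
    for key, field in (("smac", "source.mac"), ("dmac", "destination.mac")):
        mac = normalize_mac(ext[key]) if key in ext else None
        if mac:
            out[field] = mac
    if "dvc" in ext:
        out["observer.ip"] = [ext["dvc"]]
    if "suser" in ext:  # domain\username form populates user.domain; a bare name only user.name
        domain, sep, user = ext["suser"].partition("\\")
        out["user.name"] = user if sep else ext["suser"]
        if sep:
            out["user.domain"] = domain
    return out


if __name__ == "__main__":
    for field, value in sorted(map_event(SAMPLE_LINE).items()):
        print(f"{field} = {value!r}")
```

Feed it a real event from your sensor and diff the output against what the nozomi-ids parser produces in LogScale; the fields that differ (source.port in particular) are the ones worth verifying before building detections on them.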