Parsers and Generated Fields
Tag Fields Created by Parser nozomi-ids
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser nozomi-ids
Vendor Field | CPS Field | Description |
---|---|---|
Vendor.msg | Various | Message content parsed for various fields based on pattern matching |
Vendor.msg | client.ip | Client IP address extracted from message |
Vendor.dhost | destination.address | Destination hostname |
Vendor.dst | destination.ip | Destination IP address |
Vendor.dmac | destination.mac | Destination MAC address, converted to uppercase with hyphens |
Vendor.dpt | destination.port | Destination port number |
Vendor.device.vendor | device.manufacturer | Device manufacturer information |
Vendor.Name | event.action | Event action name |
Vendor.msg | event.category[] | Event categories determined by message content |
Vendor.Id | event.id | Unique event identifier |
Vendor.msg | event.outcome | Event outcome determined by message content |
Vendor.event_class_id | event.reason | Event classification ID |
Vendor.Risk | event.risk_score | Risk score associated with the event |
Vendor.severity | event.severity | Event severity level, mapped to numeric values based on severity range |
Vendor.start | event.start | Event start timestamp |
Vendor.msg | event.type[] | Event types determined by message content |
Vendor.msg | file.hash.md5 | MD5 hash extracted from message, converted to lowercase |
Vendor.msg | file.name | Filename extracted from message |
Vendor.msg | file.path | File path extracted from message |
Vendor.app | log.syslog.appname | Application name from CEF header |
Vendor.msg | network.protocol | Network protocol extracted from message |
Vendor.proto | network.transport | Network transport protocol |
Vendor.dvchost | observer.hostname | Observer hostname, converted to lowercase |
Vendor.dvc | observer.ip[0] | Device IP address added to observer IP array |
Vendor.device.product | observer.os.name | Operating system name of the observer |
Vendor.device.version | observer.os.version | Operating system version of the observer |
Vendor.device.vendor | observer.vendor | Observer vendor name |
Vendor.n2os_schema | observer.version | Observer schema version |
Vendor.msg | process.name | Process name extracted from message |
Vendor.trigger_type | rule.category | Type of trigger that generated the event |
Vendor.trigger_id | rule.id | Trigger ID for the event |
Vendor.event_class_id | rule.name | Rule name set when event.kind is "alert" |
Vendor.msg | server.address | Server address extracted from message, converted to lowercase |
Vendor.msg | server.ip | Server IP address extracted from message |
Vendor.shost | source.address | Source hostname |
Vendor.src | source.ip | Source IP address |
Vendor.smac | source.mac | Source MAC address, converted to uppercase with hyphens |
Vendor.dpt | source.port | Source port number |
Vendor.msg | threat.software.name | Threat software name extracted from message |
Vendor.Mitre_attack_techniques | threat.tactic.id[] | MITRE ATT&CK technique IDs added to array |
Vendor.Mitre_attack_tactics | threat.tactic.name[] | MITRE ATT&CK tactic names added to array |
Vendor.msg | threat.technique.name | Threat technique name extracted from message |
Vendor.msg | url.domain | URL domain extracted from message, converted to lowercase |
Vendor.msg | url.original | Original URL extracted from message |
@rawstring | user.domain | Domain name extracted from suser field when in domain\username format |
Vendor.suser | user.name | Username extracted from suser field |
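As an added example that is not part of this page or of the nozomi-ids parser itself, the Python below applies several of the normalizations the table states (MAC addresses uppercased with hyphens, observer hostname lowercased, MD5 lowercased, `domain\username` split into user.domain and user.name, dvc appended to the observer.ip array) to a constructed CEF line, so a defender can check that a parser's output follows these rules. The CEF layout and all sample values are assumptions, not real Nozomi output.

```python
import re

# Constructed sample event in CEF shape (header + key=value extension).
# Values are invented for illustration; this is not a real Nozomi message.
SAMPLE_CEF = (
    "CEF:0|Nozomi Networks|N2OS|22.0.0|SIGN:MALWARE-DETECTED|Malware detected|8|"
    "src=10.0.0.5 dst=10.0.0.9 smac=00:0c:29:ab:cd:ef dmac=00:50:56:aa:bb:cc "
    "spt=49152 dpt=445 proto=tcp dvchost=NOZOMI-GUARDIAN-01 dvc=10.0.0.2 "
    "suser=CORP\\jdoe msg=Hash 5D41402ABC4B2A76B9719D911017C592 seen on host"
)

def parse_cef(line):
    """Split a CEF line into its 7 header fields and its key=value extension."""
    parts = line.split("|", 7)  # the extension itself may contain '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    keys = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
    header = dict(zip(keys, parts[:7]))
    ext = {}
    # Extension values may contain spaces, so split only before the next 'key='.
    for kv in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        k, _, v = kv.partition("=")
        ext[k] = v
    return header, ext

def normalize_mac(mac):
    """Table rule: MAC addresses become uppercase with hyphen separators."""
    return mac.upper().replace(":", "-")

def split_user(suser):
    """Table rule: 'domain\\username' yields (user.domain, user.name)."""
    domain, sep, name = suser.partition("\\")
    return (domain, name) if sep else (None, suser)

def to_ecs(line):
    """Map a subset of the table's vendor fields onto their CPS/ECS names."""
    header, ext = parse_cef(line)
    domain, name = split_user(ext.get("suser", ""))
    md5 = re.search(r"\b[0-9a-fA-F]{32}\b", ext.get("msg", ""))
    return {
        "event.action": header["name"],
        "observer.vendor": header["vendor"],
        "observer.os.name": header["product"],
        "observer.os.version": header["dev_version"],
        "observer.hostname": ext["dvchost"].lower(),
        "observer.ip": [ext["dvc"]],
        "source.ip": ext["src"], "destination.ip": ext["dst"],
        "source.mac": normalize_mac(ext["smac"]),
        "destination.mac": normalize_mac(ext["dmac"]),
        "destination.port": int(ext["dpt"]),
        "network.transport": ext["proto"],
        "user.domain": domain, "user.name": name,
        "file.hash.md5": md5.group(0).lower() if md5 else None,
    }
```

The severity-to-numeric mapping and the message pattern matching that drive event.category, event.type and event.outcome are not specified on this page, so they are deliberately left out.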