Parsers and Generated Fields
Tag Fields Created by Parser paloalto-ngfw
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser paloalto-ngfw
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.TimeGenerated | @timestamp | Event timestamp |
| Vendor.FUTUREUSE2 | Vendor.ConfigVersion | |
| Vendor.FUTUREUSE1 | Vendor.FUTURE_USE_1 | |
| Vendor.FUTUREUSE2 | Vendor.FUTURE_USE_2 | |
| Vendor.FUTUREUSE3 | Vendor.FUTURE_USE_3 | |
| Vendor.SubType | Vendor.Subtype | |
| Vendor.TimeGenerated | Vendor.generated_time | |
| Vendor.ReceiveTime | Vendor.receive_time | |
| Vendor.Serial | Vendor.serial_number | |
| Vendor.Type | Vendor.type | |
| Vendor.BytesReceived | destination.bytes | Bytes received by destination |
| Vendor.DestinationCountry | destination.geo.country_name | Destination country |
| Vendor.DestinationAddress | destination.ip | Destination IP address |
| Vendor.DestinationDeviceMac | destination.mac | |
| Vendor.NATDestination | destination.nat.ip | NAT destination IP |
| Vendor.NATDestinationPort | destination.nat.port | NAT destination port |
| Vendor.PacketsReceived | destination.packets | Packets received by destination |
| Vendor.DestinationPort | destination.port | Destination port number |
| Vendor.DestinationPort; | destination.port | |
| Vendor.Recipient | destination.user.email | |
| Vendor.DestinationUser | destination.user.name | Destination username |
| Vendor.DestinationUser; | destination.user.name | |
| Vendor.Description | event.action | |
| Vendor.ReceiveTime | event.created | Event creation timestamp |
| Vendor.Description | event.description | Event description details |
| Vendor.ElapsedTime | event.duration | |
| Vendor.SessionDuration | event.duration | |
| Vendor.Action | event.outcome | Maps allow to success, deny/drop to failure |
| Vendor.Status | event.outcome | |
| Vendor.Reason | event.reason | |
| Vendor.Severity | event.severity | Maps severity levels to numeric values |
| Vendor.StartTime | event.start | |
| Vendor.SubType | event.type | Maps to allowed/denied based on action |
| Vendor.FileType | file.type | |
| Vendor.HostID | host.id | |
| Vendor.MachineName | host.name | |
| Vendor.SourceDeviceOS | host.os.family | |
| Vendor.OperatingSystem; | host.os.full | |
| Vendor.SourceDeviceOSVersion | host.os.full | |
| Vendor.HTTPMethod | http.request.method | |
| Vendor.Severity | log.level | |
| Vendor.Application | network.application | Application identifier |
| Vendor.Bytes | network.bytes | Total bytes transferred |
| Vendor.XForwardedFor | network.forwarded_ip | |
| Vendor.Packets | network.packets | Total packets transferred |
| Vendor.IpProtocol | network.transport | |
| Vendor.Protocol | network.transport | Transport protocol |
| Vendor.DeviceName | observer.hostname | Device hostname |
| Vendor.ConfigurationPath | process.command_line | Command line for config changes |
| Vendor.Category | rule.category | Rule category |
| Vendor.Category; | rule.category | |
| Vendor.Category | rule.category | |
| Vendor.RuleName | rule.name | Security policy rule name |
| Vendor.TunnelInspectionRule | rule.name | |
| Vendor.RuleUUID | rule.uuid | Security policy rule UUID |
| Vendor.BytesSent | source.bytes | Bytes sent from source |
| Vendor.SourceCountry | source.geo.country_name | Source country |
| Vendor.SourceCountry; | source.geo.country_name | |
| Vendor.Host | source.ip | |
| Vendor.IPV6PrivateAddress; | source.ip | |
| Vendor.IPv6SystemAddress; | source.ip | |
| Vendor.PrivateAddress; | source.ip | |
| Vendor.SourceAddress | source.ip | Source IP address |
| Vendor.SourceAddress; | source.ip | |
| Vendor.SourceDeviceMac | source.mac | |
| Vendor.IPV6PublicAddress; | source.nat.ip | |
| Vendor.NATSource | source.nat.ip | NAT source IP |
| Vendor.PublicAddress; | source.nat.ip | |
| Vendor.NATSourcePort | source.nat.port | NAT source port |
| Vendor.PacketsSent | source.packets | Packets sent from source |
| Vendor.SourcePort | source.port | Source port number |
| Vendor.Sender | source.user.email | |
| Vendor.NormalizeUser; | source.user.name | |
| Vendor.SourceUser | source.user.name | Source username |
| Vendor.SourceUser; | source.user.name | |
| Vendor.User | source.user.name | |
| Vendor.UserBySource | source.user.name | |
| Vendor.EncryptionAlgorithm | tls.cipher | TLS cipher suite |
| Vendor.CertificateEndDate | tls.client.not_after | |
| Vendor.CertificateStartDate | tls.client.not_before | |
| Vendor.ServerNameIndication | tls.client.server_name | SNI value |
| Vendor.CertificateSize | tls.client.x509.public_key_size | Certificate key size |
| Vendor.CertificateSerialNumber | tls.client.x509.serial_number | Certificate serial number |
| Vendor.ChainStatus | tls.client.x509.serial_number | |
| Vendor.CertificateVersion | tls.client.x509.version_number | |
| Vendor.EllipticCurve | tls.curve | |
| Vendor.TLSVersion | tls.version | TLS protocol version |
| Vendor.URLFilename | url.original | |
| top_ld | url.top_level_domain | |
| source.user.name | user.name | |
| Vendor.Admin | user.name | |
| Vendor.UserAgent | user_agent.original | User agent string |
| Vendor.UserAgent | user_agent.original |