Parsers and Generated Fields
Tag Fields Created by Parser paloalto-ngfw
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser paloalto-ngfw
Source Field | CPS Field |
---|---|
Vendor.FUTUREUSE2 | Vendor.ConfigVersion |
Vendor.BytesReceived | destination.bytes |
Vendor.DestinationCountry | destination.geo.country_name |
Vendor.DestinationAddress | destination.ip |
Vendor.DestinationDeviceMac | destination.mac |
Vendor.NATDestination | destination.nat.ip |
Vendor.NATDestinationPort | destination.nat.port |
Vendor.PacketsReceived | destination.packets |
Vendor.DestinationPort | destination.port |
Vendor.DestinationPort; | destination.port |
Vendor.Recipient | destination.user.email |
Vendor.DestinationUser; | destination.user.name |
Vendor.Description | event.action |
Vendor.ReceiveTime | event.created |
Vendor.ElapsedTime | event.duration |
Vendor.SessionDuration | event.duration |
Vendor.Status | event.outcome |
Vendor.Reason | event.reason |
Vendor.StartTime | event.start |
Vendor.FileType | file.type |
Vendor.HostID | host.id |
Vendor.DeviceMacAddress | host.mac[0] |
Vendor.MachineName | host.name |
Vendor.SourceDeviceOS | host.os.family |
Vendor.OperatingSystem; | host.os.full |
Vendor.SourceDeviceOSVersion | host.os.full |
Vendor.HTTPMethod | http.request.method |
Vendor.Severity | log.level |
Vendor.Application | network.application |
Vendor.Bytes | network.bytes |
Vendor.XForwardedFor | network.forwarded_ip |
Vendor.Packets | network.packets |
Vendor.IpProtocol | network.transport |
Vendor.Protocol | network.transport |
Vendor.ConfigurationPath | process.command_line |
Vendor.Category | rule.category |
Vendor.Category | rule.category |
Vendor.TunnelInspectionRule | rule.name |
Vendor.RuleUUID | rule.uuid |
Vendor.BytesSent | source.bytes |
Vendor.SourceCountry; | source.geo.country_name |
Vendor.Host | source.ip |
Vendor.IPV6PrivateAddress; | source.ip |
Vendor.IPv6SystemAddress; | source.ip |
Vendor.PrivateAddress; | source.ip |
Vendor.SourceAddress | source.ip |
Vendor.SourceAddress; | source.ip |
Vendor.SourceDeviceMac | source.mac |
Vendor.IPV6PublicAddress; | source.nat.ip |
Vendor.NATSource | source.nat.ip |
Vendor.PublicAddress; | source.nat.ip |
Vendor.NATSourcePort | source.nat.port |
Vendor.PacketsSent | source.packets |
Vendor.SourcePort | source.port |
Vendor.Sender | source.user.email |
Vendor.NormalizeUser; | source.user.name |
Vendor.SourceUser; | source.user.name |
Vendor.User | source.user.name |
Vendor.UserBySource | source.user.name |
Vendor.EncryptionAlgorithm | tls.cipher |
Vendor.CertificateEndDate | tls.client.not_after |
Vendor.CertificateStartDate | tls.client.not_before |
Vendor.ServerNameIndication | tls.client.server_name |
Vendor.IssuerCommonName; | tls.client.x509.issuer.common_name[0] |
Vendor.CertificateSize | tls.client.x509.public_key_size |
Vendor.ChainStatus | tls.client.x509.serial_number |
Vendor.SubjectCommonName; | tls.client.x509.subject.common_name[0] |
Vendor.CertificateVersion | tls.client.x509.version_number |
Vendor.EllipticCurve | tls.curve |
Vendor.URLFilename | url.original |
top_ld | url.top_level_domain |