Parsers and Generated Fields

Tag Fields Created by Parser paloalto-prisma-sdwan
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser paloalto-prisma-sdwan
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.event_time, __ts, Vendor.DEVICE_TIME | @timestamp | Event timestamp | Parsed from timestamp fields using parseTimestamp() |
| source.address | client.address | Client address | Copied from source.address for non-flow events |
| source.bytes | client.bytes | Client bytes transferred | Copied from source.bytes for non-flow events |
| client.address | client.ip | Client IP address | Conditional assignment using CIDR validation |
| source.packets | client.packets | Client packets transferred | Copied from source.packets for non-flow events |
| source.port | client.port | Client port number | Copied from source.port for non-flow events |
| Vendor.dst_ip, Vendor.DST_IP, Vendor.REMOTE_IP | destination.address | Destination address | Coalesced from destination IP fields |
| Vendor.bytes_recvd, Vendor.BYTES_SENT | destination.bytes | Destination bytes transferred | Coalesced from bytes received fields |
| Vendor.REMOTE_HOSTNAME | destination.domain | Destination domain | Copied from Vendor.REMOTE_HOSTNAME |
| destination.address | destination.ip | Destination IP address | Conditional assignment using CIDR validation |
| Vendor.pkts_sent, Vendor.PKTS_SENT | destination.packets | Destination packets transferred | Coalesced from packets received fields |
| Vendor.dst_port, Vendor.DST_PORT | destination.port | Destination port number | Coalesced from destination port fields |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.CODE | error.code | Error code | Copied from Vendor.CODE |
| Vendor.MSG, Vendor.zbfw_classification_rules | event.action | Action performed | Extracted from message fields or flow events |
| Vendor.zbfw_classification_rules, Vendor.flow_event, error.code, Vendor.MSG, log.syslog.appname | event.category[] | Event categorization array | Array populated based on conditions |
| Vendor.DEVICE_TIME | event.created | Event creation timestamp | Copied from Vendor.DEVICE_TIME |
| Vendor.STATUS, Vendor.FACILITY | event.dataset | Dataset classification (prismasdwan.event, prismasdwan.auth, prismasdwan.flow) | Conditional assignment based on event type |
| Vendor.IDENTIFIER | event.id | Event identifier | Copied from Vendor.IDENTIFIER |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module identifier | Static value: prismasdwan |
| Vendor.STATUS, Vendor.MSG, log.syslog.appname | event.outcome | Event outcome (success/failure) | Conditional assignment based on various conditions |
| Vendor.REASON | event.reason | Reason for the event | Copied from Vendor.REASON |
| log.level | event.severity | Event severity level (20, 50, 80) | Conditional assignment based on log level |
| Vendor.zbfw_classification_rules, Vendor.flow_event, Vendor.MSG, log.syslog.appname | event.type[] | Event type classification array | Array populated based on flow events and authentication actions |
| Vendor.DeviceName | host.name | Host name | Copied from Vendor.DeviceName |
| Vendor.Severity, Vendor.SEVERITY | log.level | Log level | Coalesced from severity fields |
| @rawstring, Vendor.MSG | log.syslog.appname | Syslog application name | Extracted from syslog header using regex |
| Vendor.FACILITY | log.syslog.facility.name | Syslog facility name | Copied from Vendor.FACILITY |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog header using regex |
| @rawstring | log.syslog.priority | Syslog priority value | Extracted from syslog header using regex |
| @rawstring | log.syslog.procid | Syslog process ID | Extracted from syslog header using regex |
| Vendor.SEVERITY | log.syslog.severity.name | Syslog severity name | Copied from Vendor.SEVERITY |
| @rawstring | log.syslog.version | Syslog version | Extracted from syslog header using regex |
| Vendor.app_name | network.application | Network application | Copied from Vendor.app_name |
| source.bytes, destination.bytes | network.bytes | Total network bytes | Calculated as source.bytes + destination.bytes |
| source.packets, destination.packets | network.packets | Total network packets | Calculated as source.packets + destination.packets |
| Vendor.protocol_name | network.transport | Network transport protocol | Copied from Vendor.protocol_name |
| Vendor.CLOUDGENIX_HOST, Vendor.ION_HOST | observer.hostname | Observer hostname | Coalesced from observer fields |
| @rawstring | observer.ip[0] | Observer IP address | Extracted from log messages using regex |
| Vendor.PROCESS_NAME | process.name | Process name | Copied from Vendor.PROCESS_NAME |
| Vendor.ProcessID | process.pid | Process ID | Copied from Vendor.ProcessID |
| destination.address | server.address | Server address | Copied from destination.address for non-flow events |
| destination.bytes | server.bytes | Server bytes transferred | Copied from destination.bytes for non-flow events |
| destination.domain | server.domain | Server domain | Copied from destination.domain for non-flow events |
| server.address | server.ip | Server IP address | Conditional assignment using CIDR validation |
| destination.packets | server.packets | Server packets transferred | Copied from destination.packets for non-flow events |
| destination.port | server.port | Server port number | Copied from destination.port for non-flow events |
| Vendor.src_ip, Vendor.SRC_IP | source.address | Source address | Coalesced from source IP fields |
| Vendor.bytes_sent, Vendor.BYTES_RECVD | source.bytes | Source bytes transferred | Coalesced from bytes sent fields |
| Vendor.NAME | source.domain | Source domain | Copied from Vendor.NAME |
| source.address | source.ip | Source IP address | Conditional assignment using CIDR validation |
| Vendor.pkts_sent, Vendor.PKTS_RECVD | source.packets | Source packets transferred | Coalesced from packets sent fields |
| Vendor.src_port, Vendor.SRC_PORT | source.port | Source port number | Coalesced from source port fields |
| Vendor.user, Vendor.USER | user.name | Username | Coalesced from user fields |