# Parsers and Generated Fields

## Tag Fields Created by Parser radware-alteon

- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`

## Fields Identified by Parser radware-alteon
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| __timestamp | @timestamp | Event timestamp with timezone support | Extracted using parseTimestamp() or findTimestamp() based on format |
| Vendor.keys.WAFObservedIP, Vendor.keys.SrcIp | client.address | Client address | Coalesced from WAFObservedIP or SrcIp, converted to lowercase |
| client.address | client.domain | Client domain name | Assigned from client.address if not valid IP |
| client.address | client.ip | Client IP address | Assigned from client.address if valid IP |
| Vendor.keys.DstIP | destination.address | Destination address | Copied from Vendor.keys.DstIP, converted to lowercase |
| destination.address | destination.domain | Destination domain name | Assigned from destination.address if not valid IP |
| destination.address | destination.ip | Destination IP address | Assigned from destination.address if valid IP |
| Vendor.keys.DstPort | destination.port | Destination port number | Copied from Vendor.keys.DstPort |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.message, http.response.status_code | event.category[] | Event category array | Array populated based on message content and HTTP status |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Event module identifier | Static value: alteon |
| http.response.status_code, Vendor.message | event.outcome | Event outcome determination | Conditional based on HTTP status code and message patterns |
| Vendor.message | event.reason | Reason for event occurrence | Extracted from message using regex pattern |
| Vendor.message, http.response.status_code | event.type[] | Event type array | Array populated based on message content and HTTP status |
| Vendor.message | host.ip[] | Host IP addresses array | Array populated from message extraction |
| Vendor.keys.Method | http.request.method | HTTP request method | Copied from Vendor.keys.Method |
| Vendor.keys.ResponseCode | http.response.status_code | HTTP response status code | Copied from Vendor.keys.ResponseCode |
| __remaining, Vendor.message | log.syslog.appname | Syslog application name | Extracted from __remaining and Vendor.message using regex patterns |
| __remaining | log.syslog.hostname | Syslog hostname field | Extracted from __remaining using regex pattern |
| __remaining | log.syslog.msgid | Syslog message ID | Extracted from __remaining using regex pattern |
| __tmp | log.syslog.priority | Syslog priority value | Extracted from @rawstring using regex pattern |
| __remaining | log.syslog.procid | Syslog process ID | Extracted from __remaining using regex pattern |
| Vendor.message | log.syslog.severity.name | Syslog severity level name | Extracted from Vendor.message using regex pattern |
| __tmp | log.syslog.version | Syslog version number | Extracted from @rawstring using regex pattern |
| Vendor.message | network.application | Network application | Extracted from Vendor.message using regex patterns |
| Vendor.message | network.protocol | Network protocol | Extracted from Vendor.message using regex patterns |
| Vendor.keys.DstIP | server.address | Server address | Copied from Vendor.keys.DstIP, converted to lowercase |
| server.address, Vendor.message | server.domain | Server domain name | Assigned from server.address if not valid IP or extracted from message |
| server.address | server.ip | Server IP address | Assigned from server.address if valid IP |
| Vendor.keys.DstPort, Vendor.message | server.port | Server port number | Copied from Vendor.keys.DstPort or extracted from message |
| Vendor.keys.WAFObservedIP, Vendor.keys.SrcIp | source.address | Source address | Coalesced from WAFObservedIP or SrcIp, converted to lowercase |
| source.address | source.domain | Source domain name | Assigned from source.address if not valid IP |
| source.address | source.ip | Source IP address | Assigned from source.address if valid IP |
| url.original | url.domain | URL domain name | Parsed from url.original and converted to lowercase |
| url.original | url.full | Full URL | Copied from url.original |
| Vendor.keys.URL | url.original | Original URL | Copied from Vendor.keys.URL |
| url.original | url.path | URL path component | Parsed from url.original using parseUri() |
| url.original | url.query | URL query parameters | Parsed from url.original using parseUri() |
| Vendor.keys.CWSID | user.full_name | Full name from CWSID field | Extracted from Vendor.keys.CWSID using regex pattern |
| Vendor.keys.CWSID | user.id | User ID from catrecid portion | Extracted from Vendor.keys.CWSID using regex pattern |
| Vendor.keys.CWSID, Vendor.message | user.name | Username from various sources | Extracted from Vendor.keys.CWSID and Vendor.message using regex patterns |
| Vendor.keys.UserAgent | user_agent.original | Original user agent string | Copied from Vendor.keys.UserAgent |
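The coalescing, lowercasing and IP-versus-domain logic the table describes, as an added Python example that is not part of this parser's documentation or of the parser itself. It assumes a `Vendor.keys` dict of constructed values and covers only the copied, coalesced and `parseUri()`-style fields; the regex extractions from `Vendor.message` and the conditional `event.outcome` logic are not reproduced here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the Vendor.keys.* values the parser reads (not a real Alteon log).
SAMPLE_KEYS = {
    "WAFObservedIP": "203.0.113.7",
    "SrcIp": "198.51.100.9",
    "DstIP": "Web-Backend.Internal",
    "DstPort": "443",
    "Method": "GET",
    "ResponseCode": "403",
    "URL": "https://Shop.Example.COM/cart?item=1&qty=2",
    "UserAgent": "Mozilla/5.0",
}


def coalesce(*values):
    """First non-empty value, the way WAFObservedIP is preferred over SrcIp."""
    for value in values:
        if value not in (None, ""):
            return value
    return None


def split_address(address):
    """Return (ip, domain): ip when the string parses as IPv4/IPv6, else domain."""
    try:
        ipaddress.ip_address(address)
        return address, None
    except ValueError:
        return None, address


def assign_endpoint(out, prefix, address):
    """Populate <prefix>.address and exactly one of <prefix>.ip / <prefix>.domain."""
    if address is None:
        return
    address = address.lower()  # table: converted to lowercase before the IP check
    out[f"{prefix}.address"] = address
    ip, domain = split_address(address)
    if ip:
        out[f"{prefix}.ip"] = ip
    else:
        out[f"{prefix}.domain"] = domain


def normalize(keys):
    """Map a Vendor.keys dict to the subset of ECS fields that are copied or coalesced."""
    out = {}
    client = coalesce(keys.get("WAFObservedIP"), keys.get("SrcIp"))
    assign_endpoint(out, "client", client)
    assign_endpoint(out, "source", client)
    assign_endpoint(out, "destination", keys.get("DstIP"))
    assign_endpoint(out, "server", keys.get("DstIP"))

    # Assumption: numeric strings are cast to int, since ECS port fields are numeric.
    port = keys.get("DstPort")
    if port is not None and str(port).isdigit():
        out["destination.port"] = out["server.port"] = int(port)

    if keys.get("Method"):
        out["http.request.method"] = keys["Method"]
    if keys.get("ResponseCode") and str(keys["ResponseCode"]).isdigit():
        out["http.response.status_code"] = int(keys["ResponseCode"])
    if keys.get("UserAgent"):
        out["user_agent.original"] = keys["UserAgent"]

    # urlsplit stands in for parseUri(); url.domain is lowercased as the table states.
    url = keys.get("URL")
    if url:
        out["url.original"] = out["url.full"] = url
        parts = urlsplit(url)
        if parts.hostname:
            out["url.domain"] = parts.hostname.lower()
        out["url.path"] = parts.path
        if parts.query:
            out["url.query"] = parts.query

    # Static values from the table.
    out["ecs.version"] = "9.2.0"
    out["event.kind"] = "event"
    out["event.module"] = "alteon"
    return out


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_KEYS).items()):
        print(f"{field} = {value}")
```

Running the block on the constructed sample shows the split in action: the IPv4 client address lands in `client.ip` / `source.ip` with no `client.domain`, while the non-IP `DstIP` lands in `destination.domain` / `server.domain` with no `destination.ip`. An event carrying only `SrcIp` still gets a client address, and an uppercase IPv6 literal is lowercased before it is validated, so it is still recognised as an IP.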