Parsers and Generated Fields
Tag Fields Created by Parser trellix-fireeyenx
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser trellix-fireeyenx
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.rt | @timestamp | Event timestamp | Parsed from Vendor.rt using format "MMM dd yyyy HH:mm:ss z" |
| Vendor.dst (indirect) | destination.address | Destination address | Coalesced from destination.ip or destination.domain |
| Vendor.dst | destination.domain | Destination domain name | Set from Vendor.dst only when the value is not an IP address |
| Vendor.dst | destination.ip | Destination IP address | Set from Vendor.dst only when the value matches the IP/CIDR pattern |
| Vendor.dmac | destination.mac | Destination MAC address formatted with dashes and uppercase | Transformed from Vendor.dmac using replace and upper functions |
| Vendor.dpt | destination.port | Destination port number | Copied from Vendor.dpt |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.act | event.action | Action performed | Copied from Vendor.act |
| Vendor.event_class_id | event.category[] | Event category classification | Array populated with ["network"] and conditionally ["malware"] or ["intrusion_detection"] based on event class ID |
| Vendor.name | event.dataset | Event dataset identifier | Generated using format function with event.module and Vendor.name |
| Vendor.externalId | event.id | Event identifier | Copied from Vendor.externalId |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module identifier | Static value: fireeyenx |
| None | event.type[] | Event type classification | Array populated with ["info"] |
| Vendor.link | event.url | Event URL reference | Copied from Vendor.link |
| Vendor.msg | message | Event message | Copied from Vendor.msg |
| Vendor.proto | network.transport | Network transport protocol | Lowercased from Vendor.proto |
| Vendor.vlan | network.vlan.id | VLAN identifier | Copied from Vendor.vlan |
| Vendor.dvchost | observer.hostname | Observer hostname | Copied from Vendor.dvchost |
| Vendor.dvc | observer.ip[] | Observer IP addresses | Conditionally populated with Vendor.dvc if it matches IP CIDR |
| Vendor.dvcmac | observer.mac[] | Observer MAC addresses formatted with dashes and uppercase | Array populated with transformed Vendor.dvcmac |
| Vendor.device.product | observer.product | Observer product name | Copied from Vendor.device.product |
| Vendor.device.vendor | observer.vendor | Observer vendor name | Lowercased from Vendor.device.vendor |
| Vendor.device.version | observer.version | Observer version | Copied from Vendor.device.version |
| Vendor.sname | rule.name | Rule name | Copied from Vendor.sname |
| Vendor.src (indirect) | source.address | Source address | Coalesced from source.ip or source.domain |
| Vendor.src | source.domain | Source domain name | Set from Vendor.src only when the value is not an IP address |
| Vendor.src | source.ip | Source IP address | Set from Vendor.src only when the value matches the IP/CIDR pattern |
| Vendor.smac | source.mac | Source MAC address formatted with dashes and uppercase | Transformed from Vendor.smac using replace and upper functions |
| Vendor.spt | source.port | Source port number | Copied from Vendor.spt |
| Vendor.request | url.original | Original URL from request | Copied from Vendor.request |
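The table above is a specification, not code. As an added illustration (not the trellix-fireeyenx parser's own implementation), the following Python applies those mapping rules to a constructed CEF-style event so the conditional ones can be checked: the IP-versus-domain split with the coalesced `address`, the MAC normalisation, the timestamp format, and the `event.category` logic. Several details the table leaves open are assumptions here: the timezone abbreviations accepted for the `z` token, the exact template the "format function" uses for `event.dataset` (assumed `<module>.<name>`), and which `event_class_id` values mean malware or intrusion detection (the page does not list them, so the caller passes them in as hypothetical parameters).

```python
"""Added example: apply the trellix-fireeyenx mapping table to a constructed
CEF-style event. Not the product's own parser code."""
import ipaddress
from datetime import datetime, timezone

ECS_VERSION = "9.2.0"        # static value from the table
EVENT_MODULE = "fireeyenx"   # static value from the table

# Table format is "MMM dd yyyy HH:mm:ss z"; which zone abbreviations the real
# parser accepts is not stated, so this map is an assumption.
TZ_TOKENS = {"UTC": timezone.utc, "GMT": timezone.utc, "Z": timezone.utc}


def is_ip(value: str) -> bool:
    """The table's 'matches IP CIDR' check, approximated with ipaddress."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalize_mac(value: str) -> str:
    """'replace and upper': colon-separated MAC -> dashes, uppercase."""
    return value.replace(":", "-").upper()


def parse_rt(value: str) -> str:
    """Parse Vendor.rt ('MMM dd yyyy HH:mm:ss z') into an ISO-8601 @timestamp."""
    head, _, tz_token = value.rpartition(" ")
    tz = TZ_TOKENS.get(tz_token.upper())
    if tz is None:
        raise ValueError(f"unsupported timezone token {tz_token!r}")
    return datetime.strptime(head, "%b %d %Y %H:%M:%S").replace(tzinfo=tz).isoformat()


def endpoint_fields(prefix: str, host, mac, port) -> dict:
    """source.* / destination.*: ip-or-domain split, coalesced address, MAC, port."""
    out = {}
    if host:
        out[f"{prefix}.ip" if is_ip(host) else f"{prefix}.domain"] = host
        out[f"{prefix}.address"] = out.get(f"{prefix}.ip") or out.get(f"{prefix}.domain")
    if mac:
        out[f"{prefix}.mac"] = normalize_mac(mac)
    if port is not None:
        out[f"{prefix}.port"] = int(port)
    return out


def normalize_fireeyenx(vendor: dict, malware_class_ids=frozenset(),
                        ids_class_ids=frozenset()) -> dict:
    """Map Vendor.* values (dict keys without the 'Vendor.' prefix) to ECS fields.

    malware_class_ids / ids_class_ids are hypothetical parameters: the table
    says event.category depends on Vendor.event_class_id but lists no ids.
    """
    out = {"ecs.version": ECS_VERSION, "event.kind": "event",
           "event.module": EVENT_MODULE, "event.type": ["info"]}
    if "rt" in vendor:
        out["@timestamp"] = parse_rt(vendor["rt"])
    out.update(endpoint_fields("destination", vendor.get("dst"), vendor.get("dmac"), vendor.get("dpt")))
    out.update(endpoint_fields("source", vendor.get("src"), vendor.get("smac"), vendor.get("spt")))

    category = ["network"]
    class_id = vendor.get("event_class_id")
    if class_id in malware_class_ids:
        category.append("malware")
    elif class_id in ids_class_ids:
        category.append("intrusion_detection")
    out["event.category"] = category

    if "name" in vendor:  # "<module>.<name>" template is an assumption
        out["event.dataset"] = f"{EVENT_MODULE}.{vendor['name']}"

    copies = {  # the plain "Copied from" rows of the table
        "act": "event.action", "externalId": "event.id", "link": "event.url",
        "msg": "message", "vlan": "network.vlan.id", "dvchost": "observer.hostname",
        "device.product": "observer.product", "device.version": "observer.version",
        "sname": "rule.name", "request": "url.original"}
    for src, dst in copies.items():
        if src in vendor:
            out[dst] = vendor[src]
    for src, dst in (("proto", "network.transport"), ("device.vendor", "observer.vendor")):
        if src in vendor:  # the "Lowercased from" rows
            out[dst] = vendor[src].lower()

    if is_ip(vendor.get("dvc", "")):
        out["observer.ip"] = [vendor["dvc"]]
    if vendor.get("dvcmac"):
        out["observer.mac"] = [normalize_mac(vendor["dvcmac"])]
    return out


# Constructed sample event: documentation IPs and example names, not real data.
SAMPLE_EVENT = {
    "rt": "Mar 04 2024 13:45:10 UTC", "dst": "203.0.113.7", "dmac": "00:1a:2b:3c:4d:5e",
    "dpt": "443", "src": "workstation.example.internal", "smac": "11:22:33:44:55:66",
    "spt": "51515", "act": "notified", "event_class_id": "class-A", "name": "web-infection",
    "externalId": "12345", "link": "https://sensor.example.internal/alert/12345",
    "msg": "constructed sample alert", "proto": "TCP", "vlan": "10",
    "dvchost": "nx-sensor-01", "dvc": "192.0.2.10", "dvcmac": "aa:bb:cc:dd:ee:ff",
    "device.product": "example-product", "device.vendor": "Example Vendor",
    "device.version": "1.0", "sname": "sample-rule", "request": "http://example.test/path",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_fireeyenx(SAMPLE_EVENT, malware_class_ids={"class-A"}), indent=2))
```

Feeding the sample through shows why the two `(indirect)` rows exist: `destination.address` resolves to the IP and `source.address` to the domain, so a query on the `*.address` fields sees both hosts regardless of which form the sensor reported. An unknown timezone token in `Vendor.rt` raises rather than silently producing a naive timestamp, which is the failure mode you want to surface when ingesting alerts.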