Parsers and Generated Fields
Tag Fields Created by Parser zscaler-deception
- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`
Fields Identified by Parser zscaler-deception
| CPS Field | Method | Source Field(s) |
|---|---|---|
| `event.category[]` | Array | Vendor.module, Vendor.description |
| `event.type[]` | Array | Vendor.module, Vendor.description |
| `http.request.method` | Coalesced | Vendor.recon.method, Vendor.web.method, Vendor.method |
| `http.response.status_code` | Coalesced | Vendor.web.status, Vendor.recon.status, Vendor.status_code |
| `log.level` | Coalesced | Vendor.severity, Vendor.threat.alert.severity |
| `network.protocol` | Coalesced | Vendor.network.protocol, Vendor.recon.scheme |
| `server.address` | Coalesced | Vendor.decoy.name, Vendor.recon.server_name |
| `url.domain` | Coalesced | Vendor.recon.host, Vendor.web.host |
| `url.path` | Coalesced | Vendor.recon.request_uri, Vendor.recon.uri, Vendor.web.request_uri |
| `user_agent.name` | Coalesced | Vendor.web.user_agent.string, Vendor.recon.user_agent.string |
| `threat.technique.id` | Concatenated | Vendor.mitre_ids |
| `event.dataset` | Conditional | Vendor.module |
| `event.outcome` | Conditional | Vendor.status_code |
| `client.address` | Copied | Vendor.decoy.client.name |
| `client.bytes` | Copied | Vendor.network.orig_ip_bytes |
| `client.packets` | Copied | Vendor.network.orig_pkts |
| `event.duration` | Copied | Vendor.network.duration |
| `event.id` | Copied | Vendor.id |
| `event.reason` | Copied | Vendor.description |
| `event.risk_score` | Copied | Vendor.score |
| `http.request.bytes` | Copied | Vendor.recon.bytes_sent |
| `network.name` | Copied | Vendor.decoy.network_name |
| `observer.name` | Copied | Vendor.decoy.appliance.name |
| `process.command_line` | Copied | Vendor.linux.command_line |
| `process.name` | Copied | Vendor.linux.process_name |
| `process.pid` | Copied | Vendor.linux.pid |
| `process.user.name` | Copied | Vendor.linux.user |
| `server.bytes` | Copied | Vendor.network.resp_ip_bytes |
| `server.ip` | Copied | Vendor.decoy.ip |
| `server.packets` | Copied | Vendor.network.resp_pkts |
| `server.port` | Copied | Vendor.decoy.port |
| `source.ip` | Copied | threat.indicator.ip |
| `source.port` | Copied | threat.indicator.port |
| `threat.indicator.name` | Copied | Vendor.attacker.name |
| `threat.indicator.port` | Copied | Vendor.attacker.port |
| `threat.indicator.type` | Copied | Vendor.type |
| `tls.cipher` | Copied | Vendor.ssl.cipher |
| `tls.version` | Copied | Vendor.ssl.version |
| `trace.id` | Copied | Vendor.id |
| `url.full` | Copied | Vendor.web.uri |
| `url.scheme` | Copied | Vendor.web.scheme |
| `user_agent.version` | Copied | Vendor.recon.user_agent.patch |
| `http.version` | Extracted | Vendor.recon.server_protocol, Vendor.web.server_protocol |
| `threat.indicator.ip` | Extracted | Vendor.attacker.ip, Vendor.abuseip.ipAddress |
| `user.email` | Extracted | Vendor.description |
| `user.full_name` | Extracted | Vendor.username |
| `user.name` | Extracted | Vendor.username |
| `event.severity` | Mapped | log.level |
| `@timestamp` | Parsed | Vendor.timestamp, __timestamp |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |

| Vendor Field | CPS Field |
|---|---|
| `Vendor.decoy.client.name` | `client.address` |
| `Vendor.network.orig_ip_bytes` | `client.bytes` |
| `Vendor.network.orig_pkts` | `client.packets` |
| `Vendor.network.duration` | `event.duration` |
| `Vendor.id` | `event.id` |
| `Vendor.description` | `event.reason` |
| `Vendor.score` | `event.risk_score` |
| `Vendor.recon.bytes_sent` | `http.request.bytes` |
| `Vendor.decoy.network_name` | `network.name` |
| `Vendor.network.protocol` | `network.protocol` |
| `Vendor.recon.scheme` | `network.protocol` |
| `Vendor.decoy.appliance.name` | `observer.name` |
| `Vendor.linux.command_line` | `process.command_line` |
| `Vendor.linux.process_name` | `process.name` |
| `Vendor.linux.pid` | `process.pid` |
| `Vendor.linux.user` | `process.user.name` |
| `Vendor.network.resp_ip_bytes` | `server.bytes` |
| `Vendor.network.resp_pkts` | `server.packets` |
| `Vendor.decoy.port` | `server.port` |
| `threat.indicator.ip` | `source.ip` |
| `threat.indicator.port` | `source.port` |
| `Vendor.attacker.name` | `threat.indicator.name` |
| `Vendor.attacker.port` | `threat.indicator.port` |
| `Vendor.type` | `threat.indicator.type` |
| `Vendor.ssl.cipher` | `tls.cipher` |
| `Vendor.ssl.version` | `tls.version` |
| `Vendor.id` | `trace.id` |
| `Vendor.web.uri` | `url.full` |
| `Vendor.web.scheme` | `url.scheme` |
| `Vendor.recon.user_agent.patch` | `user_agent.version` |