Parsers and Generated Fields
Tag Fields Created by Parser zscaler-deception
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-deception
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.decoy.client.name | client.address | Decoy client name |
| Vendor.network.orig_ip_bytes | client.bytes | |
| Vendor.network.orig_pkts | client.packets | |
| Vendor.network.duration | event.duration | Duration of network event |
| Vendor.id | event.id | |
| Vendor.id | event.id, trace.id | Event identifier |
| Vendor.score | event.risk_score | Risk score of event |
| Vendor.severity | event.severity | Event severity |
| Vendor.threat.alert.severity | event.severity | Alert severity |
| Vendor.recon.bytes_sent | http.request.bytes | |
| Vendor.recon.method | http.request.method | |
| Vendor.web.method | http.request.method | HTTP request method |
| Vendor.recon.status | http.response.status_code | |
| Vendor.web.status | http.response.status_code | HTTP response status code |
| Vendor.decoy.network_name | network.name | Network name |
| Vendor.network.protocol | network.protocol | Network protocol used |
| Vendor.recon.scheme | network.protocol | |
| Vendor.decoy.appliance.name | observer.name | Appliance name |
| Vendor.linux.command_line | process.command_line | Linux process command line |
| Vendor.linux.process_name | process.name | Linux process name |
| Vendor.linux.pid | process.pid | Linux process ID |
| Vendor.linux.user | process.user.name | Linux username |
| Vendor.decoy.name | server.address | Decoy server name |
| Vendor.recon.server_name | server.address | |
| Vendor.network.resp_ip_bytes | server.bytes | |
| Vendor.decoy.ip; | server.ip | |
| Vendor.network.resp_pkts | server.packets | |
| Vendor.decoy.port | server.port | |
| threat.indicator.ip | source.ip | |
| threat.indicator.port | source.port | |
| Vendor.abuseip.ipAddress; | threat.indicator.ip | |
| Vendor.attacker.ip | threat.indicator.ip | IP address extracted from format "x.x.x.x [hostname]" |
| Vendor.attacker.name | threat.indicator.name | Name of attacker |
| Vendor.attacker.port | threat.indicator.port | Port number of attacker |
| Vendor.type | threat.indicator.type | Type of threat indicator |
| Vendor.mitre_ids | threat.technique.id | MITRE ATT&CK technique IDs |
| Vendor.ssl.cipher | tls.cipher | SSL/TLS cipher used |
| Vendor.ssl.version | tls.version | SSL/TLS version |
| Vendor.id | trace.id | |
| Vendor.recon.host | url.domain | |
| Vendor.web.host | url.domain | Web host domain |
| Vendor.web.uri | url.full | Full URL |
| Vendor.recon.request_uri | url.path | |
| Vendor.recon.uri | url.path | |
| Vendor.web.request_uri | url.path | |
| Vendor.web.scheme | url.scheme | URL scheme (http/https) |
| Vendor.recon.user_agent.string | user_agent.name | |
| Vendor.web.user_agent.string | user_agent.name | User agent string |
| Vendor.recon.user_agent.patch | user_agent.version |