Parsers and Generated Fields
Tag Fields Created by Parser zscaler-deception
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-deception
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.decoy.client.name | client.address | Decoy client name |
| Vendor.network.orig_ip_bytes | client.bytes | |
| Vendor.network.orig_pkts | client.packets | |
| Vendor.network.duration | event.duration | Duration of network event |
| Vendor.id | event.id | |
| Vendor.id | event.id, | Event identifier |
| Vendor.description | event.reason | Description of the event |
| Vendor.score | event.risk_score | Risk score of event |
| Vendor.recon.bytes_sent | http.request.bytes | |
| Vendor.recon.method, | http.request.method | HTTP request method using coalesce function |
| Vendor.web.status, | http.response.status_code | HTTP response status code using coalesce function |
| Vendor.severity, | log.level | Event severity level |
| Vendor.decoy.network_name | network.name | Network name |
| Vendor.network.protocol | network.protocol | Network protocol used |
| Vendor.recon.scheme | network.protocol | |
| Vendor.decoy.appliance.name | observer.name | Appliance name |
| Vendor.linux.command_line | process.command_line | Linux process command line |
| Vendor.linux.process_name | process.name | Linux process name |
| Vendor.linux.pid | process.pid | Linux process ID |
| Vendor.linux.user | process.user.name | Linux username |
| Vendor.decoy.name, | server.address | Decoy server name using coalesce function |
| Vendor.network.resp_ip_bytes | server.bytes | |
| Vendor.decoy.ip; | server.ip | |
| Vendor.network.resp_pkts | server.packets | |
| Vendor.decoy.port | server.port | |
| threat.indicator.ip | source.ip | |
| threat.indicator.port | source.port | |
| Vendor.abuseip.ipAddress; | threat.indicator.ip | |
| Vendor.attacker.ip | threat.indicator.ip | IP address extracted from format "x.x.x.x [hostname]" |
| Vendor.attacker.name | threat.indicator.name | Name of attacker |
| Vendor.attacker.port | threat.indicator.port | Port number of attacker |
| Vendor.type | threat.indicator.type | Type of threat indicator |
| Vendor.mitre_ids | threat.technique.id | MITRE ATT&CK technique IDs |
| Vendor.ssl.cipher | tls.cipher | SSL/TLS cipher used |
| Vendor.ssl.version | tls.version | SSL/TLS version |
| Vendor.id | trace.id | |
| Vendor.recon.host, | url.domain | Web host domain using coalesce function |
| Vendor.web.uri | url.full | Full URL |
| Vendor.web.scheme | url.scheme | URL scheme (http/https) |
| Vendor.username | user.full_name, | Extracts both full name and username when in format "Name (username)" |
| Vendor.username | user.name | Username when not "Unauthenticated" |
| Vendor.username; | user.name | |
| Vendor.web.user_agent.string, | user_agent.name | User agent string using coalesce function |
| Vendor.recon.user_agent.patch | user_agent.version |