Parsers and Generated Fields
Tag Fields Created by Parser zscaler-deception
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser zscaler-deception
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.timestamp | @timestamp | Event timestamp | Parsed from Vendor.timestamp using parseTimestamp() |
| Vendor.landmine.version | agent.version | Agent version | Copied from Vendor.landmine.version |
| source.address | client.address | Client address | Copied from source.address |
| source.bytes | client.bytes | Client bytes sent | Copied from source.bytes |
| source.domain | client.domain | Client domain | Copied from source.domain |
| source.ip | client.ip | Client IP address | Copied from source.ip |
| source.packets | client.packets | Client packets sent | Copied from source.packets |
| source.port | client.port | Client port | Copied from source.port |
| Vendor.azure.resourceId | cloud.instance.id | Azure resource identifier | Copied from Vendor.azure.resourceId |
| Vendor.azure.operationName | cloud.service.name | Azure operation name | Copied from Vendor.azure.operationName |
| Vendor.linux.container_name | container.name | Container name | Copied from Vendor.linux.container_name |
| destination.ip, destination.domain | destination.address | Destination address | Coalesced from destination.ip and destination.domain |
| Vendor.network.resp_ip_bytes | destination.bytes | Destination bytes sent | Copied from Vendor.network.resp_ip_bytes |
| Vendor.decoy.name, Vendor.recon.server_name | destination.domain | Destination domain | Coalesced and lowercased from decoy and server name fields |
| Vendor.decoy.ip | destination.ip | Destination IP address | Copied from Vendor.decoy.ip after IP validation |
| Vendor.network.resp_pkts | destination.packets | Destination packets sent | Copied from Vendor.network.resp_pkts |
| Vendor.decoy.port | destination.port | Destination port | Copied from Vendor.decoy.port |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.module, Vendor.description, Vendor.type, Vendor.sub_type | event.category[] | Event category classification | Array populated based on event type and description patterns |
| Vendor.module | event.dataset | Dataset classification (deception.audit or deception.threat) | Conditional assignment based on Vendor.module field |
| Vendor.id | event.id | Event identifier | Copied from Vendor.id |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module name | Static value: deception |
| Vendor.status_code, Vendor.username, Vendor.description | event.outcome | Event outcome (success/failure) | Conditional assignment based on status codes and event type |
| Vendor.description | event.reason | Event description | Copied from Vendor.description |
| Vendor.score | event.risk_score | Risk score of event | Copied from Vendor.score |
| log.level | event.severity | Numeric severity value | Mapped from log.level using conditional logic |
| Vendor.module, Vendor.description, Vendor.type, Vendor.sub_type | event.type[] | Event type classification | Array populated based on event type and description patterns |
| Vendor.attacker.process.md5, Vendor.file.hash.md5 | file.hash.md5 | MD5 hash | Coalesced from process and file hash fields |
| Vendor.attacker.process.sha1, Vendor.file.hash.sha1 | file.hash.sha1 | SHA1 hash | Coalesced from process and file hash fields |
| Vendor.attacker.process.sha256, Vendor.file.hash.sha256 | file.hash.sha256 | SHA256 hash | Coalesced from process and file hash fields |
| Vendor.file.name | file.path | File path | Copied from Vendor.file.name |
| Vendor.recon.method, Vendor.web.method, Vendor.method | http.request.method | HTTP request method | Coalesced from method fields |
| Vendor.web.bytes_sent, Vendor.recon.bytes_sent | http.response.bytes | HTTP response bytes | Coalesced from bytes sent fields |
| Vendor.web.status, Vendor.recon.status, Vendor.status_code | http.response.status_code | HTTP response status | Coalesced from status fields |
| Vendor.recon.server_protocol, Vendor.web.server_protocol | http.version | HTTP version | Extracted from server protocol using regex |
| Vendor.severity, Vendor.threat.alert.severity | log.level | Event severity level | Coalesced from severity fields |
| Vendor.decoy.network_name | network.name | Network name | Copied from Vendor.decoy.network_name |
| Vendor.recon.scheme, Vendor.web.scheme | network.protocol | Network protocol | Coalesced from scheme fields |
| Vendor.network.protocol | network.transport | Network transport protocol | Copied from Vendor.network.protocol |
| Vendor.attacker.ip, Vendor.decoy.ip | network.type | Network type (ipv4/ipv6) | Set based on IP version validation |
| Vendor.decoy.appliance.name | observer.name | Observer appliance name | Copied from Vendor.decoy.appliance.name |
| Vendor.linux.command_line, Vendor.attacker.process.command_line | process.command_line | Process command line | Coalesced from command line fields |
| Vendor.attacker.process.executable_path, Vendor.linux.process_name | process.executable | Process executable | Coalesced from executable path fields |
| Vendor.attacker.process.md5 | process.hash.md5 | Process MD5 hash | Copied from Vendor.attacker.process.md5 |
| Vendor.attacker.process.sha1 | process.hash.sha1 | Process SHA1 hash | Copied from Vendor.attacker.process.sha1 |
| Vendor.attacker.process.sha256 | process.hash.sha256 | Process SHA256 hash | Copied from Vendor.attacker.process.sha256 |
| Vendor.linux.process_name, Vendor.attacker.process.name | process.name | Process name | Coalesced from process name fields |
| Vendor.linux.parent_process_name | process.parent.name | Parent process name | Copied from Vendor.linux.parent_process_name |
| Vendor.linux.ppid | process.parent.pid | Parent process ID | Copied from Vendor.linux.ppid |
| Vendor.linux.pid | process.pid | Process ID | Copied from Vendor.linux.pid |
| Vendor.linux.user | process.user.name | Process user name | Copied from Vendor.linux.user |
| Vendor.threat.alert.signature_id | rule.id | Rule identifier | Copied from Vendor.threat.alert.signature_id |
| Vendor.threat.alert.signature | rule.name | Rule name | Copied from Vendor.threat.alert.signature |
| destination.address | server.address | Server address | Copied from destination.address |
| destination.bytes | server.bytes | Server bytes sent | Copied from destination.bytes |
| destination.domain | server.domain | Server domain | Copied from destination.domain |
| destination.ip | server.ip | Server IP address | Copied from destination.ip |
| destination.packets | server.packets | Server packets sent | Copied from destination.packets |
| destination.port | server.port | Server port | Copied from destination.port |
| source.ip, source.domain | source.address | Source address | Coalesced from source.ip and source.domain |
| Vendor.network.orig_ip_bytes | source.bytes | Source bytes sent | Copied from Vendor.network.orig_ip_bytes |
| Vendor.attacker.name | source.domain | Source domain name | Lowercased from Vendor.attacker.name |
| Vendor.attacker.country | source.geo.country_name | Source country | Copied from Vendor.attacker.country |
| Vendor.attacker.ip | source.ip | Source IP address | Copied from Vendor.attacker.ip after IP validation |
| Vendor.network.orig_pkts | source.packets | Source packets sent | Copied from Vendor.network.orig_pkts |
| Vendor.attacker.port | source.port | Source port | Copied from Vendor.attacker.port |
| Vendor.attacker.ip, Vendor.abuseip.ipAddress | threat.indicator.ip | Threat indicator IP | Extracted from Vendor.attacker.ip or copied from Vendor.abuseip.ipAddress |
| Vendor.attacker.name | threat.indicator.name | Threat indicator name | Copied from Vendor.attacker.name |
| Vendor.attacker.port | threat.indicator.port | Threat indicator port | Copied from Vendor.attacker.port |
| Vendor.type | threat.indicator.type | Threat indicator type | Copied from Vendor.type |
| Vendor.sub_type | threat.tactic.name[] | Threat tactic names | Array populated based on sub_type for specific events |
| Vendor.mitre_ids | threat.technique.id[] | MITRE ATT&CK technique IDs | Array populated from Vendor.mitre_ids using objectArray:eval |
| Vendor.ssl.cipher | tls.cipher | TLS cipher | Copied from Vendor.ssl.cipher |
| Vendor.ssl.version | tls.version | TLS version | Copied from Vendor.ssl.version |
| Vendor.recon.host, Vendor.web.host | url.domain | URL domain | Coalesced from host fields |
| Vendor.recon.uri, Vendor.web.uri | url.original | Original URL | Coalesced from URI fields |
| Vendor.recon.request_uri, Vendor.recon.uri, Vendor.web.request_uri, Vendor.url | url.path | URL path | Coalesced from URI fields |
| Vendor.recon.scheme, Vendor.web.scheme | url.scheme | URL scheme | Coalesced from scheme fields |
| Vendor.description, Vendor.attacker.zcc_user | user.email | User email address | Extracted from Vendor.description using regex pattern or copied from Vendor.attacker.zcc_user |
| Vendor.username | user.full_name | Full user name | Extracted from Vendor.username using regex pattern |
| Vendor.azure.identity.claim.oid | user.id | User identifier | Copied from Vendor.azure.identity.claim.oid |
| Vendor.username | user.name | Username | Extracted from Vendor.username when not "Unauthenticated" |
| Vendor.web.user_agent.string, Vendor.recon.user_agent.string | user_agent.original | User agent string | Coalesced from user agent fields |
| Vendor.web.user_agent.patch, Vendor.recon.user_agent.patch | user_agent.version | User agent version | Coalesced from user agent version fields |
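The table above describes the mapping logic (coalescing, lowercasing, IP validation, conditional dataset/outcome assignment, regex extraction) but not how those rules behave together on one event. The following is an added example, not the zscaler-deception parser's own code, that re-implements a subset of the rows as a standalone Python normalizer and runs it over a constructed sample event. Where the table only says "conditional", the concrete rule is an assumption: `Vendor.module == "threat"` selecting `deception.threat`, HTTP 2xx/3xx meaning `success` and 4xx/5xx meaning `failure`, and the severity-to-number lookup; the field values in `SAMPLE_EVENT` are made up.

```python
import ipaddress
import re

# Regexes for the "extracted using regex" rows (http.version, user.email).
HTTP_VERSION_RE = re.compile(r"^HTTP/(\d+(?:\.\d+)?)$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed lookup for event.severity; the page only says "conditional logic".
SEVERITY_TO_NUMBER = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample event, keyed like the "Source Field" column above.
SAMPLE_EVENT = {
    "Vendor.module": "threat",
    "Vendor.severity": "high",
    "Vendor.description": "Decoy web login attempted by alice@example.test",
    "Vendor.username": "Unauthenticated",
    "Vendor.attacker.ip": "10.20.30.40",
    "Vendor.attacker.port": "51234",
    "Vendor.attacker.name": "WORKSTATION-7",
    "Vendor.decoy.ip": "10.20.99.5",
    "Vendor.decoy.port": "443",
    "Vendor.decoy.name": "Decoy-Web-01",
    "Vendor.recon.server_protocol": "HTTP/1.1",
    "Vendor.web.status": "401",
    "Vendor.web.method": "POST",
    "Vendor.web.host": "intranet.example.test",
    "Vendor.web.uri": "/admin/login",
}


def coalesce(event, *keys):
    """First present, non-empty value among keys (the 'Coalesced from' rows)."""
    for key in keys:
        value = event.get(key)
        if value not in (None, ""):
            return value
    return None


def validate_ip(value):
    """Return the address only if it parses as IPv4/IPv6 ('after IP validation')."""
    try:
        return str(ipaddress.ip_address(value))
    except (ValueError, TypeError):
        return None


def network_type(*candidates):
    """ipv4/ipv6 from the first candidate that validates (network.type row)."""
    for candidate in candidates:
        try:
            return "ipv%d" % ipaddress.ip_address(candidate).version
        except (ValueError, TypeError):
            continue
    return None


def outcome_from_status(status):
    """Assumed rule: 2xx/3xx -> success, 4xx/5xx -> failure, otherwise unset."""
    try:
        code = int(status)
    except (TypeError, ValueError):
        return None
    if 200 <= code < 400:
        return "success"
    if 400 <= code < 600:
        return "failure"
    return None


def normalize(event):
    """Map a Vendor.* event onto the CPS fields; unset fields are dropped."""
    out = {"ecs.version": "9.2.0", "event.kind": "event", "event.module": "deception"}
    # Assumption: module "threat" -> deception.threat, anything else -> deception.audit.
    out["event.dataset"] = "deception.threat" if event.get("Vendor.module") == "threat" else "deception.audit"

    out["source.ip"] = validate_ip(event.get("Vendor.attacker.ip"))
    out["source.port"] = event.get("Vendor.attacker.port")
    attacker_name = event.get("Vendor.attacker.name")
    out["source.domain"] = attacker_name.lower() if attacker_name else None
    out["destination.ip"] = validate_ip(event.get("Vendor.decoy.ip"))
    out["destination.port"] = event.get("Vendor.decoy.port")
    decoy_name = coalesce(event, "Vendor.decoy.name", "Vendor.recon.server_name")
    out["destination.domain"] = decoy_name.lower() if decoy_name else None
    out["network.type"] = network_type(event.get("Vendor.attacker.ip"), event.get("Vendor.decoy.ip"))

    proto = coalesce(event, "Vendor.recon.server_protocol", "Vendor.web.server_protocol")
    match = HTTP_VERSION_RE.match(proto or "")
    out["http.version"] = match.group(1) if match else None
    out["http.request.method"] = coalesce(event, "Vendor.recon.method", "Vendor.web.method", "Vendor.method")
    status = coalesce(event, "Vendor.web.status", "Vendor.recon.status", "Vendor.status_code")
    out["http.response.status_code"] = status
    out["event.outcome"] = outcome_from_status(status)
    out["url.domain"] = coalesce(event, "Vendor.recon.host", "Vendor.web.host")
    out["url.original"] = coalesce(event, "Vendor.recon.uri", "Vendor.web.uri")

    out["log.level"] = coalesce(event, "Vendor.severity", "Vendor.threat.alert.severity")
    out["event.severity"] = SEVERITY_TO_NUMBER.get((out["log.level"] or "").lower())

    username = event.get("Vendor.username")
    out["user.name"] = username if username and username != "Unauthenticated" else None
    email = EMAIL_RE.search(event.get("Vendor.description") or "")
    out["user.email"] = email.group(0) if email else event.get("Vendor.attacker.zcc_user")
    return {key: value for key, value in out.items() if value is not None}


if __name__ == "__main__":
    for key, value in sorted(normalize(SAMPLE_EVENT).items()):
        print("%-27s %s" % (key, value))
```

Two behaviours worth checking when validating a real parser against this table: an attacker address that fails IP validation drops `source.ip` but `network.type` is still set from the decoy side, and an `Unauthenticated` username leaves `user.name` unset rather than storing the literal string, which keeps a search on `user.name` from matching every failed login.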