# Parsers and Generated Fields

## Tag Fields Created by Parser zscaler-deception

- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`

## Fields Identified by Parser zscaler-deception
| CPS Field | Mapping Type | Source Fields |
|---|---|---|
| `event.category[]` | Array | Vendor.module, Vendor.description, Vendor.type, Vendor.sub_type |
| `event.type[]` | Array | Vendor.module, Vendor.description, Vendor.type, Vendor.sub_type |
| `threat.tactic.name[]` | Array | Vendor.sub_type |
| `threat.technique.id[]` | Array | Vendor.mitre_ids |
| `destination.address` | Coalesced | destination.ip, destination.domain |
| `destination.domain` | Coalesced | Vendor.decoy.name, Vendor.recon.server_name |
| `file.hash.md5` | Coalesced | Vendor.attacker.process.md5, Vendor.file.hash.md5 |
| `file.hash.sha1` | Coalesced | Vendor.attacker.process.sha1, Vendor.file.hash.sha1 |
| `file.hash.sha256` | Coalesced | Vendor.attacker.process.sha256, Vendor.file.hash.sha256 |
| `http.request.method` | Coalesced | Vendor.recon.method, Vendor.web.method, Vendor.method |
| `http.response.bytes` | Coalesced | Vendor.web.bytes_sent, Vendor.recon.bytes_sent |
| `http.response.status_code` | Coalesced | Vendor.web.status, Vendor.recon.status, Vendor.status_code |
| `log.level` | Coalesced | Vendor.severity, Vendor.threat.alert.severity |
| `network.protocol` | Coalesced | Vendor.recon.scheme, Vendor.web.scheme |
| `process.command_line` | Coalesced | Vendor.linux.command_line, Vendor.attacker.process.command_line |
| `process.executable` | Coalesced | Vendor.attacker.process.executable_path, Vendor.linux.process_name |
| `process.name` | Coalesced | Vendor.linux.process_name, Vendor.attacker.process.name |
| `source.address` | Coalesced | source.ip, source.domain |
| `url.domain` | Coalesced | Vendor.recon.host, Vendor.web.host |
| `url.original` | Coalesced | Vendor.recon.uri, Vendor.web.uri |
| `url.path` | Coalesced | Vendor.recon.request_uri, Vendor.recon.uri, Vendor.web.request_uri, Vendor.url |
| `url.scheme` | Coalesced | Vendor.recon.scheme, Vendor.web.scheme |
| `user_agent.original` | Coalesced | Vendor.web.user_agent.string, Vendor.recon.user_agent.string |
| `user_agent.version` | Coalesced | Vendor.web.user_agent.patch, Vendor.recon.user_agent.patch |
| `event.dataset` | Conditional | Vendor.module |
| `event.outcome` | Conditional | Vendor.status_code, Vendor.username, Vendor.description |
| `agent.version` | Copied | Vendor.landmine.version |
| `client.address` | Copied | source.address |
| `client.bytes` | Copied | source.bytes |
| `client.domain` | Copied | source.domain |
| `client.ip` | Copied | source.ip |
| `client.packets` | Copied | source.packets |
| `client.port` | Copied | source.port |
| `cloud.instance.id` | Copied | Vendor.azure.resourceId |
| `cloud.service.name` | Copied | Vendor.azure.operationName |
| `container.name` | Copied | Vendor.linux.container_name |
| `destination.bytes` | Copied | Vendor.network.resp_ip_bytes |
| `destination.ip` | Copied | Vendor.decoy.ip |
| `destination.packets` | Copied | Vendor.network.resp_pkts |
| `destination.port` | Copied | Vendor.decoy.port |
| `event.id` | Copied | Vendor.id |
| `event.reason` | Copied | Vendor.description |
| `event.risk_score` | Copied | Vendor.score |
| `file.path` | Copied | Vendor.file.name |
| `network.name` | Copied | Vendor.decoy.network_name |
| `network.transport` | Copied | Vendor.network.protocol |
| `observer.name` | Copied | Vendor.decoy.appliance.name |
| `process.hash.md5` | Copied | Vendor.attacker.process.md5 |
| `process.hash.sha1` | Copied | Vendor.attacker.process.sha1 |
| `process.hash.sha256` | Copied | Vendor.attacker.process.sha256 |
| `process.parent.name` | Copied | Vendor.linux.parent_process_name |
| `process.parent.pid` | Copied | Vendor.linux.ppid |
| `process.pid` | Copied | Vendor.linux.pid |
| `process.user.name` | Copied | Vendor.linux.user |
| `rule.id` | Copied | Vendor.threat.alert.signature_id |
| `rule.name` | Copied | Vendor.threat.alert.signature |
| `server.address` | Copied | destination.address |
| `server.bytes` | Copied | destination.bytes |
| `server.domain` | Copied | destination.domain |
| `server.ip` | Copied | destination.ip |
| `server.packets` | Copied | destination.packets |
| `server.port` | Copied | destination.port |
| `source.bytes` | Copied | Vendor.network.orig_ip_bytes |
| `source.geo.country_name` | Copied | Vendor.attacker.country |
| `source.ip` | Copied | Vendor.attacker.ip |
| `source.packets` | Copied | Vendor.network.orig_pkts |
| `source.port` | Copied | Vendor.attacker.port |
| `threat.indicator.name` | Copied | Vendor.attacker.name |
| `threat.indicator.port` | Copied | Vendor.attacker.port |
| `threat.indicator.type` | Copied | Vendor.type |
| `tls.cipher` | Copied | Vendor.ssl.cipher |
| `tls.version` | Copied | Vendor.ssl.version |
| `user.id` | Copied | Vendor.azure.identity.claim.oid |
| `http.version` | Extracted | Vendor.recon.server_protocol, Vendor.web.server_protocol |
| `threat.indicator.ip` | Extracted | Vendor.attacker.ip, Vendor.abuseip.ipAddress |
| `user.email` | Extracted | Vendor.description, Vendor.attacker.zcc_user |
| `user.full_name` | Extracted | Vendor.username |
| `user.name` | Extracted | Vendor.username |
| `source.domain` | Lowercased | Vendor.attacker.name |
| `event.severity` | Mapped | log.level |
| `@timestamp` | Parsed | Vendor.timestamp |
| `network.type` | Set | Vendor.attacker.ip, Vendor.decoy.ip |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.landmine.version | agent.version | |
| source.address | client.address | |
| source.bytes | client.bytes | |
| source.domain | client.domain | |
| source.ip | client.ip | |
| source.packets | client.packets | |
| source.port | client.port | |
| Vendor.azure.resourceId | cloud.instance.id | |
| Vendor.azure.operationName | cloud.service.name | |
| Vendor.linux.container_name | container.name | |
| Vendor.network.resp_ip_bytes | destination.bytes | |
| Vendor.decoy.ip | destination.ip | |
| Vendor.network.resp_pkts | destination.packets | |
| Vendor.decoy.port | destination.port | |
| Vendor.id | event.id | |
| Vendor.description | event.reason | |
| Vendor.score | event.risk_score | |
| Vendor.file.name | file.path | |
| Vendor.method | http.request.method | |
| Vendor.status_code | http.response.status_code | |
| Vendor.decoy.network_name | network.name | |
| Vendor.network.protocol | network.transport | |
| Vendor.decoy.appliance.name | observer.name | |
| Vendor.attacker.process.md5 | process.hash.md5 | |
| Vendor.attacker.process.sha1 | process.hash.sha1 | |
| Vendor.attacker.process.sha256 | process.hash.sha256 | |
| Vendor.linux.parent_process_name | process.parent.name | |
| Vendor.linux.ppid | process.parent.pid | |
| Vendor.linux.pid | process.pid | |
| Vendor.linux.user | process.user.name | |
| Vendor.threat.alert.signature_id | rule.id | |
| Vendor.threat.alert.signature | rule.name | |
| destination.address | server.address | |
| destination.bytes | server.bytes | |
| destination.domain | server.domain | |
| destination.ip | server.ip | |
| destination.packets | server.packets | |
| destination.port | server.port | |
| Vendor.network.orig_ip_bytes | source.bytes | |
| Vendor.attacker.country | source.geo.country_name | |
| Vendor.attacker.ip | source.ip | |
| Vendor.network.orig_pkts | source.packets | |
| Vendor.attacker.port | source.port | |
| Vendor.abuseip.ipAddress | threat.indicator.ip | |
| Vendor.attacker.name | threat.indicator.name | |
| Vendor.attacker.port | threat.indicator.port | |
| Vendor.type | threat.indicator.type | |
| Vendor.ssl.cipher | tls.cipher | |
| Vendor.ssl.version | tls.version | |
| Vendor.url | url.path | |
| Vendor.attacker.zcc_user | user.email | |
| Vendor.azure.identity.claim.oid | user.id | |
| Vendor.username | user.name | |