Parsers and Generated Fields
Tag Fields Created by Parser forcepoint-dlp
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser forcepoint-dlp
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.caseDateAndTime | @timestamp | Timestamp for report data |
| Vendor.timeStamp | @timestamp | Timestamp for event data |
| Vendor.name | agent.name | Name of the agent |
| Vendor.name | agent.name | |
| Vendor.device.version | agent.version | Version of the agent |
| Vendor.device.version | agent.version | |
| Vendor.destinationHosts | destination.domain | Destination host domain when not "N/A" |
| Vendor.sourceServiceName | event.action | Action performed in the event |
| Vendor.sourceServiceName | event.action | |
| Vendor.eventId | event.id | Unique identifier for the event |
| Vendor.eventId | event.id | |
| Vendor.riskScore | event.risk_score | Risk score for report events |
| Vendor.riskScore | event.risk_score | |
| Vendor.severity | event.severity | Mapped severity based on numeric value |
| Vendor.act | event.type[1] | Conditional mapping for denied actions |
| Vendor.fname | file.name, | File name and size extraction |
| Vendor.riskScore | host.risk.calculated_score | Risk score mapped to host risk |
| event.risk_score | host.risk.calculated_score | |
| Vendor.msg | rule.name | Name of the rule that triggered |
| Vendor.msg | rule.name | |
| Vendor.sourceIp | source.address | |
| Vendor.sourceIp | source.address, | Source IP address when not "N/A" |
| Vendor.sourceHost | source.domain | Source host domain when not "N/A" |
| source.address; | source.ip | |
| Vendor.severityType | threat.indicator.confidence | Confidence level of the threat indicator |
| Vendor.severityType | threat.indicator.confidence | |
| Vendor.caseDescription | threat.indicator.description | Description of the threat indicator |
| Vendor.caseDescription | threat.indicator.description | |
| Vendor.numberOfIncidents | threat.indicator.sightings | Number of incidents related to the threat |
| Vendor.numberOfIncidents | threat.indicator.sightings | |
| Vendor.loginName | user.domain | Domain extraction from username if in domain\user format |
| Vendor.duser | user.email | User email address |
| Vendor.duser | user.email | |
| Vendor.loginName | user.name | Username |
| Vendor.loginName | user.name |