forked from adriansr/nwdevice2filebeat
fields-merge.csv
# Columns: target field, mode, extra values (the number of extra values varies by row)
message,by_prio,event_description,msg
event.code,by_prio,id,messageid
rsa.misc.action,append
rsa.network.alias_host,append
host.name,by_prio,hostname,host
related.user,append
related.hosts,append
event.action,by_prio,action,event_type
host.ip,by_prio,hostip,hostip_v6,devicehostip,alias.ip,alias.ipv6
source.port,by_prio,sport,port.src,tcp.srcport,udp.srcport
destination.port,by_prio,dport,port.dst,tcp.dstport,udp.dstport
rsa.misc.result_code,by_prio,resultcode,result_code
url.original,by_prio,url_raw,url
service.name,by_prio,service.name,service
server.domain,by_prio,domain,domainname
rsa.misc.policy_name,by_prio,policyname,signame
process.pid,by_prio,process_id,child_pid
process.name,by_prio,process,child_process
rsa.misc.client,by_prio,agent,client
rsa.time.event_time_str,by_prio,event_time_string,event_time_str
rsa.investigations.event_cat,by_prio,event_cat,event.cat
rsa.investigations.event_cat_name,by_prio,event_cat_name,event.cat.name
source.nat.ip,by_prio,stransaddr,ip.trans.src
url.query,by_prio,urlquery,web_query,query
http.request.referrer,by_prio,web_referer,referer
destination.nat.ip,by_prio,dtransaddr,ip.trans.dst
rsa.email.email,append
source.nat.port,by_prio,stransport,port.trans.src
destination.nat.port,by_prio,dtransport,port.trans.dst
url.domain,by_prio,urldomain,web_domain
rsa.misc.connection_id,by_prio,connectionid,connection_id
process.ppid,by_prio,parent_pid,process_id_src
user.full_name,by_prio,user_fullname,patient_fullname
rsa.wireless.wlan_ssid,by_prio,ssid,bssid
destination.domain,by_prio,ddomain,domain.dst
source.domain,by_prio,sdomain,c_domain,domain.src
process.parent.name,by_prio,parent_process,process_src
network.forwarded_ip,by_prio,ip.orig,orig_ip,ipv6.orig
rsa.misc.phone,by_prio,calling_to,calling_from,phone_number
file.extension,by_prio,web_extension,extension
user.id,by_prio,user_id,user.id,c_logon_id
rsa.physical.org_dst,by_prio,org_dst,org.dst
host.mac,by_prio,devicehostmac,alias.mac,macaddr
url.top_level_domain,by_prio,tld,cctld
user.name,by_prio,user,username,c_username,uid,administrator,logon_id,owner,service_account,c_user_name
event.outcome,map,ecs_outcome
file.name,by_prio,filename,webpage