Page Comparison

...

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

source

str

hostname

str

firewall_name

str

fwname

firewall_cluster

str

fwcluster

action

str

reason

str

source_ipv4

ip4

srcIp

source_ip

str

srcIp_str

destination_ipv4

ip4

dstIp

destination_ip

str

dstIp_str

source_port

str

Code Block
str(srcPort)

srcPort

destination_port

str

Code Block
str(dstPort)

dstPort

source_zone

str

srcZone

destination_zone

str

dstZone

application

str

app

protocol

str

proto

rule

str

source_interface

str

srcIface

destination_interface

str

dstIface

source_service

str

srcService

destination_service

str

dstService

packets_total

int8

packetsTotal

packets_sent

int8

packetsSent

packets_received

int8

packetsRecv

bytes_total

int8

bytes

bytes_sent

int8

bytesSent

bytes_received

int8

bytesRecv

source_username

str

srcUser

x_forwarded_for_ip

str

firewall_ip

str

rawMessage

str

rawSource

hostchain

str

✓

tag

str

✓

...

Rw ui tabs macro

Rw tab

title	1-5

Anchor
adn.f5.bigip.afm
adn.f5.bigip.afm
adn.f5.bigip.afm

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"adn.f5.bigip.afm"

str

hostname

hostName

str

firewall_name

str

firewall_cluster

str

action

Code Block
decode(action, 'Accept', 'accept', 'Drop', 'deny', 'Reject', 'deny', action)

str

reason

dropReason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

aclRuleName

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
adn.f5.bigip.asm
adn.f5.bigip.asm
adn.f5.bigip.asm

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"adn.f5.bigip.asm"

str

hostname

hostName

str

firewall_name

str

firewall_cluster

str

action

requestStatus

Code Block
decode(requestStatus, 'passed', 'accept', 'blocked', 'deny', 'alerted', 'alerted', requestStatus)

str

reason

violations

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policyName

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

x_fwd_hdr_val

xForwardedForHeaderValue

Code Block
isnotnull(xForwardedForHeaderValue) ? str(xForwardedForHeaderValue) : isnotnull(x_fwd_hdr_val) ? str(x_fwd_hdr_val) : null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
box.iptables
box.iptables
box.iptables

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"iptables"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

logprefix

Code Block
(logprefix -> 'ACCEPT') ? 'accept' : (logprefix -> 'DENY') ? 'deny' : (logprefix -> 'REJECT') ? 'reject' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
cef0.checkPoint.vpn1Firewall1
cef0.checkPoint.vpn1Firewall1
cef0.checkPoint.vpn1Firewall1

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"checkpoint"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(lower(act) = 'reject') ? 'deny' : (lower(act) = 'drop') ? 'drop' : lower(act)

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

cs2

cs2Label

Code Block
cs2Label = "Rule Name" ? cs2 : cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.cisco.asa
cef0.cisco.asa
cef0.cisco.asa

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cef0.cisco.asa"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

Code Block

(act in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (act in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (act in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

destinationTranslatedAddress

Code Block
str(destinationTranslatedAddress)

str

firewall_ip

dvc

Code Block
str(dvc)

str

rawSource

rawMessage

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.cisco.firepower
cef0.cisco.firepower
cef0.cisco.firepower

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cef0.cisco.firepower"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(act = 'Allow') ? 'accept' : 'deny'

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs2

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Rw tab

title	6-9

Anchor
cef0.forcepoint.firewall
cef0.forcepoint.firewall
cef0.forcepoint.firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"forcepoint"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(act = 'Allow') ? 'accept' : 'deny'

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

dvc

Code Block
str(dvc)

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.fortinet.fortigateAll
cef0.fortinet.fortigateAll
cef0.fortinet.fortigateAll

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"fortinet"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.lf

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"paloalto"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(act = 'Allow') ? 'accept' : act

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.paloAltoNetworks.panOs
cef0.paloAltoNetworks.panOs
cef0.paloAltoNetworks.panOs

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"paloalto"

str

hostname

hostchain

str

firewall_name

str

firewall_cluster

str

action

signatureID

Code Block
(signatureID = 'start') ? 'accept' : 'deny'

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

dvchost

Code Block
str(dvchost)

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Rw tab

title	10-13

Anchor
cef0.stonesoft.firewall
cef0.stonesoft.firewall
cef0.stonesoft.firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"stonegate"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(act = 'Allow') ? 'accept' : 'deny'

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

dvc

Code Block
str(dvc)

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.stonesoft.stonegate
cef0.stonesoft.stonegate
cef0.stonesoft.stonegate

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"stonegate"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

act

Code Block
(act = 'Allow') ? 'accept' : 'deny'

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

cs1

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

dvc

Code Block
str(dvc)

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cef0.zscaler.nssfwlog
cef0.zscaler.nssfwlog
cef0.zscaler.nssfwlo

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cef0 zscaler nssfwlog"

str

hostname

hostchain

str

firewall_name

str

firewall_cluster

str

action

act

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
cloud.azure.firewall.application_rule
cloud.azure.firewall.application_rule
cloud.azure.firewall.application_rule

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"azure"azure"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'Allow') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	14-18

Anchor
cloud.azure.firewall.network_rule
cloud.azure.firewall.network_rule
cloud.azure.firewall.network_rule

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"azure"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'Allow') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
cloud.cloudflare.logpush.http
cloud.cloudflare.logpush.http
cloud.cloudflare.logpush.http

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cloud.cloudflare.logpush.http"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

WAFAction

Code Block
decode(WAFAction, 'challenge allow', 'allow', 'drop', 'deny', WAFAction)

str

reason

WAFRuleMessage

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

WAFRuleID

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
'edr.crowdstrike.falconstreaming.firewall_match'

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

ruleAction

Code Block
(ruleAction = '1') ? 'accept' : 'deny'

str

reason

ruleDescription

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

ruleName

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.checkpoint.fw
firewall.checkpoint.fw
firewall.checkpoint.fw

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"checkpoint"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

Code Block
str(rule)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

fwIp

Code Block
str(fwIp)

str

firewall_ip

fwIp

Code Block
str(fwIp)

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.checkpoint.gaia
firewall.checkpoint.gaia
firewall.checkpoint.gaia

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"checkpoint"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

Code Block
str(rule)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Rw tab

title	19-22

Anchor
firewall.checkpoint.lea
firewall.checkpoint.lea
firewall.checkpoint.lea

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"checkpoint"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

Code Block
str(rule)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"checkpoint log_exporter"

str

hostname

host_aux

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action in {'Accept', 'Allow', 'Bypass', 'Key Install', 'Decrypt', 'Encrypt'}) ? 'accept' : (action in {'Block', 'Detect', 'Reject', 'Redirect'}) ? 'deny' : (action = 'Drop') ? 'drop' : action

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

rule_name

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.cisco.asa
firewall.cisco.asa
firewall.cisco.asa

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco asa"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block

(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

aclId

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

machine

Code Block
str(machine)

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.cisco.fmc
firewall.cisco.fmc
firewall.cisco.fmc

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco fmc"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

accessControlRuleAction

Code Block
(accessControlRuleAction = 'Allow') ? 'accept' : (accessControlRuleAction = 'Block') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

accessControlRuleName

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	23-26

Anchor
firewall.cisco.fmc_estreamer
firewall.cisco.fmc_estreamer
firewall.cisco.fmc_estreamer

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco fmc_estreamer"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

at_computed__firewallRuleAction

Code Block

(at_computed__firewallRuleAction = 'Allow' or at_computed__firewallRuleAction = 'Trust') ? 'accept' : (at_computed__firewallRuleAction = 'Block' or at_computed__firewallRuleAction = 'Block with reset') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

at_computed__firewallRule

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.cisco.ftd
firewall.cisco.ftd
firewall.cisco.ftd

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco ftd"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

accessControlRuleAction

Code Block
(accessControlRuleAction = 'Allow') ? 'accept' : (accessControlRuleAction = 'Block') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

accessControlRuleName

Code Block
str(accessControlRuleName)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.cisco.fwsm
firewall.cisco.fwsm
firewall.cisco.fwsm

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco fwsm"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block

(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

aclId

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.cisco.pix
firewall.cisco.pix
firewall.cisco.pix

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"cisco pix"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block

(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

aclId

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	27-30

Anchor
firewall.fortinet.traffic
firewall.fortinet.traffic
firewall.fortinet.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"fortinet"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

status

action

Code Block
status ?: action

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policyID

Code Block
isnotnull(rule) ? str(rule) : str(policyID)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.juniper.isg.traffic
firewall.juniper.isg.traffic
firewall.juniper.isg.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"juniper"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'Permit') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policyId

Code Block
str(policyId)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.juniper.nsm.traffic
firewall.juniper.nsm.traffic
firewall.juniper.nsm.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"juniper"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'accepted') ? 'accept' : (action -> 'conn dropped') ? 'deny' : null('')

str

reason

details

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policyName

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
str('deviceIp')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.juniper.srx.traffic
firewall.juniper.srx.traffic
firewall.juniper.srx.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"juniper"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'CREATE') ? 'accept' : (action -> 'DENY') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policy

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	31-34

Anchor
firewall.juniper.ssg.traffic
firewall.juniper.ssg.traffic
firewall.juniper.ssg.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"juniper""

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'Permit') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

policyId

Code Block
str(policyId)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

dstXIp

Code Block
str(dstXIp)

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.meraki.flows
firewall.meraki.flows
firewall.meraki.flows

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"meraki"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'allow') ? 'accept' : 'deny'

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

fwip

Code Block
str(fwip)

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic
firewall.paloalto.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"paloalto"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'allow') ? 'accept' : action

str

reason

session_end_reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

xff_ip

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.pfsense.filterlog
firewall.pfsense.filterlog
firewall.pfsense.filterlog

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"pfsense"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

actionTaken

Code Block
(actionTaken -> 'pass') ? 'accept' : (actionTaken -> 'block') ? 'deny' : null('')

str

reason

reasonLogEntry

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

ruleNumber

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	35-38

Anchor
firewall.pfsense.firewall
firewall.pfsense.firewall
firewall.pfsense.firewall

Field in union table

Field in custom table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"pfsense"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action -> 'pass') ? 'accept' : (action -> 'block') ? 'deny' : null('')

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.sonicwall.genv58
firewall.sonicwall.genv58
firewall.sonicwall.genv58

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"sonicwall.genv58"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

c

Code Block
(band(c, 1024) = 1024) ? 'accept' : 'deny'

str

reason

msg

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.sophos.securenet.packetfilter
firewall.sophos.securenet.packetfilter
firewall.sophos.securenet.packetfilter

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"sophos"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'drop') ? 'deny' : action

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

fwrule

Code Block
str(fwrule)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"sophos"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

status

log_subtype

Code Block
(status -> 'Allow') ? 'accept' : (status -> 'Deny') ? 'deny' : (log_subtype -> 'Denied') ? 'deny' : (log_subtype -> 'Allowed') ? 'accept' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

fw_rule_id

Code Block
str(fw_rule_id)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	39-42

Anchor
firewall.stonegate.leef
firewall.stonegate.leef
firewall.stonegate.leef

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"stonegate"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

eventID

Code Block
(eventID = 'Connection_Allowed') ? 'accept' : (eventID = 'Connection_Discarded') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

✓

hostchain

str

tag

str

✓

Anchor
firewall.stonegate.xml
firewall.stonegate.xml
firewall.stonegate.xml

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"stonegate"

str

hostname

machine

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'Allow') ? 'accept' : (action in {'Refuse', 'Discard'}) ? 'deny' : null('')

str

reason

infomsg

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

rule_id

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

nodeid

Code Block
str(nodeid)

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.velocloud.traffic
firewall.velocloud.traffic
firewall.velocloud.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"velocloud"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

str

reason

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
firewall.vyatta.traffic
firewall.vyatta.traffic
firewall.vyatta.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"vyata.traffic"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action = 'PASS') ? 'accept' : (action = 'DROP') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

rule_name

Code Block
str(rule_name)

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	43-47

Anchor
firewall.watchguard.traffic
firewall.watchguard.traffic
firewall.watchguard.traffic

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"watchguard"

str

hostname

hostchain

Code Block
split(hostchain, "=", 0)

str

firewall_name

str

firewall_cluster

str

action

Code Block
(action in {'Allow', 'allow'}) ? 'accept' : (action -> 'Deny') ? 'deny' : action

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

rule_name

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
network.meraki.firewall
network.meraki.firewall
network.meraki.firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"meraki_firewall"

str

hostname

unknown2

str

firewall_name

str

firewall_cluster

str

action

-

Code Block
null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
network.meraki.l7_firewall
network.meraki.l7_firewall
network.meraki.l7_firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"meraki_l7"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

decision

Code Block
(decision -> 'allowed') ? 'accept' : (decision -> 'blocked') ? 'deny' : null('')

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
proxy.zscaler.nss_firewall
proxy.zscaler.nss_firewall
proxy.zscaler.nss_firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"zscaler nss_firewall"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

str

reason

-

Code Block
null('')

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

-

Code Block
null('')

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Anchor
proxy.zscaler.zia.firewall
proxy.zscaler.zia.firewall
proxy.zscaler.zia.firewall

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

source

-

Code Block
"zscaler zia firewall"

str

hostname

str

firewall_name

str

firewall_cluster

str

action

str

reason

rulelabel

str

source_ipv4

ip4

source_ip

str

destination_ipv4

ip4

destination_ip

str

source_port

str

destination_port

str

source_zone

str

destination_zone

str

application

str

protocol

str

rule

rulelabel

str

source_interface

str

destination_interface

str

source_service

str

destination_service

str

packets_total

int8

packets_sent

int8

packets_received

int8

bytes_total

int8

bytes_sent

int8

bytes_received

int8

source_username

str

x_forwarded_for_ip

-

Code Block
null('')

str

firewall_ip

-

Code Block
null('')

str

rawSource

rawMessage

str

✓

rawMessage

str

hostchain

str

✓

tag

str

✓

Page Comparison

Versions Compared

Old Version 61

New Version 62

Key

Anchoradn.f5.bigip.afmadn.f5.bigip.afmadn.f5.bigip.afm

Anchoradn.f5.bigip.asmadn.f5.bigip.asmadn.f5.bigip.asm

Anchorbox.iptablesbox.iptablesbox.iptables

Anchorcef0.checkPoint.vpn1Firewall1cef0.checkPoint.vpn1Firewall1cef0.checkPoint.vpn1Firewall1

Anchorcef0.cisco.asacef0.cisco.asacef0.cisco.asa

Anchorcef0.cisco.firepowercef0.cisco.firepowercef0.cisco.firepower

Anchorcef0.forcepoint.firewallcef0.forcepoint.firewallcef0.forcepoint.firewall

Anchorcef0.fortinet.fortigateAllcef0.fortinet.fortigateAllcef0.fortinet.fortigateAll

Anchorcef0.paloAltoNetworks.lfcef0.paloAltoNetworks.lfcef0.paloAltoNetworks.lf

Anchorcef0.paloAltoNetworks.panOscef0.paloAltoNetworks.panOscef0.paloAltoNetworks.panOs

Anchorcef0.stonesoft.firewallcef0.stonesoft.firewallcef0.stonesoft.firewall

Anchorcef0.stonesoft.stonegatecef0.stonesoft.stonegatecef0.stonesoft.stonegate

Anchorcef0.zscaler.nssfwlogcef0.zscaler.nssfwlogcef0.zscaler.nssfwlo

Anchorcloud.azure.firewall.application_rulecloud.azure.firewall.application_rulecloud.azure.firewall.application_rule

Anchorcloud.azure.firewall.network_rulecloud.azure.firewall.network_rulecloud.azure.firewall.network_rule

Anchorcloud.cloudflare.logpush.httpcloud.cloudflare.logpush.httpcloud.cloudflare.logpush.http

Anchoredr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_matchedr.crowdstrike.falconstreaming.firewall_match

Anchorfirewall.checkpoint.fwfirewall.checkpoint.fwfirewall.checkpoint.fw

Anchorfirewall.checkpoint.gaiafirewall.checkpoint.gaiafirewall.checkpoint.gaia

Anchorfirewall.checkpoint.leafirewall.checkpoint.leafirewall.checkpoint.lea

Anchorfirewall.checkpoint.log_exporterfirewall.checkpoint.log_exporterfirewall.checkpoint.log_exporter

Anchorfirewall.cisco.asafirewall.cisco.asafirewall.cisco.asa

Anchorfirewall.cisco.fmcfirewall.cisco.fmcfirewall.cisco.fmc

Anchorfirewall.cisco.fmc_estreamerfirewall.cisco.fmc_estreamerfirewall.cisco.fmc_estreamer

Anchorfirewall.cisco.ftdfirewall.cisco.ftdfirewall.cisco.ftd

Anchorfirewall.cisco.fwsmfirewall.cisco.fwsmfirewall.cisco.fwsm

Anchorfirewall.cisco.pixfirewall.cisco.pixfirewall.cisco.pix

Anchorfirewall.fortinet.trafficfirewall.fortinet.trafficfirewall.fortinet.traffic

Anchorfirewall.juniper.isg.trafficfirewall.juniper.isg.trafficfirewall.juniper.isg.traffic

Anchorfirewall.juniper.nsm.trafficfirewall.juniper.nsm.trafficfirewall.juniper.nsm.traffic

Anchorfirewall.juniper.srx.trafficfirewall.juniper.srx.trafficfirewall.juniper.srx.traffic

Anchorfirewall.juniper.ssg.trafficfirewall.juniper.ssg.trafficfirewall.juniper.ssg.traffic

Anchorfirewall.meraki.flowsfirewall.meraki.flowsfirewall.meraki.flows

Anchorfirewall.paloalto.trafficfirewall.paloalto.trafficfirewall.paloalto.traffic

Anchorfirewall.pfsense.filterlogfirewall.pfsense.filterlogfirewall.pfsense.filterlog

Anchorfirewall.pfsense.firewallfirewall.pfsense.firewallfirewall.pfsense.firewall

Anchorfirewall.sonicwall.genv58firewall.sonicwall.genv58firewall.sonicwall.genv58

Anchorfirewall.sophos.securenet.packetfilterfirewall.sophos.securenet.packetfilterfirewall.sophos.securenet.packetfilter

Anchorfirewall.sophos.xgfirewall.firewallfirewall.sophos.xgfirewall.firewallfirewall.sophos.xgfirewall.firewall

Anchorfirewall.stonegate.leeffirewall.stonegate.leeffirewall.stonegate.leef

Anchorfirewall.stonegate.xmlfirewall.stonegate.xmlfirewall.stonegate.xml

Anchorfirewall.velocloud.trafficfirewall.velocloud.trafficfirewall.velocloud.traffic

Anchorfirewall.vyatta.trafficfirewall.vyatta.traffic firewall.vyatta.traffic

Anchorfirewall.watchguard.trafficfirewall.watchguard.trafficfirewall.watchguard.traffic

Anchornetwork.meraki.firewallnetwork.meraki.firewallnetwork.meraki.firewall

Anchornetwork.meraki.l7_firewallnetwork.meraki.l7_firewallnetwork.meraki.l7_firewall

Anchorproxy.zscaler.nss_firewallproxy.zscaler.nss_firewallproxy.zscaler.nss_firewall

Anchorproxy.zscaler.zia.firewallproxy.zscaler.zia.firewallproxy.zscaler.zia.firewall

Anchor
adn.f5.bigip.afm
adn.f5.bigip.afm
adn.f5.bigip.afm

Anchor
adn.f5.bigip.asm
adn.f5.bigip.asm
adn.f5.bigip.asm

Anchor
box.iptables
box.iptables
box.iptables

Anchor
cef0.checkPoint.vpn1Firewall1
cef0.checkPoint.vpn1Firewall1
cef0.checkPoint.vpn1Firewall1

Anchor
cef0.cisco.asa
cef0.cisco.asa
cef0.cisco.asa

Anchor
cef0.cisco.firepower
cef0.cisco.firepower
cef0.cisco.firepower

Anchor
cef0.forcepoint.firewall
cef0.forcepoint.firewall
cef0.forcepoint.firewall

Anchor
cef0.fortinet.fortigateAll
cef0.fortinet.fortigateAll
cef0.fortinet.fortigateAll

Anchor
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.lf

Anchor
cef0.paloAltoNetworks.panOs
cef0.paloAltoNetworks.panOs
cef0.paloAltoNetworks.panOs

Anchor
cef0.stonesoft.firewall
cef0.stonesoft.firewall
cef0.stonesoft.firewall

Anchor
cef0.stonesoft.stonegate
cef0.stonesoft.stonegate
cef0.stonesoft.stonegate

Anchor
cef0.zscaler.nssfwlog
cef0.zscaler.nssfwlog
cef0.zscaler.nssfwlo

Anchor
cloud.azure.firewall.application_rule
cloud.azure.firewall.application_rule
cloud.azure.firewall.application_rule

Anchor
cloud.azure.firewall.network_rule
cloud.azure.firewall.network_rule
cloud.azure.firewall.network_rule

Anchor
cloud.cloudflare.logpush.http
cloud.cloudflare.logpush.http
cloud.cloudflare.logpush.http

Anchor
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match
edr.crowdstrike.falconstreaming.firewall_match

Anchor
firewall.checkpoint.fw
firewall.checkpoint.fw
firewall.checkpoint.fw

Anchor
firewall.checkpoint.gaia
firewall.checkpoint.gaia
firewall.checkpoint.gaia

Anchor
firewall.checkpoint.lea
firewall.checkpoint.lea
firewall.checkpoint.lea

Anchor
firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter
firewall.checkpoint.log_exporter

Anchor
firewall.cisco.asa
firewall.cisco.asa
firewall.cisco.asa

Anchor
firewall.cisco.fmc
firewall.cisco.fmc
firewall.cisco.fmc

Anchor
firewall.cisco.fmc_estreamer
firewall.cisco.fmc_estreamer
firewall.cisco.fmc_estreamer

Anchor
firewall.cisco.ftd
firewall.cisco.ftd
firewall.cisco.ftd

Anchor
firewall.cisco.fwsm
firewall.cisco.fwsm
firewall.cisco.fwsm

Anchor
firewall.cisco.pix
firewall.cisco.pix
firewall.cisco.pix

Anchor
firewall.fortinet.traffic
firewall.fortinet.traffic
firewall.fortinet.traffic

Anchor
firewall.juniper.isg.traffic
firewall.juniper.isg.traffic
firewall.juniper.isg.traffic

Anchor
firewall.juniper.nsm.traffic
firewall.juniper.nsm.traffic
firewall.juniper.nsm.traffic

Anchor
firewall.juniper.srx.traffic
firewall.juniper.srx.traffic
firewall.juniper.srx.traffic

Anchor
firewall.juniper.ssg.traffic
firewall.juniper.ssg.traffic
firewall.juniper.ssg.traffic

Anchor
firewall.meraki.flows
firewall.meraki.flows
firewall.meraki.flows

Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic
firewall.paloalto.traffic

Anchor
firewall.pfsense.filterlog
firewall.pfsense.filterlog
firewall.pfsense.filterlog

Anchor
firewall.pfsense.firewall
firewall.pfsense.firewall
firewall.pfsense.firewall

Anchor
firewall.sonicwall.genv58
firewall.sonicwall.genv58
firewall.sonicwall.genv58

Anchor
firewall.sophos.securenet.packetfilter
firewall.sophos.securenet.packetfilter
firewall.sophos.securenet.packetfilter

Anchor
firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.firewall
firewall.sophos.xgfirewall.firewall

Anchor
firewall.stonegate.leef
firewall.stonegate.leef
firewall.stonegate.leef

Anchor
firewall.stonegate.xml
firewall.stonegate.xml
firewall.stonegate.xml

Anchor
firewall.velocloud.traffic
firewall.velocloud.traffic
firewall.velocloud.traffic

Anchor
firewall.vyatta.traffic
firewall.vyatta.traffic
firewall.vyatta.traffic

Anchor
firewall.watchguard.traffic
firewall.watchguard.traffic
firewall.watchguard.traffic

Anchor
network.meraki.firewall
network.meraki.firewall
network.meraki.firewall

Anchor
network.meraki.l7_firewall
network.meraki.l7_firewall
network.meraki.l7_firewall

Anchor
proxy.zscaler.nss_firewall
proxy.zscaler.nss_firewall
proxy.zscaler.nss_firewall

Anchor
proxy.zscaler.zia.firewall
proxy.zscaler.zia.firewall
proxy.zscaler.zia.firewall