adn.f5.bigip.afm

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"adn.f5.bigip.afm"` | str | |
| hostname | hostName | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `decode(action, 'Accept', 'accept', 'Drop', 'deny', 'Reject', 'deny', action)` | str | |
| reason | dropReason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | aclRuleName | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
adn.f5.bigip.asm

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"adn.f5.bigip.asm"` | str | |
| hostname | hostName | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | requestStatus | `decode(requestStatus, 'passed', 'accept', 'blocked', 'deny', 'alerted', 'alerted', requestStatus)` | str | |
| reason | violations | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policyName | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | x_fwd_hdr_val, xForwardedForHeaderValue | `isnotnull(xForwardedForHeaderValue) ? str(xForwardedForHeaderValue) : isnotnull(x_fwd_hdr_val) ? str(x_fwd_hdr_val) : null('')` | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
box.iptables

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | logprefix | `(logprefix -> 'ACCEPT') ? 'accept' : (logprefix -> 'DENY') ? 'deny' : (logprefix -> 'REJECT') ? 'reject' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
cef0.checkPoint.vpn1Firewall1

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(lower(act) = 'reject') ? 'deny' : (lower(act) = 'drop') ? 'drop' : lower(act)` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1, cs2, cs2Label | `cs2Label = "Rule Name" ? cs2 : cs1` | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.cisco.asa

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cef0.cisco.asa"` | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (act in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (act in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | destinationTranslatedAddress | `str(destinationTranslatedAddress)` | str | |
| firewall_ip | dvc | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.cisco.firepower

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cef0.cisco.firepower"` | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act = 'Allow') ? 'accept' : 'deny'` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs2 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.forcepoint.firewall

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act = 'Allow') ? 'accept' : 'deny'` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | dvc | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.fortinet.fortigateAll

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.paloAltoNetworks.lf

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act = 'Allow') ? 'accept' : act` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.paloAltoNetworks.panOs

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | signatureID | `(signatureID = 'start') ? 'accept' : 'deny'` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | dvchost | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.stonesoft.firewall

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act = 'Allow') ? 'accept' : 'deny'` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | dvc | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.stonesoft.stonegate

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act = 'Allow') ? 'accept' : 'deny'` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | cs1 | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | dvc | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cef0.zscaler.nssfwlog

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cef0 zscaler nssfwlog"` | str | |
| hostname | hostchain | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | act | `(act -> 'Allow') ? 'accept' : (act -> 'Drop') ? 'drop' : (act -> 'Reset') ? 'drop' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
cloud.azure.firewall.application_rule

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'Allow') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
cloud.azure.firewall.network_rule

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'Allow') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
cloud.cloudflare.logpush.http

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cloud.cloudflare.logpush.http"` | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | WAFAction | `decode(WAFAction, 'challenge allow', 'allow', 'drop', 'deny', WAFAction)` | str | |
| reason | WAFRuleMessage | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | WAFRuleID | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
edr.crowdstrike.falconstreaming.firewall_match

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `'edr.crowdstrike.falconstreaming.firewall_match'` | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | ruleAction | `(ruleAction = '1') ? 'accept' : 'deny'` | str | |
| reason | ruleDescription | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | ruleName | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
firewall.checkpoint.fw

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | fwIp | | str | |
| firewall_ip | fwIp | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
firewall.checkpoint.gaia

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
### firewall.checkpoint.lea

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'reject') ? 'deny' : (action = 'drop') ? 'drop' : action` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
### firewall.checkpoint.log_exporter

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"checkpoint log_exporter"` | str | |
| hostname | host_aux | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'Accept', 'Allow', 'Bypass', 'Key Install', 'Decrypt', 'Encrypt'}) ? 'accept' : (action in {'Block', 'Detect', 'Reject', 'Redirect'}) ? 'deny' : (action = 'Drop') ? 'drop' : action` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule_name | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.asa

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | aclId | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | machine | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.fmc

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | accessControlRuleAction | `(accessControlRuleAction = 'Allow') ? 'accept' : (accessControlRuleAction = 'Block') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | accessControlRuleName | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.fmc_estreamer

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"cisco fmc_estreamer"` | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | at_computed__firewallRuleAction | `(at_computed__firewallRuleAction = 'Allow' or at_computed__firewallRuleAction = 'Trust') ? 'accept' : (at_computed__firewallRuleAction = 'Block' or at_computed__firewallRuleAction = 'Block with reset') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | at_computed__firewallRule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.ftd

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | accessControlRuleAction | `(accessControlRuleAction = 'Allow') ? 'accept' : (accessControlRuleAction = 'Block') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | accessControlRuleName | `str(accessControlRuleName)` | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.fwsm

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | aclId | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.cisco.pix

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'permitted', 'Built', 'est-allowed', 'executed', 'Pre-allocate SIP SIGNALLING UDP secondary channel', 'Pre-allocate SIP Via UDP secondary channel', 'Retrieved', 'granted', 'built', 'Teardown', 'teardown', 'assigned a session'}) ? 'accept' : (action in {'Deny', 'denied', 'Denied', 'Inbound TCP connection denied', 'No matching connection for ICMP', 'discarded', 'Duplicate TCP SYN'}) ? 'deny' : (action in {'AAA user authentication Successful', 'User authentication failed', 'Login permitted', 'User authentication succeeded', 'User logged out', 'User priv level changed', 'WebVPN session started', 'User', 'Username', 'authentication', 'Authorization', 'logout', 'WebVPN session terminated', 'Stored'}) ? 'user' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | aclId | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.fortinet.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | status, action | `status ?: action` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule, policyID | `isnotnull(rule) ? str(rule) : str(policyID)` | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.juniper.isg.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'Permit') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policyId | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.juniper.nsm.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'accepted') ? 'accept' : (action -> 'conn dropped') ? 'deny' : null('')` | str | |
| reason | details | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policyName | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | `str('deviceIp')` | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.juniper.srx.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'CREATE') ? 'accept' : (action -> 'DENY') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policy | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.juniper.ssg.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'Permit') ? 'accept' : (action -> 'Deny') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policyId | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | dstXIp | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.meraki.flows

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'allow') ? 'accept' : 'deny'` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | fwip | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.paloalto.traffic

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'allow') ? 'accept' : action` | str | |
| reason | session_end_reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | xff_ip | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.pfsense.filterlog

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | actionTaken | `(actionTaken -> 'pass') ? 'accept' : (actionTaken -> 'block') ? 'deny' : null('')` | str | |
| reason | reasonLogEntry | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | ruleNumber | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
### firewall.pfsense.firewall

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action -> 'pass') ? 'accept' : (action -> 'block') ? 'deny' : null('')` | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.sangfor.app_control.event**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"sangfor.app_control"` | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'allow', 'Allow'}) ? 'accept' : (action in {'Block', 'block'}) ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | policy_name | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.sonicwall.genv58**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"sonicwall.genv58"` | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | c | `(band(c, 1024) = 1024) ? 'accept' : 'deny'` | str | |
| reason | msg | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.sophos.securenet.packetfilter**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'drop') ? 'deny' : action` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | fwrule | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.sophos.xgfirewall.firewall**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | status, log_subtype | `(status -> 'Allow') ? 'accept' : (status -> 'Deny') ? 'deny' : (log_subtype -> 'Denied') ? 'deny' : (log_subtype -> 'Allowed') ? 'accept' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | fw_rule_id | `str(fw_rule_id)` | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.stonegate.leef**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | eventID | `(eventID = 'Connection_Allowed') ? 'accept' : (eventID = 'Connection_Discarded') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | ✓ |
| hostchain | hostchain | | str | |
| tag | tag | | str | ✓ |
**firewall.stonegate.xml**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | machine | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'Allow') ? 'accept' : (action in {'Refuse', 'Discard'}) ? 'deny' : null('')` | str | |
| reason | infomsg | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule_id | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | nodeid | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.velocloud.traffic**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | | str | |
| reason | reason | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.vyatta.traffic**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"vyata.traffic"` | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action = 'PASS') ? 'accept' : (action = 'DROP') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule_name | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**firewall.watchguard.traffic**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostchain | `split(hostchain, "=", 0)` | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | `(action in {'Allow', 'allow'}) ? 'accept' : (action -> 'Deny') ? 'deny' : action` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rule_name | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**network.meraki.firewall**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"meraki_firewall"` | str | |
| hostname | unknown2 | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | - | | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawSource | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**network.meraki.l7_firewall**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | decision | `(decision -> 'allowed') ? 'accept' : (decision -> 'blocked') ? 'deny' : null('')` | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**proxy.zscaler.nss_firewall**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"zscaler nss_firewall"` | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | | str | |
| reason | - | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | - | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |
**proxy.zscaler.zia.firewall**

| Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|---|---|---|---|
| eventdate | eventdate | | timestamp | |
| source | - | `"zscaler zia firewall"` | str | |
| hostname | hostname | | str | |
| firewall_name | firewall_name | | str | |
| firewall_cluster | firewall_cluster | | str | |
| action | action | | str | |
| reason | rulelabel | | str | |
| source_ipv4 | source_ipv4 | | ip4 | |
| source_ip | source_ip | | str | |
| destination_ipv4 | destination_ipv4 | | ip4 | |
| destination_ip | destination_ip | | str | |
| source_port | source_port | | str | |
| destination_port | destination_port | | str | |
| source_zone | source_zone | | str | |
| destination_zone | destination_zone | | str | |
| application | application | | str | |
| protocol | protocol | | str | |
| rule | rulelabel | | str | |
| source_interface | source_interface | | str | |
| destination_interface | destination_interface | | str | |
| source_service | source_service | | str | |
| destination_service | destination_service | | str | |
| packets_total | packets_total | | int8 | |
| packets_sent | packets_sent | | int8 | |
| packets_received | packets_received | | int8 | |
| bytes_total | bytes_total | | int8 | |
| bytes_sent | bytes_sent | | int8 | |
| bytes_received | bytes_received | | int8 | |
| source_username | source_username | | str | |
| x_forwarded_for_ip | - | | str | |
| firewall_ip | - | | str | |
| rawSource | rawMessage | | str | ✓ |
| rawMessage | rawMessage | | str | |
| hostchain | hostchain | | str | ✓ |
| tag | tag | | str | ✓ |