...
These are the valid tags and corresponding data tables that will receive the parsers' data:
| Product / Service | Tags | Data tables |
|---|---|---|
| Cisco Umbrella Secure Internet Gateway (SIG) | sig.cisco.umbrella | sig.cisco.umbrella |
| | sig.cisco.umbrella.audit | sig.cisco.umbrella.audit |
| | sig.cisco.umbrella.dlp | sig.cisco.umbrella.dlp |
| | sig.cisco.umbrella.dns | sig.cisco.umbrella.dns |
| | sig.cisco.umbrella.firewall | sig.cisco.umbrella.firewall |
| | sig.cisco.umbrella.intrusion | sig.cisco.umbrella.intrusion |
| | sig.cisco.umbrella.ip | sig.cisco.umbrella.ip |
| | sig.cisco.umbrella.proxy | sig.cisco.umbrella.proxy |

For more information, see About Devo tags.
...
sig.cisco.umbrella

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| type | str | vtype | |
| timestamp | timestamp | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | |

sig.cisco.umbrella.audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | int4 | |
| timestamp | str | |
| email_address | str | |
| user | str | |
| type | str | |
| action | str | |
| source_IP | ip4 | |
| before_change | str | |
| after_change | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

sig.cisco.umbrella.dlp

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| timestamp | timestamp | |
| event_type | str | |
| unique_event_id | str | |
| severity | str | |
| identity | str | |
| owner | str | |
| name | str | |
| application | str | |
| destination | str | |
| action | str | |
| rule | str | |
| data_classification | str | |
| data_identifier | str | |
| content_type | str | |
| file_size | int4 | |
| sha256_hash | str | |
| file_label | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

sig.cisco.umbrella.dns

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| mostGranularIdentity | str | | |
| identities | str | | |
| internalAddress | str | | |
| internalIp | ip4 | | |
| internalIpv6 | ip6 | | |
| externalAddress | str | | |
| externalIp | ip4 | | |
| externalIpv6 | ip6 | | |
| action | str | | |
| queryType | str | | |
| responseCode | str | | |
| relative_domain | str | | |
| domain | str | | |
| categories | str | | |
| mostGranularIdentityType | str | | |
| identityType | str | | |
| blockedCategories | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | |

sig.cisco.umbrella.firewall

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| originId | str | | |
| identity | str | | |
| identityType | str | | |
| direction | str | | |
| ipProtocol | str | | |
| packetSize | int8 | | |
| srcIp | ip4 | | |
| srcPort | str | | |
| dstIp | ip4 | | |
| dstPort | str | | |
| dataCenter | str | | |
| ruleId | str | | |
| verdict | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | |

sig.cisco.umbrella.intrusion

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| timestamp | timestamp | |
| identities | str | |
| identity_types | str | |
| generator_id | int4 | |
| signature_id | int4 | |
| signature_message | str | |
| signature_list_id | int4 | |
| severity | str | |
| attack_classification | str | |
| CVEs | str | |
| IP_protocol | str | |
| session_id | int4 | |
| source_IP | ip4 | |
| source_port | int4 | |
| destination_IP | ip4 | |
| destination_port | int4 | |
| action | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

sig.cisco.umbrella.ip

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| srcIp | ip4 | | |
| srcPort | str | | |
| dstIp | ip4 | | |
| dstPort | str | | |
| categories | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | |

sig.cisco.umbrella.proxy

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| timestamp | timestamp | | |
| identities | str | | |
| internalAddress | str | | |
| internalIp | ip4 | | |
| internalIpv6 | ip6 | | |
| externalAddress | str | | |
| externalIp | ip4 | | |
| externalIpv6 | ip6 | | |
| dstIp | ip4 | | |
| contentType | str | | |
| verdict | str | | |
| url | str | | |
| referer | str | | |
| userAgent | str | | |
| statusCode | str | | |
| requestSize | int8 | | |
| responseSize | int8 | | |
| responseBodySize | int8 | | |
| sha | str | | |
| categories | str | | |
| avDetections | str | | |
| puas | str | | |
| ampDisposition | str | | |
| ampMalwareName | str | | |
| ampScore | str | | |
| identityType | str | | |
| blockedCategories | str | | |
| all_identities | str | | |
| identity_types | str | | |
| request_method | str | | |
| dlp_status | str | | |
| certificate_errors | str | | |
| file_name | str | | |
| ruleset_id | str | | |
| rule_id | str | | |
| destination_list_ids | str | | |
| isolate_action | str | | |
| file_action | str | | |
| warn_status | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | |