Introduction
The tags beginning with firewall.cisco
identify log events generated by the following Cisco technologies:
...
Therefore, the valid tags include:
| Product / Service | Tags | Data tables |
|---|---|---|
| Cisco Adaptive Security Appliance (ASA) Software | firewall.cisco.asa | firewall.cisco.asa |
| Cisco Secure Firewall Management Center (FMC) | firewall.cisco.fmc | firewall.cisco.fmc |
| | firewall.cisco.fmc_audit | firewall.cisco.fmc_audit |
| | firewall.cisco.fmc_other | firewall.cisco.fmc_other |
| | firewall.cisco.fmc_system | firewall.cisco.fmc_system |
| Cisco FMC eStreamer | firewall.cisco.fmc_estreamer | firewall.cisco.fmc_estreamer |
| | firewall.cisco.fmc_estreamer.connection | firewall.cisco.fmc_estreamer.connection |
| | firewall.cisco.fmc_estreamer.correlation | firewall.cisco.fmc_estreamer.correlation |
| | firewall.cisco.fmc_estreamer.event | firewall.cisco.fmc_estreamer.event |
| | firewall.cisco.fmc_estreamer.file_malware | firewall.cisco.fmc_estreamer.file_malware |
| | firewall.cisco.fmc_estreamer.intrusion | firewall.cisco.fmc_estreamer.intrusion |
| | firewall.cisco.fmc_estreamer.metadata | firewall.cisco.fmc_estreamer.metadata |
| | firewall.cisco.fmc_estreamer.packet | firewall.cisco.fmc_estreamer.packet |
| | firewall.cisco.fmc_estreamer.rna | firewall.cisco.fmc_estreamer.rna |
| | firewall.cisco.fmc_estreamer.rua | firewall.cisco.fmc_estreamer.rua |
| Cisco Firepower Threat Defense (FTD) | firewall.cisco.ftd | firewall.cisco.ftd |
| Cisco Firewall Services Module (FWSM) | firewall.cisco.fwsm | firewall.cisco.fwsm |
| Cisco PIX (Private Internet eXchange) | firewall.cisco.pix | firewall.cisco.pix |
| Cisco SFIMS | firewall.cisco.sfims | firewall.cisco.sfims |
For more information, read more about Devo tags.
...
firewall.cisco.asa

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | | |
| level | str | | vlevel | |
| severity | int4 | | priority | |
| eventId | int8 | | | |
| action | str | `(action1 -> 'Deny' or action1 -> 'denied') ? 'Denied' : action1` | action1 | |
| direction | str | `isnotnull(direction_parsed) ? direction_parsed : direction_calculated` | direction_calculated, direction_parsed | |
| action_type | str | | | |
| protocol | str | `(protocol1 -> 'IP') ? 'TCP' : protocol1` | protocol1 | |
| ifaceIn | str | | | |
| srcIp | ip4 | | | |
| srcIp_ip6 | ip6 | | | |
| srcIp_str | str | | | |
| srcPort | int4 | | | |
| srcMac | str | | | |
| srcMappedIp | ip4 | | | |
| srcMappedIp_ip6 | ip6 | | | |
| srcMappedIp_str | str | | | |
| ifaceOut | str | | | |
| dstIp | ip4 | | | |
| dstIp_ip6 | ip6 | | | |
| dstIp_str | str | | | |
| dstPort | int4 | | | |
| dstMappedIp | ip4 | | | |
| dstMappedIp_ip6 | ip6 | | | |
| dstMappedIp_str | str | | | |
| type | int4 | | | |
| code | int4 | | | |
| aclId | str | | | |
| connId | str | | | |
| duration | str | | | |
| bytes | int8 | | | |
| bytesXmt | int8 | | | |
| bytesRcv | int8 | | | |
| reason | str | | | |
| srcXIp | ip4 | | | |
| srcXIp_ip6 | ip6 | | | |
| srcXIp_str | str | | | |
| srcXPort | int4 | | | |
| dstXIp | ip4 | | | |
| dstXIp_ip6 | ip6 | | | |
| dstXIp_str | str | | | |
| dstXPort | int4 | | | |
| hitCnt | int4 | | | |
| hitInterval | str | | | |
| hashCodes | str | | | |
| fwUserIn | str | | | |
| fwUserOut | str | | | |
| user | str | | | |
| userIP | ip4 | | | |
| userIP_ip6 | ip6 | | | |
| userIP_str | str | | | |
| tcpFlags | str | | | |
| srcSeqId | int4 | | | |
| dstXSeqId | int4 | | | |
| dstSeqId | int4 | | | |
| icmpType | int4 | | | |
| icmpCode | int4 | | | |
| ipaddr | ip4 | | | |
| ipaddr_ip6 | ip6 | | | |
| ipaddr_str | str | | | |
| connection | str | | | |
| dap_details | str | | | |
| ipOptions | str | | | |
| accelType | str | | | |
| errorMessage | str | | | |
| usrName | str | | | |
| fromLevel | int4 | | | |
| toLevel | int4 | | | |
| service | str | | | |
| authAction | str | | | |
| sessionType | str | | | |
| group | str | | | |
| groupPolicy | str | | | |
| message | str | | | |
| running | str | | | |
| executed | str | | | |
| server | ip4 | | | |
| server_ip6 | ip6 | | | |
| server_str | str | | | |
| publicIp | ip4 | | | |
| publicIp_ip6 | ip6 | | | |
| publicIp_str | str | | | |
| assignedIp | ip4 | | assignedIpv4 | |
| assignedIp_ip6 | ip6 | | assignedIpv6 | |
| assignedIp_str4 | str | | | |
| assignedIp_str6 | str | | | |
| filename | str | | | |
| userAgent | str | | | |
| Object | str | | | |
| currentBurstRate | int8 | | | |
| currentBurstMaxRate | int8 | | | |
| currentAverageRate | int8 | | | |
| currentAverageMaxRate | int8 | | | |
| cumulativeTotal | int8 | | | |
| block_size | int4 | | | |
| free_blocks | int4 | | | |
| max_blocks | int4 | | | |
| attrName | str | | | |
| attrValue | str | | | |
| size | int4 | | | |
| offset | int4 | | | |
| device | str | | | |
| moduleId | str | | | |
| appName | str | | | |
| appVersion | str | | | |
| state | str | | | |
| connectionsInUse | int4 | | | |
| connectionsMostUsed | int4 | | | |
| url | str | | | |
| numTries | int4 | | | |
| limitType | str | | | |
| limitBytes | int8 | | | |
| hdrLen | int8 | | | |
| pktLen | int8 | | | |
| sessionNumber | int4 | | | |
| peerType | str | | | |
| trustPoint | str | | | |
| identityIp | ip4 | | | |
| identityIp_ip6 | ip6 | | | |
| identityIp_str | str | | | |
| remote_proxy | ip4 | | | |
| remote_proxy_ip6 | ip6 | | | |
| remote_proxy_str | str | | | |
| bay_number | str | | | |
| serial_number | str | | | |
| subject_name | str | | | |
| cert_type | str | | | |
| cert_name | str | | | |
| expiration_date | str | | | |
| issuer_name | str | | | |
| pool | str | | | |
| local_host | str | | | |
| local_host_port | int4 | | | |
| remote_host | str | | | |
| remote_host_port | int4 | | | |
| local_traffic_selector | str | | | |
| local_traffic_protocol | str | | | |
| local_traffic_port_range | str | | | |
| remote_traffic_selector | str | | | |
| remote_traffic_protocol | str | | | |
| remote_traffic_port_range | str | | | |
| session_id | str | | | |
| attribute | str | | | |
| ip6addr | str | | | |
| hostOS | str | | | |
| hostClient | str | | | |
| luType | str | | | |
| interface_number | int4 | | | |
| interface_name | str | | | |
| unit | str | | | |
| rawBrand | str | | | |
| rawPhylum | str | | | |
| rawFamily | str | | | |
| rawGenus | str | | | |
| rawSpecies | str | | | |
| rawHostName | str | | | ✓ |
| rawHostIp | str | | | ✓ |
| rawMessage | str | | | |
| hostchain | str | | | ✓ |
| tag | str | `"firewall.cisco.asa"` | | ✓ |
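The three field transformations above (action, direction and protocol) and the ip4/ip6/str address triplets are easier to read against concrete messages. The following Python is an added example, not Devo's parser and not part of the original page: it populates a subset of the firewall.cisco.asa fields from constructed ASA syslog lines (the 106023 ACL-deny and 302013 connection-built shapes) and applies the three transformations exactly as the table states them, reading Devo's `->` as string-contains. The `direction_calculated` heuristic (inbound when the ingress interface is `outside`), the mapping of the parenthesised addresses in 302013 onto the srcMappedIp/dstMappedIp columns, and always keeping the raw text in the `_str` column are assumptions of this example, not statements from the page.

```python
import re
from ipaddress import IPv4Address, ip_address

# Constructed sample lines (not from the page). Shapes follow ASA 106023 and 302013.
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/44123 dst inside:10.0.0.5/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/51000 '
    '(198.51.100.9/51000) to inside:10.0.0.8/443 (10.0.0.8/443)',
    '%ASA-4-106023: Deny tcp src outside:2001:db8::9/4000 dst inside:2001:db8:1::5/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
]

# %ASA-<priority>-<eventId>: <body>; the table sources "severity" from this priority digit.
HEADER_RE = re.compile(r"%ASA-(?P<priority>\d)-(?P<eventId>\d{6}): (?P<body>.*)$")

# 106023: <Deny> <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] by access-group "<acl>"
DENY_RE = re.compile(
    r"(?P<action1>\w+) (?P<protocol1>\w+) src (?P<ifaceIn>[^:\s]+):(?P<srcIp>[^/\s]+)(?:/(?P<srcPort>\d+))?"
    r" dst (?P<ifaceOut>[^:\s]+):(?P<dstIp>[^/\s]+)(?:/(?P<dstPort>\d+))?"
    r' by access-group "(?P<aclId>[^"]+)"'
)
# 302013: Built <dir> <proto> connection <id> for <if>:<ip>/<port> (<mapped>/<port>) to <if>:<ip>/<port> (<mapped>/<port>)
CONN_RE = re.compile(
    r"(?P<action1>\w+) (?P<direction_parsed>inbound|outbound) (?P<protocol1>\w+) connection (?P<connId>\d+)"
    r" for (?P<ifaceIn>[^:\s]+):(?P<srcIp>[^/\s]+)/(?P<srcPort>\d+) \((?P<srcMappedIp>[^/\s]+)/\d+\)"
    r" to (?P<ifaceOut>[^:\s]+):(?P<dstIp>[^/\s]+)/(?P<dstPort>\d+) \((?P<dstMappedIp>[^/\s]+)/\d+\)"
)


def ip_triplet(name, value):
    """Fill the <name> (ip4) / <name>_ip6 / <name>_str columns for one address.
    Assumption of this example: the raw text always lands in _str; an unparsable
    value (hostname, garbage) stays string-only with both typed columns empty."""
    cols = {name: None, f"{name}_ip6": None, f"{name}_str": value}
    try:
        addr = ip_address(value)
    except ValueError:
        return cols
    cols[name if isinstance(addr, IPv4Address) else f"{name}_ip6"] = str(addr)
    return cols


def parse_asa(line):
    """Return a dict keyed by firewall.cisco.asa field names, or None for a non-ASA line."""
    head = HEADER_RE.search(line)
    if head is None:
        return None
    row = {"severity": int(head["priority"]), "eventId": int(head["eventId"]),
           "tag": "firewall.cisco.asa", "rawMessage": line}
    body = DENY_RE.match(head["body"]) or CONN_RE.match(head["body"])
    if body is None:
        return row  # message id not modelled here: header fields only
    f = body.groupdict()
    # action: (action1 -> 'Deny' or action1 -> 'denied') ? 'Denied' : action1
    row["action"] = "Denied" if ("Deny" in f["action1"] or "denied" in f["action1"]) else f["action1"]
    # protocol: (protocol1 -> 'IP') ? 'TCP' : protocol1  (contains is case-sensitive, so "tcp" is kept)
    row["protocol"] = "TCP" if "IP" in f["protocol1"] else f["protocol1"]
    # direction: isnotnull(direction_parsed) ? direction_parsed : direction_calculated
    direction_calculated = "inbound" if f["ifaceIn"] == "outside" else "outbound"  # assumed heuristic
    row["direction"] = f.get("direction_parsed") or direction_calculated
    for name in ("srcIp", "dstIp", "srcMappedIp", "dstMappedIp"):
        if f.get(name):
            row.update(ip_triplet(name, f[name]))
    for name in ("srcPort", "dstPort"):
        if f.get(name):
            row[name] = int(f[name])
    for name in ("ifaceIn", "ifaceOut", "aclId", "connId"):
        if f.get(name):
            row[name] = f[name]
    return row


def parse_all(lines):
    """Parse every line, dropping those that are not ASA messages."""
    return [r for r in (parse_asa(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for row in parse_all(SAMPLE_LINES):
        print(row["eventId"], row["action"], row["direction"], row["protocol"],
              row.get("srcIp") or row.get("srcIp_ip6"), "->", row.get("dstIp") or row.get("dstIp_ip6"))
```

Note that the protocol transformation is a substring test, not an equality: a lowercase `tcp` from a 106023 deny passes through unchanged, while an `IP` token is rewritten to `TCP`. Queries that filter on `protocol` should account for both spellings.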
firewall.cisco.fmc

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| machine | str | | |
| level | str | vlevel | |
| protocol | str | | |
| srcIp | ip4 | | |
| origClientIp | str | | |
| dstIp | ip4 | | |
| srcPort | str | | |
| dstPort | str | | |
| icmpType | str | | |
| icmpCode | str | | |
| tcpFlags | str | | |
| ifaceIn | str | | |
| ifaceOut | str | | |
| priority | str | | |
| de | str | | |
| policy | str | | |
| gid | str | | |
| sid | str | | |
| revision | str | | |
| message | str | | |
| impact | str | | |
| hostname | str | | |
| timestamp | timestamp | | |
| classification | str | | |
| connType | str | | |
| accessControlRuleName | str | | |
| accessControlRuleAction | str | | |
| prefilterPolicy | str | | |
| usrName | str | | |
| userAgent | str | | |
| clientName | str | | |
| clientVersion | str | | |
| applicationProtocol | str | | |
| initiatorPackets | int4 | | |
| responderPackets | int4 | | |
| initiatorBytes | int8 | | |
| responderBytes | int8 | | |
| acPolicy | str | | |
| napPolicy | str | | |
| dnsQuery | str | | |
| dnsRecordType | str | | |
| dnsResponseType | str | | |
| dnsTTL | int4 | | |
| sinkhole | str | | |
| httpResponse | str | | |
| httpReferer | str | | |
| referencedHost | str | | |
| urlCategory | str | | |
| urlReputation | str | | |
| url | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |
firewall.cisco.fmc_audit

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| level | str | vlevel | |
| process | str | | |
| sender | str | | |
| user_name | str | | |
| user_ip | str | | |
| subsystem | str | | |
| action | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
firewall.cisco.fmc_other

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| level | str | vlevel | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
firewall.cisco.fmc_system

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| level | str | vlevel | |
| process | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
firewall.cisco.fmc_estreamer

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| hostname | str | | |
| level | str | vlevel | |
| process | str | | |
| message | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | | ✓ |
firewall.cisco.fmc_estreamer.connection

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| archiveTimestamp | timestamp | |
| checksum | int4 | |
| deviceId | int4 | |
| legacyIpAddress | str | |
| macAddress | str | |
| hasIpv6 | int4 | |
| eventSecond | int4 | |
| eventMicrosecond | int4 | |
| eventType | int4 | |
| eventSubtype | int4 | |
| ipv6Address | str | |
| blockType | int4 | |
| blockLength | int4 | |
| ingressZone | str | |
| egressZone | str | |
| ingressInterface | str | |
| egressInterface | str | |
| initiatorIpAddress | str | |
| responderIpAddress | str | |
| policyRevision | str | |
| ruleId | int8 | |
| ruleAction | int4 | |
| ruleReason | int4 | |
| initiatorPort | int4 | |
| responderPort | int4 | |
| tcpFlag | int4 | |
| protocol | int4 | |
| netflowSource | str | |
| instanceId | int4 | |
| connectionCounter | int4 | |
| firstPacketTimestamp | timestamp | |
| lastPacketTimestamp | timestamp | |
| initiatorTransmittedPackets | int4 | |
| responderTransmittedPackets | int4 | |
| initiatorTransmittedBytes | int4 | |
| responderTransmittedBytes | int4 | |
| userId | int8 | |
| applicationId | int4 | |
| urlCategory | int4 | |
| urlReputation | int4 | |
| clientApplicationId | int4 | |
| webApplicationId | int4 | |
| clientUrl__blockType | int4 | |
| clientUrl__blockLength | int4 | |
| clientUrl__data | str | |
| netbios__blockType | int4 | |
| netbios__blockLength | int4 | |
| netbios__data | str | |
| clientApplicationVersion__blockType | int4 | |
| clientApplicationVersion__blockLength | int4 | |
| clientApplicationVersion__data | str | |
| monitorRule1 | int8 | |
| monitorRule2 | int4 | |
| monitorRule3 | int4 | |
| monitorRule4 | int4 | |
| monitorRule5 | int4 | |
| monitorRule6 | int4 | |
| monitorRule7 | int4 | |
| monitorRule8 | int4 | |
| securityIntelligenceSourceDestination | int4 | |
| securityIntelligenceLayer | int4 | |
| fileEventCount | int4 | |
| intrusionEventCount | int4 | |
| initiatorCountry | int4 | |
| responderCountry | int4 | |
| iocNumber | int4 | |
| sourceAutonomousSystem | int4 | |
| destinationAutonomousSystem | int4 | |
| snmpIn | int4 | |
| snmpOut | int4 | |
| sourceTos | int4 | |
| destinationTos | int4 | |
| sourceMask | int4 | |
| destinationMask | int4 | |
| securityContext | str | |
| vlanId | int4 | |
| referencedHost__blockType | int4 | |
| referencedHost__blockLength | int4 | |
| referencedHost__data | str | |
| userAgent__blockType | int4 | |
| userAgent__blockLength | int4 | |
| userAgent__data | str | |
| httpReferrer__blockType | int4 | |
| httpReferrer__blockLength | int4 | |
| httpReferrer__data | str | |
| sslCertificateFingerprint | str | |
| sslPolicyId | str | |
| sslRuleId | int4 | |
| sslCipherSuite | int4 | |
| sslVersion | int4 | |
| sslServerCertificateStatus | int4 | |
| sslActualAction | int4 | |
| sslExpectedAction | int4 | |
| sslFlowStatus | int4 | |
| sslFlowError | int4 | |
| sslFlowMessages | int4 | |
| sslFlowFlags | int4 | |
| sslServerName__blockType | int4 | |
| sslServerName__blockLength | int4 | |
| sslServerName__data | str | |
| sslUrlCategory | int4 | |
| sslSessionId | str | |
| sslSessionIdLength | int4 | |
| sslTicketId | str | |
| sslTicketIdLength | int4 | |
| networkAnalysisPolicyRevision | str | |
| endpointProfileId | int4 | |
| securityGroupId | int4 | |
| locationIpv6 | str | |
| httpResponse | int4 | |
| dnsQuery__blockType | int4 | |
| dnsQuery__blockLength | int4 | |
| dnsQuery__data | str | |
| dnsRecordType | int4 | |
| dnsResponseType | int4 | |
| dnsTtl | int4 | |
| sinkholeUuid | str | |
| securityIntelligenceList1 | int4 | |
| securityIntelligenceList2 | int4 | |
| at_computed__recordTypeCategory | str | |
| at_computed__recordTypeDescription | str | |
| at_computed__transportProtocol | str | |
| at_computed__webApplication | str | |
| at_computed__clientApplication | str | |
| at_computed__applicationProtocol | str | |
| at_computed__securityIntelligenceIp | str | |
| at_computed__securityIntelligenceEvent | str | |
| at_computed__urlCategory | str | |
| at_computed__urlReputation | str | |
| at_computed__firewallRule | str | |
| at_computed__firewallRuleAction | str | |
| at_computed__firewallRuleReason | str | |
| at_computed__firewallPolicy | str | |
| at_computed__ingressInterface | str | |
| at_computed__egressInterface | str | |
| at_computed__ingressSecurityZone | str | |
| at_computed__egressSecurityZone | str | |
| at_computed__sourceIpCountry | str | |
| at_computed__destinationIpCountry | str | |
| at_computed__user | str | |
| at_computed_dnsRecordName | str | |
| at_computed_dnsRecordDescription | str | |
| at_computed__sslActualAction | str | |
| at_computed__sslExpectedAction | str | |
| at_computed__sslFlowStatus | str | |
| at_computed__sslServerCertificateStatus | str | |
| at_computed__sslCipherSuite | str | |
| at_computed__sslVersion | str | |
| at_computed__monitorRule1 | str | |
| at_computed__monitorRule2 | str | |
| at_computed__monitorRule3 | str | |
| at_computed__monitorRule4 | str | |
| at_computed__monitorRule5 | str | |
| at_computed__monitorRule6 | str | |
| at_computed__monitorRule7 | str | |
| at_computed__sensor | str | |
| at_computed__eventDescription | str | |
| at_computed__eventSecond | timestamp | |
| at_computed__eventDateTime | timestamp | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.correlation

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| correlationPolicyId | int4 | |
| nameLength | int4 | |
| name | str | |
| descriptionLength | int4 | |
| description | str | |
| uuid | int4 | |
| revisionUuid | int4 | |
| correlationBlockType | int4 | |
| correlationBlockLength | int4 | |
| deviceId | int4 | |
| eventSecond | int4 | |
| eventId | int4 | |
| policyId | int4 | |
| ruleId | int4 | |
| priority | int4 | |
| stringBlockType | int4 | |
| stringBlockLength | int4 | |
| eventType | int4 | |
| eventDeviceId | int4 | |
| signatureId | int4 | |
| signatureGeneratorId | int4 | |
| eventMicrosecond | int4 | |
| eventDefinedMask | str | |
| eventImpactFlags | str | |
| ipProtocol | int4 | |
| networkProtocol | int4 | |
| sourceIpAddress | str | |
| sourceHostType | int4 | |
| sourceVlanId | int4 | |
| sourceOsFingerprintUuid | int4 | |
| sourceCriticality | int4 | |
| sourceUserId | int4 | |
| sourcePort | int4 | |
| sourceServerId | int4 | |
| destinationIpAddress | str | |
| destinationHostType | int4 | |
| destinationVlanId | int4 | |
| destinationOsFingerprintUuid | int4 | |
| destinationCriticality | int4 | |
| destinationUserId | int4 | |
| destinationPort | int4 | |
| destinationServiceId | int4 | |
| blocked | int4 | |
| ingressInterfaceUuid | int4 | |
| egressInterfaceUuid | int4 | |
| ingressZoneUuid | int4 | |
| egressZoneUuid | int4 | |
| sourceIpv6Address | str | |
| destinationIpv6Address | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.event

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| recordType | int4 | | | |
| recordLength | int4 | | | |
| intrusionImpactAlertBlockType | int4 | | | |
| intrusionImpactAlertBlockLength | int4 | | | |
| eventId | int4 | | | |
| deviceId | int4 | | | |
| eventSecond | int4 | | | |
| impact | str | | | |
| sourceIpAddress | str | | | |
| destinationIpAddress | str | | | |
| stringBlockType | int4 | | | |
| stringBlockType_str | str | `str(stringBlockType)` | stringBlockType | |
| stringBlockLength | int4 | | | |
| description | str | | | |
| eventExtraDataDataBlockType | int4 | | | |
| eventExtraDataDataBlockLength | int4 | | | |
| type | int4 | | | |
| blobBlockType | int4 | | | |
| length | int4 | | | |
| extraData | str | | | |
| correlationBlockType | int4 | | | |
| correlationBlockLength | int4 | | | |
| policyId | int4 | | | |
| ruleId | int4 | | | |
| priority | int4 | | | |
| eventType | int4 | | | |
| eventDeviceId | int4 | | | |
| signatureId | int4 | | | |
| signatureGeneratorId | int4 | | | |
| eventMicrosecond | int4 | | | |
| eventDefinedMask | str | | | |
| eventImpactFlags | str | | | |
| ipProtocol | int4 | | | |
| networkProtocol | int4 | | | |
| sourceHostType | int4 | | | |
| sourceVlanId | int4 | | | |
| sourceOsFingerprintUuid | int4 | | | |
| sourceCriticality | int4 | | | |
| sourceUserId | int4 | | | |
| sourcePort | int4 | | | |
| sourceServerId | int4 | | | |
| destinationHostType | int4 | | | |
| destinationVlanId | int4 | | | |
| destinationOsFingerprintUuid | int4 | | | |
| destinationCriticality | int4 | | | |
| destinationUserId | int4 | | | |
| destinationPort | int4 | | | |
| destinationServiceId | int4 | | | |
| blocked | int4 | | | |
| intrusionPolicy | int4 | | | |
| ruleAction | int4 | | | |
| netbiosDomain | str | | | |
| urlCategory | int4 | | | |
| urlReputation | int4 | | | |
| url | str | | | |
| clientId | int4 | | | |
| clientVersion | str | | | |
| accessControlPolicyRevision | int4 | | | |
| accessControlRuleId | int4 | | | |
| ingressInterfaceUuid | int4 | | | |
| egressInterfaceUuid | int4 | | | |
| ingressZoneUuid | int4 | | | |
| egressZoneUuid | int4 | | | |
| sourceIpv6Address | str | | | |
| destinationIpv6Address | str | | | |
| sourceCountry | int4 | | | |
| destinationCountry | int4 | | | |
| securityIntelligenceUuid | int4 | | | |
| securityContext | int4 | | | |
| sslPolicyId | int4 | | | |
| sslRuleId | int4 | | | |
| sslActualAction | int4 | | | |
| sslFlowStatus | int4 | | | |
| sslCertificateFingerprint | int4 | | | |
| ampforEndpointsFileTypeId | int4 | | | |
| ampforEndpointsFileTypeLength | int4 | | | |
| ampforEndpointsFileType | str | | | |
| uuidStringDataBlockType | int4 | | | |
| uuidStringDataBlockLength | int4 | | | |
| sinkholeUuid | int4 | | | |
| sinkholeNameLength | int4 | | | |
| sinkholeName | str | | | |
| accessControlPolicyMetadataBlockType | int4 | | | |
| accessControlPolicyMetadataBlockLength | int4 | | | |
| accessControlPolicyUuid | int4 | | | |
| sensorId | int4 | | | |
| name | str | | | |
| accessControlRuleReasonBlockType | int4 | | | |
| accessControlRuleReasonBlockLength | int4 | | | |
| prefilterPolicyUuid | int4 | | | |
| archiveTimestamp | timestamp | | | |
| checksum | int4 | | | |
| blockType | str | | | |
| blockLength | int4 | | | |
| uuid | str | | | |
| description_object | json | | | |
| name_object | json | | | |
| computed | json | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
firewall.cisco.fmc_estreamer.file_malware

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| recordType | int4 | |
| recordLength | int4 | |
| archiveTimestamp | timestamp | |
| checksum | int4 | |
| blockType | int4 | |
| blockLength | int4 | |
| deviceId | int4 | |
| connectionInstance | int4 | |
| connectionCounter | int4 | |
| connectionTimestamp | timestamp | |
| fileEventTimestamp | timestamp | |
| sourceIpAddress | str | |
| destinationIpAddress | str | |
| disposition | int4 | |
| speroDisposition | int4 | |
| fileStorageStatus | int4 | |
| fileAnalysisStatus | int4 | |
| localMalwareAnalysisStatus | int4 | |
| archiveFileStatus | int4 | |
| threatScore | int4 | |
| action | int4 | |
| shaHash | str | |
| fileTypeId | int4 | |
| fileName__blockType | int4 | |
| fileName__blockLength | int4 | |
| fileName__data | str | |
| fileSize | int4 | |
| direction | int4 | |
| applicationId | int4 | |
| userId | int8 | |
| uri__blockType | int4 | |
| uri__blockLength | int4 | |
| uri__data | str | |
| signature__blockType | int4 | |
| signature__blockLength | int4 | |
| signature__data | str | |
| sourcePort | int4 | |
| destinationPort | int4 | |
| protocol | int4 | |
| accessControlPolicyUuid | str | |
| sourceCountry | int4 | |
| destinationCountry | int4 | |
| webApplicationId | int4 | |
| clientApplicationId | int4 | |
| securityContext | str | |
| sslCertificateFingerprint | str | |
| sslActualAction | int4 | |
| sslFlowStatus | int4 | |
| archiveSha__blockType | int4 | |
| archiveSha__blockLength | int4 | |
| archiveSha__data | str | |
| archiveName__blockType | int4 | |
| archiveName__blockLength | int4 | |
| archiveName__data | str | |
| archiveDepth | int4 | |
| httpResponse | int4 | |
| at_computed__recordTypeCategory | str | |
| at_computed__recordTypeDescription | str | |
| at_computed__filePolicy | str | |
| at_computed__fileAction | str | |
| at_computed__detection | str | |
| at_computed__transportProtocol | str | |
| at_computed__disposition | str | |
| at_computed__speroDisposition | str | |
| at_computed__fileStorageStatus | str | |
| at_computed__fileType | str | |
| at_computed__webApplication | str | |
| at_computed__clientApplication | str | |
| at_computed__applicationProtocol | str | |
| at_computed__direction | str | |
| at_computed__sourceIpCountry | str | |
| at_computed__destinationIpCountry | str | |
| at_computed__user | str | |
| at_computed__sslActualAction | str | |
| at_computed__sslFlowStatus | str | |
| at_computed__malwareAnalysisStatus | str | |
| at_computed__archiveFileStatus | str | |
| at_computed__sensor | str | |
| at_computed__eventSecond | timestamp | |
| at_computed__eventDateTime | timestamp | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.intrusion

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| recordType | int4 | | | |
| recordLength | int4 | | | |
| blockType | int4 | | | |
| blockLength | int4 | | | |
| deviceId | int4 | | | |
| eventId | int4 | | | |
| eventSecond | int4 | | | |
| eventMicrosecond | int4 | | | |
| ruleId | int4 | | | |
| generatorId | int4 | | | |
| ruleRevision | int4 | | | |
| classificationId | int4 | | | |
| priorityId | int4 | | | |
| sourceIpAddress | str | | | |
| destinationIpAddress | str | | | |
| sourcePort | int4 | | | |
| icmpType | int4 | | | |
| destinationPort | int4 | | | |
| icmpCode | int4 | | | |
| ipProtocolNumber | int4 | | | |
| impactFlags | str | | | |
| impact | int4 | | | |
| blocked | int4 | | | |
| mplsLabel | int4 | | | |
| vlanId | int4 | | | |
| pad | int4 | | | |
| policyUuid_str | str | | | |
| userId | int4 | | | |
| webApplicationId | int4 | | | |
| clientApplicationId | int4 | | | |
| applicationId | int4 | | | |
| applicationProtocolId | int4 | | | |
| accessControlRuleId | int4 | | | |
| accessControlPolicyUuid_str | str | | | |
| interfaceIngressUuid_str | str | | | |
| interfaceEgressUuid_str | str | | | |
| securityZoneIngressUuid_str | str | | | |
| securityZoneEgressUuid_str | str | | | |
| connectionTimestamp | int4 | | | |
| connectionInstanceId | int4 | | | |
| connectionCounter | int4 | | | |
| sourceCountry | int4 | | | |
| destinationCountry | int4 | | | |
| iocNumber | int4 | | | |
| securityContext | int4 | | | |
| sslCertificateFingerprint | int4 | | | |
| sslActualAction | int4 | | | |
| sslFlowStatus | int4 | | | |
| networkAnalysisPolicyUuid_str | str | | | |
| httpResponse | int4 | | | |
| sourcePortOrIcmpType | int4 | | | |
| destinationPortOrIcmpType | int4 | | | |
| ipProtocolId | int4 | | | |
| computed_record_type_category | str | | | |
| computed_record_type_description | str | | | |
| computed_message | str | | | |
| computed_rendered_id | int4 | | | |
| computed_classification_description | str | | | |
| computed_classifcation_name | str | | | |
| computed_ids_policy | str | | | |
| computed_firewall_rule | str | | | |
| computed_firewall_policy | str | | | |
| computed_priority | str | | | |
| computed_blocked | str | | | |
| computed_transport_protocol | str | | | |
| computed_web_application | str | | | |
| computed_client_application | str | | | |
| computed_application_protocol | str | | | |
| computed_ingress_interface | str | | | |
| computed_egress_inferface | str | | | |
| computed_ingress_security_zone | str | | | |
| computed_egress_security_zone | str | | | |
| computed_source_ip_country | str | | | |
| computed_destination_ip_country | str | | | |
| computed_user | str | | | |
| computed_ssl_actual_action | str | | | |
| computed_ssl_flow_status | str | | | |
| computed_impact | int4 | | | |
| computed_impact_description | str | | | |
| computed_network_analysis_policy | str | | | |
| computed_sensor | str | | | |
| computed_event_second | int4 | | | |
| computed_event_date_time | timestamp | `parsedate(computed_event_date_time_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSS"))` | computed_event_date_time_str | |
| computed_event_microsecond | int4 | | | |
| computed | json | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
firewall.cisco.fmc_estreamer.metadata

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| archiveTimestamp | int4 | |
| checksum | int4 | |
| id | int4 | |
| length | int4 | |
| name | str | |
| blockType | int4 | |
| blockLength | int4 | |
| protocol | int4 | |
| uuid | str | |
| generatorId | str | |
| ruleId | str | |
| ruleRevision | str | |
| signatureId | str | |
| messageLength | int4 | |
| ruleUuid | str | |
| ruleRevisionUuid | str | |
| message | str | |
| disposition | str | |
| userDefined | str | |
| shaHash | str | |
| countryCode | str | |
| nameLength | int4 | |
| vendor | str | |
| vendorLength | int4 | |
| version | str | |
| versionLength | int4 | |
| descriptionLength | int4 | |
| revisionUuid | str | |
| code | int4 | |
| type | int4 | |
| computed | json | |
| computed_record_type_category | str | |
| computed_record_type_description | str | |
| computed_disposition | str | |
| category | json | |
| eventType | json | |
| name_json | json | |
| description | json | |
| fileName | json | |
| country | json | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.packet

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| archiveTimestamp | timestamp | |
| checksum | int4 | |
| deviceId | int4 | |
| eventId | int4 | |
| eventSecond | int4 | |
| packetSecond | int4 | |
| packetMicrosecond | int4 | |
| linkType | int4 | |
| packetLength | int4 | |
| packetData | str | |
| computed | json | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.rna

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| deviceId | int4 | |
| legacyIpAddress | int4 | |
| legacyIpAddress_str | str | |
| macAddress | int4 | |
| macAddress_str | str | |
| hasIpv6 | int4 | |
| eventSecond | int4 | |
| eventMicrosecond | int4 | |
| eventType | int4 | |
| eventSubtype | int4 | |
| fileNumber | str | |
| filePosition | str | |
| ipv6Address | str | |
| hostServerBlockType | int4 | |
| hostServerBlockLength | int4 | |
| port | int4 | |
| hits | int4 | |
| lastUsed | int4 | |
| genericListBlockType | int4 | |
| genericListBlockLength | int4 | |
| serverInformationDataBlocks | str | |
| confidence | int4 | |
| webApplicationDataBlocks | str | |
| clientApplicationBlockType | int4 | |
| wlientApplicationBlockLength | int4 | |
| id | int4 | |
| applicationProtocolId | int4 | |
| stringBlockType | int4 | |
| stringBlockLength | int4 | |
| version | int4 | |
| hostMacAddressDataBlockType | int4 | |
| hostMacAddressDataBlockLength | int4 | |
| ttl | int4 | |
| primary | int4 | |
| lastSeen | int4 | |
| operatingSystemFingerprintDataBlockType | int4 | |
| operatingSystemDataBlockLength | int4 | |
| fingerprintUuid | int4 | |
| fingerprintType | int4 | |
| fingerprintSourceType | int4 | |
| fingerprintSourceId | int4 | |
| ttlDifference | int4 | |
| mobileDeviceInformationDataBlocks | str | |
| identityDataBlockType | int4 | |
| identityDataBlockLength | int4 | |
| identityDataSourceType | int4 | |
| identityDataSourceId | int4 | |
| uuid | int4 | |
| protocol | int4 | |
| serverMapId | int4 | |
| integerBlockType | int4 | |
| integerBlockLength | int4 | |
| integer | int4 | |
| archiveTimestamp | timestamp | |
| checksum | int4 | |
| computed | json | |
| osfingerprint | json | |
| client_object | json | |
| networkProtocol | str | |
| transportProtocol | str | |
| hops | str | |
| identity | json | |
| mac | json | |
| hostProfile | json | |
| hostServer | json | |
| id_object | json | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.fmc_estreamer.rua

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| recordType | int4 | |
| recordLength | int4 | |
| deviceId | int4 | |
| legacyIpAddress_str | str | |
| macAddress | str | |
| hasIpv6 | int4 | |
| eventSecond | int4 | |
| eventMicrosecond | int4 | |
| eventType | int4 | |
| eventSubtype | int4 | |
| ipv6Address | str | |
| timestamp | int4 | |
| ipv4Address | str | |
| username_json | json | |
| username | str | |
| userId | int4 | |
| applicationId | int4 | |
| protocol | int4 | |
| email_json | json | |
| email | str | |
| loginType | int4 | |
| reportedBy_json | json | |
| reportedBy | str | |
| archiveTimestamp | timestamp | |
| checksum | int4 | |
| user | json | |
| userBlockLength | int4 | |
| userBlockType | int4 | |
| userIpv6Address | str | |
| computed | json | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
firewall.cisco.ftd

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | | |
| level | str | | vlevel | |
| severity | int4 | | | |
| eventId | int8 | | | |
| reasonCode | str | | | |
| deviceUUID | str | | | |
| eventPriority | str | | | |
| accessControlRuleAction | str | | | |
| accessControlRuleReason | str | | | |
| srcIP | str | | | |
| dstIP | str | | | |
| srcPort | str | | | |
| dstPort | str | | | |
| protocol | str | | | |
| ingressInterface | str | | | |
| egressInterface | str | | | |
| ingressZone | str | | | |
| egressZone | str | | | |
| acPolicy | str | | | |
| accessControlRuleName | str | | | |
| prefilterPolicy | str | | | |
| user | str | | | |
| srcClient | str | | | |
| applicationProtocol | str | | | |
| interfaceProtocol | str | | | |
| srcInterface | str | | | |
| interfaceName | str | | | |
| realIP | str | | | |
| realPort | str | | | |
| mappedInterface | str | | | |
| mappedIP | str | | | |
| mappedPort | str | | | |
| initiatorPackets | str | | | |
| responderPackets | str | | | |
| initiatorBytes | str | | | |
| responderBytes | str | | | |
| napPolicy | str | | | |
| secIntMatchingIP | str | | | |
| ipReputationSICategory | str | | | |
| connectionDuration | str | | | |
| dnsRecordType | str | | | |
| dnsResponseType | str | | | |
| dnsTTL | str | | | |
| dnsQuery | str | | | |
| dnsSICategory | str | | | |
| instanceID | str | | | |
| firstPacketSecond | str | | | |
| firstPacketTime | str | | | |
| connectionID | str | | | |
| priority | str | | | |
| gid | str | | | |
| sid | str | | | |
| revision | str | | | |
| eventMessage | str | | | |
| classification | str | | | |
| intrusionPolicy | str | | | |
| httpResponse | str | | | |
| inlineResult | str | | | |
| ingressVRF | str | | | |
| egressVRF | str | | | |
| fileDirection | str | | | |
| fileAction | str | | | |
| fileSHA256 | str | | | |
| shaDisposition | str | | | |
| speroDisposition | str | | | |
| threatName | str | | | |
| threatScore | str | | | |
| fileName | str | | | |
| fileType | str | | | |
| fileSize | str | | | |
| fileStorageStatus | str | | | |
| filePolicy | str | | | |
| webApplication | str | | | |
| fileSandboxStatus | str | | | |
| archiveFileName | str | | | |
| archiveFileStatus | str | | | |
| archiveSHA256 | str | | | |
| archiveDepth | str | | | |
| uri | str | | | |
| url | str | | | |
| connectionsInUse | str | | | |
| connectionsMostUsed | str | | | |
| connectionType | str | | | |
| translation | str | | | |
| idfw_user | str | | | |
| direction | str | | | |
| spi | str | | | |
| localIP | str | | | |
| localPort | str | | | |
| localMac | str | | | |
| seqNum | str | | | |
| remoteIP | str | | | |
| netMask | str | | | |
| remotePort | str | | | |
| remoteMac | str | | | |
| tunnel | str | | | |
| object | str | | | |
| dropRate | str | | | |
| burstRate | str | | | |
| maxBurstRate | str | | | |
| currentRate | str | | | |
| maxCurrentRate | str | | | |
| totalRateCount | str | | | |
| dnsLookup | str | | | |
| failReason | str | | | |
| tunnelRequest | str | | | |
| tunnelGroup | str | | | |
| localSelectors | str | | | |
| remoteSelectors | str | | | |
| negotiationError | str | | | |
| tcp_flags | str | | | |
| source_interface_name | str | | | |
| destination_interface_name | str | | | |
| access_group | str | | | |
| connection_id | str | | | |
| duration | str | | | |
| bytes | str | | | |
| icmp_type | str | | | |
| type | str | | | |
| code | str | | | |
| route_type | str | | | |
| source | str | | | |
| before | str | | | |
| after | str | | | |
| clock | str | | | |
| device | str | | | |
| config_status | str | | | |
| application_name | str | | | |
| command | str | | | |
| message | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
firewall.cisco.fwsm

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
tag | str | | |
level | str | | vlevel |
severity | int4 | | |
eventId | int8 | | |
action | str | | |
direction | str | | |
protocol | str | | |
ifaceIn | str | | |
srcHost | str | | |
srcIp | ip4 | | |
srcPort | int4 | | |
ifaceOut | str | | |
dstHost | str | | |
dstIp | ip4 | | |
dstPort | int4 | | |
aclId | str | | |
connId | str | | |
duration | str | | |
bytes | int8 | | |
reason | str | | |
srcXIp | ip4 | | |
srcXPort | int4 | | |
dstXIp | ip4 | | |
dstXPort | int4 | | |
hitCnt | int4 | | |
hitInterval | str | | |
hashCodes | str | | |
tcpFlags | str | | |
dstService | str | | |
fwUserIn | str | | |
fwUserOut | str | | |
user | str | | |
message | | ifthenelse(direction = "inbound", spi, spi_inbound_value) | direction spi spi_inbound_value |
spi_outbound | str | ifthenelse(direction = "outbound", spi, spi_outbound_value) | spi_outbound_value direction spi |
localIP | str | | |
localPort | str | | |
localMac | str | | |
seqNum | str | | |
remoteIP | str | | |
netMask | str | | |
remotePort | str | | |
remoteMac | str | | |
tunnel | str | | |
object | str | | |
dropRate | str | | |
burstRate | str | | |
maxBurstRate | str | | |
currentRate | str | | |
maxCurrentRate | str | | |
totalRateCount | str | | |
dnsLookup | str | | |
failReason | str | | |
tunnelRequest | str | | |
tunnelGroup | str | | |
localSelectors | str | | |
remoteSelectors | str | | |
negotiationError | str | | |
tcp_flags | str | | |
source_interface_name | str | | |
destination_interface_name | str | | |
access_group | str | | |
connection_id | str | | |
duration | str | | |
bytes | str | | |
icmp_type | str | | |
type | str | | |
code | str | | |
route_type | str | | |
source | str | | |
before | str | | |
after | str | | |
clock | str | | |
peerIP | str | | |
crypto_map_tag | str | | |
transaction_description | str | | |
phase | str | | |
action | str | | |
group_name | str | | |
msg_id | str | | |
keepalive_type | str | | |
NAT_initiator_ip | str | | |
NAT_initiator_port | str | | |
NAT_responder_ip | str | | |
NAT_responder_port | str | | |
client_app_detector | str | | |
device | str | | |
config_status | str | | |
application_name | str | | |
command | str | | |
message | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓
firewall.cisco.fwsm

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
tag | str | |
level | str | vlevel |
severity | int4 | |
eventId | int8 | |
action | str | |
direction | str | |
protocol | str | |
ifaceIn | str | |
srcHost | str | |
srcIp | ip4 | |
srcPort | int4 | |
ifaceOut | str | |
dstHost | str | |
dstIp | ip4 | |
dstPort | int4 | |
aclId | str | |
connId | str | |
duration | str | |
bytes | int8 | |
reason | str | |
srcXIp | ip4 | |
srcXPort | int4 | |
dstXIp | ip4 | |
dstXPort | int4 | |
hitCnt | int4 | |
hitInterval | str | |
hashCodes | str | |
tcpFlags | str | |
dstService | str | |
fwUserIn | str | |
fwUserOut | str | |
user | str | |
message | str | | ✓
hostchain | str | | ✓
rawMessage | str | | ✓
firewall.cisco.pix

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
tag | str | |
level | str | vlevel |
severity | int4 | |
eventId | int8 | |
action | str | |
direction | str | |
protocol | str | |
ifaceIn | str | |
srcIp | ip4 | |
srcPort | int4 | |
ifaceOut | str | |
dstIp | ip4 | |
dstPort | int4 | |
aclId | str | |
connId | str | |
duration | str | |
bytes | int8 | |
reason | str | |
srcXIp | ip4 | |
srcXPort | int4 | |
dstXIp | ip4 | |
dstXPort | int4 | |
hitCnt | int4 | |
hitInterval | str | |
hashCodes | str | |
fwUserIn | str | |
fwUserOut | str | |
user | str | |
tcpFlags | str | |
srcSeqId | int4 | |
dstXSeqId | int4 | |
dstSeqId | int4 | |
message | str | |
hostchain | str | | ✓
rawMessage | str | | ✓
firewall.cisco.sfims

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
level | str | vlevel |
protocol | str | |
srcIP | ip4 | |
originalClientIP | str | |
dstIP | ip4 | |
srcPort | int4 | |
dstPort | int4 | |
priority | str | |
DE | str | |
policy | str | |
napPolicy | str | |
acPolicy | str | |
gid | int8 | |
sid | int8 | |
revision | str | |
message | str | |
classification | str | |
httpResponse | str | |
httpReferer | str | |
tcpFlags | str | |
ingressInterface | str | |
egressInterface | str | |
egressZone | str | |
connectType | str | |
accessControlRuleName | str | |
accessControlRuleAction | str | |
prefilter_Policy | str | |
userName | str | |
userAgent | str | |
clientName | str | |
clientVersion | str | |
applicationProtocol | str | |
initiatorPackets | str | |
responderPackets | str | |
initiatorBytes | str | |
responderBytes | str | |
sinkhole | str | |
referencedHost | str | |
urlCategory | str | |
urlReputation | str | |
url | str | |
ingressZone | str | |
dnsResponseType | str | |
dnsQuery | str | |
dnsRecordType | str | |
accessControlRuleReason | str | |
secIntMatchingIP | str | |
ipReputationSICategory | str | |
dnsSICategory | str | |
ipsCount | str | |
hostchain | str | |
rawMessage | | |