.firewall.cisco.ftd vv7.9.0
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The tags beginning with firewall.cisco.ftd identify events generated by Cisco Firepower Threat Defense.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as firewall.cisco. The third level identifies the type of events sent.
Technology | Brand | Type |
|---|---|---|
Firewall | cisco | ftd |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| firewall.cisco.ftd | firewall.cisco.ftd |
How is the data sent to Devo?
Logs generated by Cisco Firepower Thread Defense Firewall must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Relay rule 1
Source Port → any free port available
- Source Data → %FTD-
Target Tag → firewall.cisco.ftd
Select the Stop Processing and Sent without syslog tag checkboxes
Log samples
The following are sample logs sent to each of the firewall.cisco.ftd data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
firewall.cisco.ftd
2022-02-08 16:34:59.512 localhost=127.0.0.1 user.info firewall.cisco.ftd: %FTD-1-430002: DeviceUUID: bb1f99a4-8f64-11e7-98cc-b977c0a32636, AccessControlRuleAction: Allow, SrcIP: 1.9.2.9, DstIP: 192.168.33.14, SrcPort: 48078, DstPort: 25, Protocol: tcp, IngressInterface: SUW-DMZ, EgressInterface: SUW-QTS-WAN, IngressZone: SUW-DMZ, EgressZone: SUW-QTS-WAN, ACPolicy: SUW Policy, AccessControlRuleName: Allow - DMZ/DMZ4 - WAN, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: SMTP client, ApplicationProtocol: SMTP, InitiatorPackets: 5, ResponderPackets: 7, InitiatorBytes: 391, ResponderBytes: 570, NAPPolicy: Balanced Security and Connectivity, SecIntMatchingIP: Source, IPReputationSICategory: PMC_Blacklist_Misc_Attacker 2022-02-08 16:34:59.734 localhost=127.0.0.1 user.info firewall.cisco.ftd: %FTD-1-430002: EventPriority: High, DeviceUUID: 8ddc86de-73e2-11ec-92c9-e72558cc3301, InstanceID: 54, FirstPacketSecond: 2022-01-25T16:35:35Z, ConnectionID: 7286, AccessControlRuleAction: Domain Not Found, AccessControlRuleReason: DNS Block, SrcIP: 192.168.64.234, DstIP: 192.168.83.42, SrcPort: 17352, DstPort: 53, Protocol: udp, IngressInterface: Inside_Port_Channel, IngressZone: InsideZone, ACPolicy: DIR-ACP-Baseline, Prefilter Policy: TX-DIR-Prefilter, Client: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 101, ResponderBytes: 0, NAPPolicy: Connectivity Over Security, DNSQuery: ads.mydomain.com, DNSRecordType: a host address, DNSResponseType: No Error, DNSSICategory: DIR-Blacklist-Domain 2022-02-08 16:34:59.734 localhost=127.0.0.1 user.info firewall.cisco.ftd: %FTD-1-430003: DeviceUUID: bb1f99a4-8f64-11e7-98cc-b977c0a32636, AccessControlRuleAction: Allow, SrcIP: 10.99.2.91, DstIP: 192.168.222.222, SrcPort: 50719, DstPort: 53, Protocol: udp, IngressInterface: SUW-DMZ, EgressInterface: SUW-QTS-WAN, IngressZone: SUW-DMZ, EgressZone: SUW-QTS-WAN, ACPolicy: SUW Policy, AccessControlRuleName: Allow - DMZ/DMZ4 - WAN, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 84, ResponderBytes: 139, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNSResponseType: Non-Existent Domain, DNS_TTL: 1051 2022-02-08 16:34:59.735 localhost=127.0.0.1 user.info firewall.cisco.ftd: %FTD-0-430001: DeviceUUID: a1d6ae56-dcbe-11ea-8921-949392ecf875, InstanceID: 7, FirstPacketSecond: 2021-02-24T01:22:01Z, ConnectionID: 52386, SrcIP: 1.1.3.2, DstIP: 192.168.123.101, SrcPort: 80, DstPort: 4986, Protocol: tcp, IngressInterface: IF_ONPREM_DMZ, EgressInterface: IF_OUTSIDE, IngressZone: ONPREM_DMZ, EgressZone: ONPREM_OUTSIDE, Priority: 1, GID: 1, SID: 46840, Revision: 1, Message: MALWARE-OTHER GPON exploit download attempt, Classification: A Network Trojan was Detected, Client: Web browser, ApplicationProtocol: HTTP, IntrusionPolicy: PLAINS_ONPREM, ACPolicy: ACP_Q9BH, AccessControlRuleName: ACL_IF_OUTSIDE_IN_#21, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 302, InlineResult: Blocked, IngressVRF: Global, EgressVRF: Global 2022-02-08 16:35:00.098 localhost=127.0.0.1 user.info firewall.cisco.ftd: %FTD-1-430005: DeviceUUID: a1d6ae56-dcbe-11ea-8921-949392ecf875, InstanceID: 2, FirstPacketSecond: 2021-03-06T13:58:32Z, ConnectionID: 52507, SrcIP: 1.1.3.29, DstIP: 192.168.83.9, SrcPort: 58952, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: d80dfc72d315e6f0701b5ba4754e8480336e98eabff4a56a694b97fc5d455c38, SHA_Disposition: Clean, SperoDisposition: Spero detection not performed on file, ThreatScore: 39, FileName: mrt_map.dll, FileType: MSEXE, FileSize: 31008, ApplicationProtocol: HTTP, Client: Web browser, WebApplication: Microsoft, FilePolicy: PLAINS_MALWARE_FILE, FileSandboxStatus: Sent for Analysis, ArchiveFileName: bc2b77dd-5801-4779-b34d-77119629866c, ArchiveDepth: 1, URI: http://some.mydomain.org/folders/files/whatever?P1=1615039733&P2=404&P3=2&P4=ciXK0UwAi7DRMUppyTeY63AWMZDB7nE5YKUx8HG7NiEygsRiB1mpW5wjDcnb0esYgJY4qZvSagDL0OCqumSYTQ%3d%3d, IngressVRF: Global, EgressVRF: Global
And this is how the log would be parsed:
Field | Value | Type | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
|
| ||
machine |
|
| ||
level |
|
| vlevel | |
severity |
|
| ||
eventId |
|
| ||
reasonCode |
|
| ||
deviceUUID |
|
| ||
eventPriority |
|
| ||
accessControlRuleAction |
|
| ||
accessControlRuleReason |
|
| ||
srcIP |
|
| ||
dstIP |
|
| ||
srcPort |
|
| ||
dstPort |
|
| ||
protocol |
|
| ||
ingressInterface |
|
| ||
egressInterface |
|
| ||
ingressZone |
|
| ||
egressZone |
|
| ||
acPolicy |
|
| ||
accessControlRuleName |
|
| ||
prefilterPolicy |
|
| ||
user |
|
| ||
srcClient |
|
| ||
applicationProtocol |
|
| ||
interfaceProtocol |
|
| ||
srcInterface |
|
| ||
interfaceName |
|
| ||
realIP |
|
| ||
realPort |
|
| ||
mappedInterface |
|
| ||
mappedIP |
|
| ||
mappedPort |
|
| ||
initiatorPackets |
|
| ||
responderPackets |
|
| ||
initiatorBytes |
|
| ||
responderBytes |
|
| ||
napPolicy |
|
| ||
secIntMatchingIP |
|
| ||
ipReputationSICategory |
|
| ||
connectionDuration |
|
| ||
dnsRecordType |
|
| ||
dnsResponseType |
|
| ||
dnsTTL |
|
| ||
dnsQuery |
|
| ||
dnsSICategory |
|
| ||
instanceID |
|
| ||
firstPacketSecond |
|
| ||
firstPacketTime |
|
| ||
connectionID |
|
| ||
priority |
|
| ||
gid |
|
| ||
sid |
|
| ||
revision |
|
| ||
eventMessage |
|
| ||
classification |
|
| ||
intrusionPolicy |
|
| ||
httpResponse |
|
| ||
inlineResult |
|
| ||
ingressVRF |
|
| ||
egressVRF |
|
| ||
fileDirection |
|
| ||
fileAction |
|
| ||
fileSHA256 |
|
| ||
shaDisposition |
|
| ||
speroDisposition |
|
| ||
threatName |
|
| ||
threatScore |
|
| ||
fileName |
|
| ||
fileType |
|
| ||
fileSize |
|
| ||
fileStorageStatus |
|
| ||
filePolicy |
|
| ||
webApplication |
|
| ||
fileSandboxStatus |
|
| ||
archiveFileName |
|
| ||
archiveFileStatus |
|
| ||
archiveSHA256 |
|
| ||
archiveDepth |
|
| ||
uri |
|
| ||
connectionsInUse |
|
| ||
connectionsMostUsed |
|
| ||
translation |
|
| ||
idfw_user |
|
| ||
direction |
|
| ||
spi |
|
| ||
localIP |
|
| ||
localPort |
|
| ||
seqNum |
|
| ||
remoteIP |
|
| ||
remotePort |
|
| ||
tunnel |
|
| ||
object |
|
| ||
dropRate |
|
| ||
burstRate |
|
| ||
maxBurstRate |
|
| ||
currentRate |
|
| ||
maxCurrentRate |
|
| ||
totalRateCount |
|
| ||
dnsLookup |
|
| ||
failReason |
|
| ||
tunnelRequest |
|
| ||
tunnelGroup |
| |||
localSelectors |
|
| ||
remoteSelectors |
|
| ||
negotiationError |
|
| ||
message |
|
| ||
hostchain |
|
| ✓ | |
tag |
|
| ✓ | |
rawMessage |
|
| ✓ |