
utm.cisco

Introduction

Tags beginning with utm.cisco identify events generated by Cisco Unified Threat Management (UTM) products.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as utm.cisco. The third level identifies the product or event type (wsa for Cisco Secure Web Appliance) and the fourth the event subtype (for example access-std or traffic-std). Note that the tag uses a hyphen (access-std) while the data table that receives the events uses camel case (accessStd).

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Cisco Secure Web Appliance | utm.cisco.wsa.access-std | utm.cisco.wsa.accessStd |
| Cisco Secure Web Appliance | utm.cisco.wsa.traffic-std | utm.cisco.wsa.trafficStd |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables. Only eventdate and timestamp (timestamp), srcIp and dstIp (ip4) and httpResponseCode (int4) are typed; numeric-looking values such as elapsedTimeMs, responseSize and wbrsScore are stored as str and must be cast before numeric comparisons.

utm.cisco.wsa.accessStd

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| rawMessage | str | rawSource | |
| timestamp | timestamp | | |
| elapsedTimeMs | str | | |
| srcIp | ip4 | | |
| resultCode | str | | |
| httpResponseCode | int4 | | |
| responseSize | str | | |
| method | str | | |
| request | str | | |
| authUserName | str | | |
| serverCode | str | | |
| dataSrc | str | | |
| responseMIMEtype | str | | |
| aclDecisionTag | str | | |
| policyGroup | str | | |
| identityPolicyGroup | str | | |
| outboundMalwScannPolicy | str | | |
| dataSecurityPolicy | str | | |
| extDLPPolicy | str | | |
| routingPolicy | str | | |
| webCat | str | | |
| wbrsScore | str | | |
| webrootScanverdict | str | | |
| webrootThreatName | str | | |
| webrootTrr | str | | |
| webrootSpyId | str | | |
| webrootTraceId | str | | |
| mcafeeScanverdict | str | | |
| mcafeeFilename | str | | |
| mcafeeAvScanerror | str | | |
| mcafeeAvDetecttype | str | | |
| mcafeeAvVirustype | str | | |
| mcafeeVirusName | str | | |
| sophosScanverdict | str | | |
| sophosScanerror | str | | |
| sophosFileName | str | | |
| sophosVirusName | str | | |
| idsVerdict | str | | |
| icapVerdict | str | | |
| webcatReqCode | str | | |
| webcatRespCode | str | | |
| respDvsVerdictname | str | | |
| wbrsThreatType | str | | |
| avcApp | str | | |
| avcType | str | | |
| avcBehavior | str | | |
| requestRewrite | str | | |
| avgBw | str | | |
| bwThrottled | str | | |
| userType | str | | |
| reqDvsVerdictname | str | | |
| reqDvsThreatname | str | | |
| ampVerdict | str | | |
| ampMalwarename | str | | |
| ampScore | str | | |
| ampUpload | str | | |
| ampFilename | str | | |
| ampSha | str | | |
| suspectUserAgent | str | | ✓ |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
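As an added example that is neither Devo's parser nor Cisco's code, the following Python enforces the four-level tag rule from the "Valid tags and data tables" section and parses a WSA-style access log line into the accessStd fields above. It assumes the Squid-style layout of the WSA access log: timestamp, elapsed time, client IP, result code/HTTP status, size, method, URL, user, server code/data source, MIME type, a hyphen-joined ACL decision tag carrying the six policy names, a comma-separated verdict block in angle brackets in the same order the table lists webCat through ampSha, and the suspect user agent at the end. The sample line, its addresses, user and policy names are constructed for this example.

```python
import csv
import ipaddress
import re
from datetime import datetime, timezone

# Valid tags from this page and the data table each one feeds.
TAG_TO_TABLE = {
    "utm.cisco.wsa.access-std": "utm.cisco.wsa.accessStd",
    "utm.cisco.wsa.traffic-std": "utm.cisco.wsa.trafficStd",
}

# Fields carried by the hyphen-joined ACL decision tag, in order (assumed layout).
ACL_FIELDS = ["aclDecisionTag", "policyGroup", "identityPolicyGroup",
              "outboundMalwScannPolicy", "dataSecurityPolicy", "extDLPPolicy",
              "routingPolicy"]

# Comma-separated verdict block inside <...>, assumed to follow the order of
# the accessStd table (webCat through ampSha), 38 positions in total.
VERDICT_FIELDS = [
    "webCat", "wbrsScore", "webrootScanverdict", "webrootThreatName", "webrootTrr",
    "webrootSpyId", "webrootTraceId", "mcafeeScanverdict", "mcafeeFilename",
    "mcafeeAvScanerror", "mcafeeAvDetecttype", "mcafeeAvVirustype", "mcafeeVirusName",
    "sophosScanverdict", "sophosScanerror", "sophosFileName", "sophosVirusName",
    "idsVerdict", "icapVerdict", "webcatReqCode", "webcatRespCode",
    "respDvsVerdictname", "wbrsThreatType", "avcApp", "avcType", "avcBehavior",
    "requestRewrite", "avgBw", "bwThrottled", "userType", "reqDvsVerdictname",
    "reqDvsThreatname", "ampVerdict", "ampMalwarename", "ampScore", "ampUpload",
    "ampFilename", "ampSha",
]

LINE_RE = re.compile(
    r"^(?P<timestamp>\d+\.\d+)\s+(?P<elapsedTimeMs>\d+)\s+(?P<srcIp>\S+)\s+"
    r"(?P<resultCode>[A-Z_]+)/(?P<httpResponseCode>\d{3})\s+(?P<responseSize>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<request>\S+)\s+(?P<authUserName>\S+)\s+"
    r"(?P<serverCode>[A-Z_]+)/(?P<dataSrc>\S+)\s+(?P<responseMIMEtype>\S+)\s+"
    r"(?P<acl>\S+)\s+<(?P<verdicts>.*)>\s*(?P<suspectUserAgent>.*)$"
)

# Constructed sample line; addresses, user and policy names are made up.
SAMPLE_LINE = (
    "1278096903.150 97 10.1.2.3 TCP_MISS/200 8187 GET http://example.com/index.html "
    "jdoe@example.com DIRECT/example.com text/html "
    "DEFAULT_CASE_12-DefaultGroup-DefaultIdentity-NONE-NONE-NONE-DefaultRouting "
    '<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-",'
    '"Unknown","Unknown","-","-",198.34,0,[Local],"-","-",-,"-",-,-,"-","-"> -'
)


def table_for_tag(tag):
    """Enforce the four-level utm.cisco.<type>.<subtype> rule; return the table."""
    levels = tag.split(".")
    if len(levels) != 4 or levels[:2] != ["utm", "cisco"]:
        raise ValueError(f"tag must have exactly 4 levels starting with utm.cisco: {tag!r}")
    if tag not in TAG_TO_TABLE:
        raise ValueError(f"unknown utm.cisco event type/subtype: {tag!r}")
    return TAG_TO_TABLE[tag]


def parse_access_std(line, tag="utm.cisco.wsa.access-std"):
    """Parse one WSA access log line into the accessStd field set."""
    table = table_for_tag(tag)
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the assumed WSA access log layout")
    g = m.groupdict()
    event = {"tag": tag, "rawMessage": line}
    # Typed columns: timestamp, ip4 and int4 are converted, the rest stay str.
    event["timestamp"] = datetime.fromtimestamp(float(g["timestamp"]), tz=timezone.utc)
    event["srcIp"] = str(ipaddress.IPv4Address(g["srcIp"]))  # rejects a non-IPv4 value
    event["httpResponseCode"] = int(g["httpResponseCode"])
    for k in ("elapsedTimeMs", "resultCode", "responseSize", "method", "request",
              "authUserName", "serverCode", "dataSrc", "responseMIMEtype",
              "suspectUserAgent"):
        event[k] = g[k]
    # Decision tag: positional split on '-'. A hyphen inside a policy name makes
    # the split ambiguous, so a count mismatch is rejected rather than guessed.
    acl = g["acl"].split("-")
    if len(acl) != len(ACL_FIELDS):
        raise ValueError(f"expected {len(ACL_FIELDS)} hyphen-separated parts in {g['acl']!r}")
    event.update(zip(ACL_FIELDS, acl))
    # Verdict block: csv handles the quoted values, which may themselves contain commas.
    verdicts = next(csv.reader([g["verdicts"]]))
    if len(verdicts) != len(VERDICT_FIELDS):
        raise ValueError(f"expected {len(VERDICT_FIELDS)} verdict fields, got {len(verdicts)}")
    event.update(zip(VERDICT_FIELDS, verdicts))
    return table, event


if __name__ == "__main__":
    table, ev = parse_access_std(SAMPLE_LINE)
    print(table, ev["srcIp"], ev["httpResponseCode"], ev["aclDecisionTag"], ev["webCat"])
```

The parser fails closed: a tag with the wrong number of levels, a client IP that is not IPv4, or a verdict block whose field count does not match the table is rejected instead of being stored with silently shifted columns, which is the failure mode that makes positional formats like this one misleading in a SIEM.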

utm.cisco.wsa.trafficStd

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| rawMessage | str | rawSource | |
| srcIp | ip4 | | |
| dstIp | ip4 | | |
| discoveredFor | str | | |
| list | str | | |
| added | str | | |
| message | str | | ✓ |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
