ips.cisco

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with ips.cisco identify events generated by Cisco IPS products.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as ips.cisco. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Cisco Security Device Event Exchange	`ips.cisco.sdee.alerts`	`ips.cisco.sdee.alerts`
Cisco Security Device Event Exchange	`ips.cisco.sdee.sdee.collector`	`ips.cisco.sdee.sdeeCollector`
Cisco Sourcefire	`ips.cisco.sourcefire.network`	`ips.cisco.sourcefire.network`
Cisco Sourcefire 3D	`ips.cisco.sourcefire3d.snort`	`ips.cisco.sourcefire3d.snort`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

ips.cisco.sdee.alerts
ips.cisco.sdee.sdeeCollector
ips.cisco.sourcefire.network
ips.cisco.sourcefire3d.snort

ips.cisco.sdee.alerts

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
sensor	`str`		vsensor
hostId	`str`
rawMessage	`str`
time	`timestamp`
severity	`str`
signature	`str`
attackerAddr	`ip4`
attackerPort	`int4`
targetAddr	`ip4`	`ip4(split(split(targets, ",")[0], ":")[0])`	targets
targetPort	`int4`	`int4(split(split(targets, ",")[0], ":")[1])`	targets
targets	`str`
protocol	`str`
riskRating	`int4`
threatRating	`int4`
signDetails	`str`
eventId	`str`
appName	`str`
appInstanceId	`str`
iface	`str`
ifaceGroup	`str`
vlan	`str`
marsCat	`str`
signVer	`str`
signId	`str`
subSignId	`str`
timeOffset	`int4`
timeZone	`str`
fromAttacker	`str`
fromTarget	`str`
unknown	`str`
hostchain	`str`			✓
tag	`str`			✓

ips.cisco.sdee.sdeeCollector

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
collector	`str`	vcollector
rawMessage	`str`
serverdate	`str`
level	`str`
component	`str`
message	`str`
hostchain	`str`		✓
tag	`str`		✓

ips.cisco.sourcefire.network

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
host	`str`	vhost
Protocol	`str`
SrcIp	`ip4`
OriginalClientIP	`str`
DstIP	`ip4`
SrcPort	`str`
DstPort	`str`
ICMPType	`str`
ICMPCode	`str`
TCPFlags	`str`
IngressInterface	`str`
IngressZone	`str`
EgressInterface	`str`
Priority	`str`
DE	`str`
Policy	`str`
GID	`str`
SID	`str`
Revision	`str`
Message	`str`
Impact	`str`
Hostname	`str`
Timestamp	`timestamp`
Classification	`str`
ConnectType	`str`
AccessControlRuleName	`str`
AccessControlRuleAction	`str`
AccessControlRuleReason	`str`
Prefilter_Policy	`str`
UserName	`str`
UserAgent	`str`
Client	`str`
ApplicationProtocol	`str`
WebApplication	`str`
FileCount	`int4`
InitiatorPackets	`int8`
ResponderPackets	`int8`
InitiatorBytes	`int8`
ResponderBytes	`int8`
ACPolicy	`str`
NAPPolicy	`str`
DNSResponseType	`str`
Sinkhole	`str`
ReferencedHost	`str`
URLCategory	`str`
URLReputation	`str`
URL	`str`
Device	`str`
Severity	`str`
EventType	`str`
ConnectionDuration	`int8`
VLAN_ID	`str`
rawMessage	`str`
hostchain	`str`		✓
tag	`str`		✓

ips.cisco.sourcefire3d.snort

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
host	`str`	vhost
syslog_facility	`str`
syslog_severity	`str`
event_type	`str`
reason	`str`
sensor	`str`
severity	`str`
message	`str`
criticality_message	`str`
threat_timestamp	`str`
signature_number	`str`
signature_name	`str`
impact	`str`
src_hostname	`str`
detected_timestamp	`str`
classification	`str`
priority	`str`
protocol	`str`
src_ip	`ip4`
src_port	`str`
src_country	`str`
dst_ip	`ip4`
dst_port	`str`
dst_country	`str`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓