
proxy.ironport

Introduction

Tags beginning with proxy.ironport identify events generated by Cisco Web Security (formerly IronPort Proxy Server), a Cisco product.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as proxy.ironport. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Cisco Web Security (formerly IronPort Proxy Server) | proxy.ironport.access.squid | proxy.ironport.access.squid |

For more information, read About Devo tags.

Table structure

These are the fields displayed in this table:

proxy.ironport.access.squid

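| Field | Type | Source field name | Extra fields |
| --- | --- | --- | --- |
| eventdate | timestamp | | |
| machine | str | vmachine | |
| serverdate | timestamp | | |
| level | str | | |
| srcIp | ip4 | | |
| user | str | | |
| dstHost | str | | |
| method | str | | |
| url | str | | |
| statusCode | int4 | | |
| responseTime | int4 | | |
| responseLength | int4 | | |
| contentType | str | | |
| requestStat | str | | |
| hierarchyStat | str | | |
| aclTag | str | | |
| webcat | str | | |
| wbrsScore | str | | |
| webrootScanverdict | int4 | | |
| webrootThreatName | str | | |
| webrootTrr | str | | |
| webrootSpyid | str | | |
| webrootTraceId | str | | |
| mcafeeScanverdict | int4 | | |
| mcafeeFilename | str | | |
| mcafeeAvScanerror | str | | |
| mcafeeAvDetecttype | str | | |
| mcafeeAvVirustype | str | | |
| mcafeeVirusName | str | | |
| sophosScanverdict | int4 | | |
| sophosScanerror | str | | |
| sophosFileName | str | | |
| sophosVirusName | str | | |
| idsVerdict | int4 | | |
| icapVerdict | int4 | | |
| webcatReqCode | str | | |
| webcatRespCode | str | | |
| respDvsVerdictname | str | | |
| wbrsThreatType | str | | |
| avcApp | str | | |
| avcType | str | | |
| avcBehavior | str | | |
| requestRewrite | str | | |
| avgBw | float8 | | |
| bwThrottled | int4 | | |
| userType | str | | |
| reqDvsVerdictname | str | | |
| reqDvsThreatName | str | | |
| ampVerdict | int4 | | |
| ampMalwareName | str | | |
| ampScore | int4 | | |
| ampUpload | int4 | | |
| ampFilename | str | | |
| ampSha | str | | |
| userAgent | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |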