Parsers and Generated Fields
Tag Fields Created by Parser cisco-firepower
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-firepower
| Source Field | CPS Field |
|---|---|
| Vendor.InitiatorBytes | destination.bytes |
| Vendor.DstIP | destination.ip |
| Vendor.NAT_ResponderIP | destination.nat.ip |
| Vendor.NAT_ResponderPort | destination.nat.port |
| Vendor.InitiatorPackets | destination.packets |
| Vendor.DstPort | destination.port |
| Vendor.DeviceUUID | device.id |
| Vendor.DNS_TTL | dns.answers[0].ttl |
| Vendor.DNSQuery | dns.question.name |
| Vendor.DNSResponseType | dns.response_code |
| Vendor.AccessControlRuleAction | event.action |
| Vendor.mnemonic | event.code |
| Vendor.AccessControlRuleReason | event.reason |
| Vendor.EventPriority | event.severity |
| Vendor.FirstPacketSecond | event.start |
| Vendor.ArchiveFileName | file.name |
| Vendor.FileName | file.name |
| Vendor.InstanceID | host.id |
| source.bytes | network.bytes |
| destination.packets | network.packets |
| Vendor.EgressInterface | observer.egress.interface.alias |
| Vendor.EgressZone | observer.egress.zone |
| log.syslog.hostname | observer.hostname |
| Vendor.IngressInterface | observer.ingress.interface.alias |
| Vendor.IngressZone | observer.ingress.zone |
| AccessControlRuleReason | rule.description |
| Vendor.AccessControlRuleName | rule.name |
| Vendor.ResponderBytes | source.bytes |
| Vendor.SrcIP | source.ip |
| Vendor.NAT_InitiatorIP | source.nat.ip |
| Vendor.NAT_InitiatorPort | source.nat.port |
| Vendor.ResponderPackets | source.packets |
| Vendor.SrcPort | source.port |
| Vendor.SSLCipherSuite | tls.cipher |
| Vendor.SSLCertificate | tls.client.certificate |
| Vendor.SSLServerName | tls.client.server_name |
| Vendor.SSLVersion | tls.version |
| url.original | url.full |
| Vendor.URL | url.original |
| user.name | user.email |
| Vendor.User | user.id |
Tag Fields Created by Parser firepower-syslog
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser firepower-syslog
| Source Field | CPS Field |
|---|---|
| Vendor.InitiatorBytesa | destination.bytes |
| Vendor.DstIP | destination.ip |
| Vendor.NAT_ResponderIP | destination.nat.ip |
| Vendor.NAT_ResponderPort | destination.nat.port |
| Vendor.InitiatorPackets | destination.packets |
| Vendor.DstPort | destination.port |
| Vendor.DeviceUUID | device.id |
| Vendor.DNS_TTL | dns.answers.ttl |
| Vendor.DNSQuery | dns.question.name |
| Vendor.DNSResponseType | dns.response_code |
| Vendor.AccessControlRuleAction | event.action |
| Vendor.mnemonic | event.code |
| Vendor.AccessControlRuleReason | event.reason |
| Vendor.EventPriority | event.severity |
| Vendor.FirstPacketSecond | event.start |
| Vendor.ArchiveFileName | file.name |
| Vendor.FileName | file.name |
| Vendor.InstanceID | host.id |
| source.bytes | network.bytes |
| destination.packets | network.packets |
| Vendor.EgressInterface | observer.egress.interface.alias |
| Vendor.EgressZone | observer.egress.zone |
| log.syslog.hostname | observer.hostname |
| Vendor.IngressInterface | observer.ingress.interface.alias |
| Vendor.IngressZone | observer.ingress.zone |
| Vendor.AccessControlRuleName | rule.name |
| Vendor.ResponderBytes | source.bytes |
| Vendor.SrcIP | source.ip |
| Vendor.NAT_InitiatorIP | source.nat.ip |
| Vendor.NAT_InitiatorPort | source.nat.port |
| Vendor.ResponderPackets | source.packets |
| Vendor.SrcPort | source.port |
| Vendor.SSLCipherSuite | tls.cipher |
| Vendor.SSLCertificate | tls.client.certificate |
| Vendor.SSLServerName | tls.client.server_name |
| Vendor.SSLVersion | tls.version |
| url.original | url.full |
| Vendor.URL | url.original |
| user.name | user.email |
| Vendor.User | user.id |