Parsers and Generated Fields
Tag Fields Created by Parser cisco-firepower
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser cisco-firepower

Source Field | CPS Field |
---|---|
Vendor.InitiatorBytes | destination.bytes |
Vendor.DstIP | destination.ip |
Vendor.NAT_ResponderIP | destination.nat.ip |
Vendor.NAT_ResponderPort | destination.nat.port |
Vendor.InitiatorPackets | destination.packets |
Vendor.DstPort | destination.port |
Vendor.DeviceUUID | device.id |
Vendor.DNS_TTL | dns.answers[0].ttl |
Vendor.DNSQuery | dns.question.name |
Vendor.DNSRecordType | dns.question.type |
Vendor.DNSResponseType | dns.response_code |
Vendor.AccessControlRuleAction | event.action |
Vendor.AccessControlRuleReason | event.reason |
Vendor.EventPriority | event.severity |
Vendor.FirstPacketSecond | event.start |
Vendor.ArchiveFileName | file.name |
Vendor.FileName | file.name |
Vendor.InstanceID | host.id |
Vendor.HTTPReferer | http.request.referrer |
Vendor.HTTPResponse | http.response.status_code |
Vendor.WebApplication | network.application |
source.bytes | network.bytes |
destination.packets | network.packets |
Vendor.EgressInterface | observer.egress.interface.alias |
Vendor.EgressVRF | observer.egress.vlan.name |
Vendor.EgressZone | observer.egress.zone |
log.syslog.hostname | observer.hostname |
Vendor.IngressInterface | observer.ingress.interface.alias |
Vendor.IngressVRF | observer.ingress.vlan.name |
Vendor.IngressZone | observer.ingress.zone |
Vendor.DetectionType | rule.category |
Vendor.AccessControlRuleReason | rule.description |
Vendor.AccessControlRuleName | rule.name |
Vendor.ACPolicy | rule.ruleset |
Vendor.ResponderBytes | source.bytes |
Vendor.SrcIP | source.ip |
Vendor.NAT_InitiatorIP | source.nat.ip |
Vendor.NAT_InitiatorPort | source.nat.port |
Vendor.ResponderPackets | source.packets |
Vendor.SrcPort | source.port |
Vendor.SSLCipherSuite | tls.cipher |
Vendor.SSLCertificate | tls.client.certificate |
Vendor.SSLServerName | tls.client.server_name |
Vendor.SSLVersion | tls.version |
url.original | url.full |
Vendor.URL | url.original |
user.name | user.email |
Vendor.User | user.id |
Vendor.Client | user_agent.name |
Vendor.UserAgent | user_agent.original |
Vendor.ClientVersion | user_agent.version |

Tag Fields Created by Parser firepower-syslog

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser firepower-syslog

Source Field | CPS Field |
---|---|
Vendor.InitiatorBytesa | destination.bytes |
Vendor.DstIP | destination.ip |
Vendor.NAT_ResponderIP | destination.nat.ip |
Vendor.NAT_ResponderPort | destination.nat.port |
Vendor.InitiatorPackets | destination.packets |
Vendor.DstPort | destination.port |
Vendor.DeviceUUID | device.id |
Vendor.DNS_TTL | dns.answers.ttl |
Vendor.DNSQuery | dns.question.name |
Vendor.DNSResponseType | dns.response_code |
Vendor.AccessControlRuleAction | event.action |
Vendor.mnemonic | event.code |
Vendor.AccessControlRuleReason | event.reason |
Vendor.EventPriority | event.severity |
Vendor.FirstPacketSecond | event.start |
Vendor.ArchiveFileName | file.name |
Vendor.FileName | file.name |
Vendor.InstanceID | host.id |
source.bytes | network.bytes |
destination.packets | network.packets |
Vendor.EgressInterface | observer.egress.interface.alias |
Vendor.EgressZone | observer.egress.zone |
log.syslog.hostname | observer.hostname |
Vendor.IngressInterface | observer.ingress.interface.alias |
Vendor.IngressZone | observer.ingress.zone |
Vendor.AccessControlRuleName | rule.name |
Vendor.ResponderBytes | source.bytes |
Vendor.SrcIP | source.ip |
Vendor.NAT_InitiatorIP | source.nat.ip |
Vendor.NAT_InitiatorPort | source.nat.port |
Vendor.ResponderPackets | source.packets |
Vendor.SrcPort | source.port |
Vendor.SSLCipherSuite | tls.cipher |
Vendor.SSLCertificate | tls.client.certificate |
Vendor.SSLServerName | tls.client.server_name |
Vendor.SSLVersion | tls.version |
url.original | url.full |
Vendor.URL | url.original |
user.name | user.email |
Vendor.User | user.id |