# Parsers and Generated Fields

## Tag Fields Created by Parser cisco-firepower

- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`

## Fields Identified by Parser cisco-firepower
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| @rawstring | @timestamp | Event timestamp | Extracted from syslog timestamp using findTimestamp() |
| source.address | client.address | Client address | Conditionally mapped from source.address based on event context |
| source.bytes | client.bytes | Client byte count | Conditionally mapped from source.bytes based on event context |
| source.ip | client.ip | Client IP address | Conditionally mapped from source.ip based on event context |
| source.port | client.port | Client port number | Conditionally mapped from source.port based on event context |
| destination.ip | destination.address | Destination address | Lowercased from destination.ip |
| Vendor.ResponderBytes | destination.bytes | Destination byte count | Copied from Vendor.ResponderBytes |
| destination.address | destination.domain | Destination domain | Copied from destination.address for non-IP addresses |
| Vendor.message, Vendor.DstIP | destination.ip | Destination IP address | Extracted from message using regex patterns or Vendor.DstIP |
| Vendor.NAT_ResponderIP | destination.nat.ip | NAT destination IP | Extracted from Vendor.NAT_ResponderIP using regex |
| Vendor.NAT_ResponderPort | destination.nat.port | NAT destination port | Copied from Vendor.NAT_ResponderPort |
| Vendor.ResponderPackets | destination.packets | Destination packet count | Copied from Vendor.ResponderPackets |
| Vendor.message, Vendor.DstPort | destination.port | Destination port number | Extracted from message using regex patterns or Vendor.DstPort |
| Vendor.DeviceUUID | device.id | Device identifier | Copied from Vendor.DeviceUUID |
| Vendor.DNS_TTL | dns.answers[0].ttl | DNS answer TTL | Copied from Vendor.DNS_TTL |
| Vendor.DNSQuery | dns.question.name | DNS query name | Copied from Vendor.DNSQuery |
| Vendor.DNSRecordType | dns.question.type | DNS record type | Normalized from Vendor.DNSRecordType |
| Vendor.DNSResponseType | dns.response_code | DNS response code | Copied from Vendor.DNSResponseType |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.AccessControlRuleAction, Vendor.message | event.action | Action taken | Copied from Vendor.AccessControlRuleAction or extracted from message |
| Vendor.mnemonic | event.category[] | Event category classification | Array populated based on event type conditions |
| None | event.dataset | Dataset identifier | Static value: firepower.log |
| None | event.kind | Event categorization | Static value: event |
| None | event.module | Module name | Static value: firepower |
| Vendor.mnemonic, Vendor.teardown_reason | event.outcome | Event outcome status | Conditional assignment based on event context |
| Vendor.AccessControlRuleReason, Vendor.message | event.reason | Reason for action | Copied from Vendor.AccessControlRuleReason or extracted from message |
| Vendor.EventPriority | event.severity | Event severity level | Mapped from Vendor.EventPriority |
| Vendor.FirstPacketSecond | event.start | Event start time | Copied from Vendor.FirstPacketSecond |
| Vendor.mnemonic | event.type[] | Event type classification | Array populated based on event type conditions |
| Vendor.ArchiveSHA256, Vendor.FileSHA256 | file.hash.sha256 | File SHA256 hash | Coalesced and lowercased from Vendor.ArchiveSHA256 and Vendor.FileSHA256 |
| Vendor.ArchiveFileName, Vendor.FileName | file.name | File name | Coalesced from Vendor.ArchiveFileName and Vendor.FileName |
| Vendor.InstanceID | host.id | Host identifier | Copied from Vendor.InstanceID |
| Vendor.HTTPReferer | http.request.referrer | HTTP referrer | Copied from Vendor.HTTPReferer |
| Vendor.HTTPResponse | http.response.status_code | HTTP response status | Copied from Vendor.HTTPResponse |
| @rawstring | log.syslog.appname | Syslog application name | Extracted from syslog header |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog header |
| @rawstring | log.syslog.priority | Syslog priority | Extracted from syslog header |
| @rawstring | log.syslog.procid | Syslog process ID | Extracted from syslog header |
| Vendor.mnemonic | log.syslog.severity.code | Syslog severity code | Extracted from Vendor.mnemonic |
| log.syslog.severity.code | log.syslog.severity.name | Syslog severity name | Mapped from log.syslog.severity.code |
| Vendor.message | message | Log message content | Copied from Vendor.message |
| Vendor.WebApplication | network.application | Network application | Copied from Vendor.WebApplication |
| source.bytes, destination.bytes | network.bytes | Total network bytes | Calculated from source.bytes + destination.bytes |
| Vendor.message | network.direction | Network direction | Extracted from message and lowercased |
| source.packets, destination.packets | network.packets | Total network packets | Calculated from source.packets + destination.packets |
| network.protocol, Vendor.ApplicationProtocol | network.protocol | Network protocol | Coalesced and lowercased from network.protocol and Vendor.ApplicationProtocol |
| network.transport, Vendor.Protocol | network.transport | Transport protocol | Coalesced and lowercased from network.transport and Vendor.Protocol |
| Vendor.EgressInterface, observer.egress.interface.name | observer.egress.interface.alias | Egress interface | Coalesced from Vendor.EgressInterface and observer.egress.interface.name |
| Vendor.EgressVRF | observer.egress.vlan.name | Egress VRF | Copied from Vendor.EgressVRF |
| Vendor.message, Vendor.EgressZone | observer.egress.zone | Egress zone | Extracted from message or copied from Vendor.EgressZone |
| log.syslog.hostname | observer.hostname | Observer hostname | Copied from log.syslog.hostname |
| Vendor.IngressInterface, observer.ingress.interface.name | observer.ingress.interface.alias | Ingress interface | Coalesced from Vendor.IngressInterface and observer.ingress.interface.name |
| Vendor.IngressVRF | observer.ingress.vlan.name | Ingress VRF | Copied from Vendor.IngressVRF |
| Vendor.message, Vendor.IngressZone | observer.ingress.zone | Ingress zone | Extracted from message or copied from Vendor.IngressZone |
| None | observer.type | Observer type | Static value: firewall |
| Vendor.DetectionType | rule.category | Rule category | Copied from Vendor.DetectionType |
| Vendor.AccessControlRuleReason | rule.description | Rule description | Copied from Vendor.AccessControlRuleReason |
| Vendor.AccessControlRuleName | rule.name | Rule name | Copied from Vendor.AccessControlRuleName |
| Vendor.ACPolicy | rule.ruleset | Rule set | Copied from Vendor.ACPolicy |
| destination.address | server.address | Server address | Conditionally mapped from destination.address based on event context |
| destination.bytes | server.bytes | Server byte count | Conditionally mapped from destination.bytes based on event context |
| destination.ip | server.ip | Server IP address | Conditionally mapped from destination.ip based on event context |
| destination.port | server.port | Server port number | Conditionally mapped from destination.port based on event context |
| source.ip | source.address | Source address | Lowercased from source.ip |
| Vendor.InitiatorBytes | source.bytes | Source byte count | Copied from Vendor.InitiatorBytes |
| source.address | source.domain | Source domain | Copied from source.address for non-IP addresses |
| Vendor.message, Vendor.SrcIP | source.ip | Source IP address | Extracted from message using regex patterns or Vendor.SrcIP |
| Vendor.message | source.mac | Source MAC address | Extracted and formatted from message |
| Vendor.NAT_InitiatorIP | source.nat.ip | NAT source IP | Extracted from Vendor.NAT_InitiatorIP using regex |
| Vendor.NAT_InitiatorPort | source.nat.port | NAT source port | Copied from Vendor.NAT_InitiatorPort |
| Vendor.InitiatorPackets | source.packets | Source packet count | Copied from Vendor.InitiatorPackets |
| Vendor.message, Vendor.SrcPort | source.port | Source port number | Extracted from message using regex patterns or Vendor.SrcPort |
| Vendor.SSLCipherSuite | tls.cipher | TLS cipher suite | Conditionally copied from Vendor.SSLCipherSuite if not "Unknown" |
| Vendor.SSLCertificate | tls.client.hash.sha1 | TLS certificate hash | Copied from Vendor.SSLCertificate and lowercased |
| Vendor.SSLServerName | tls.client.server_name | TLS server name | Copied from Vendor.SSLServerName |
| Vendor.SSLVersion | tls.version | TLS version | Conditionally copied from Vendor.SSLVersion if not "Unknown" |
| url.original | url.domain | URL domain | Parsed from url.original and lowercased |
| url.original | url.full | Full URL | Copied from url.original |
| Vendor.URL | url.original | Original URL | Copied from Vendor.URL |
| Vendor.message | user.domain | User domain | Extracted from message using regex patterns and lowercased |
| user.name | user.email | User email address | Derived from user.name if contains @ symbol and lowercased |
| Vendor.message | user.group.name | User group name | Extracted from message using regex patterns |
| Vendor.User | user.id | User identifier | Copied from Vendor.User |
| Vendor.message | user.name | Username | Extracted from message using regex patterns and lowercased |
| Vendor.Client | user_agent.name | User agent name | Copied from Vendor.Client |
| Vendor.UserAgent | user_agent.original | Original user agent | Copied from Vendor.UserAgent |
| Vendor.ClientVersion | user_agent.version | User agent version | Copied from Vendor.ClientVersion |