Parsers and Generated Fields
Tag Fields Created by Parser cisco-firepower
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-firepower
| Vendor Field | CPS Field | Description |
|---|---|---|
| `event.category[]` | Array | Vendor.mnemonic |
| `event.type[]` | Array | Vendor.mnemonic |
| `network.bytes` | Calculated | source.bytes, destination.bytes |
| `network.packets` | Calculated | source.packets, destination.packets |
| `event.outcome` | Conditional | Vendor.mnemonic |
| `destination.bytes` | Copied | Vendor.InitiatorBytes |
| `destination.nat.ip` | Copied | Vendor.NAT_ResponderIP |
| `destination.nat.port` | Copied | Vendor.NAT_ResponderPort |
| `destination.packets` | Copied | Vendor.InitiatorPackets |
| `device.id` | Copied | Vendor.DeviceUUID |
| `dns.answers[0].ttl` | Copied | Vendor.DNS_TTL |
| `dns.question.name` | Copied | Vendor.DNSQuery |
| `dns.question.type` | Copied | Vendor.DNSRecordType |
| `dns.response_code` | Copied | Vendor.DNSResponseType |
| `event.action` | Copied | Vendor.AccessControlRuleAction |
| `event.reason` | Copied | Vendor.AccessControlRuleReason |
| `event.start` | Copied | Vendor.FirstPacketSecond |
| `network.application` | Copied | Vendor.WebApplication |
| `network.protocol` | Copied | Vendor.ApplicationProtocol |
| `network.transport` | Copied | Vendor.Protocol |
| `observer.egress.vlan.name` | Copied | Vendor.EgressVRF |
| `observer.hostname` | Copied | log.syslog.hostname |
| `observer.ingress.vlan.name` | Copied | Vendor.IngressVRF |
| `source.bytes` | Copied | Vendor.ResponderBytes |
| `source.nat.ip` | Copied | Vendor.NAT_InitiatorIP |
| `source.nat.port` | Copied | Vendor.NAT_InitiatorPort |
| `source.packets` | Copied | Vendor.ResponderPackets |
| `tls.cipher` | Copied | Vendor.SSLCipherSuite |
| `tls.client.certificate` | Copied | Vendor.SSLCertificate |
| `tls.client.server_name` | Copied | Vendor.SSLServerName |
| `tls.version` | Copied | Vendor.SSLVersion |
| `url.full` | Copied | url.original |
| `url.original` | Copied | Vendor.URL |
| `user.id` | Copied | |
| `@timestamp` | Extracted | @rawstring |
| `client.ip` | Extracted | Vendor.message |
| `destination.address` | Extracted | Vendor.message |
| `destination.ip` | Extracted | Vendor.message, Vendor.DstIP |
| `destination.port` | Extracted | Vendor.message, Vendor.DstPort |
| `network.direction` | Extracted | Vendor.message |
| `observer.egress.interface.alias` | Extracted | Vendor.message, Vendor.EgressInterface |
| `observer.egress.zone` | Extracted | Vendor.message, Vendor.EgressZone |
| `observer.ingress.interface.alias` | Extracted | Vendor.message, Vendor.IngressInterface |
| `observer.ingress.zone` | Extracted | Vendor.message, Vendor.IngressZone |
| `source.ip` | Extracted | Vendor.message, Vendor.SrcIP |
| `source.mac` | Extracted | Vendor.message |
| `source.port` | Extracted | Vendor.message, Vendor.SrcPort |
| `event.severity` | Mapped | Vendor.EventPriority |
| `url.domain` | Parsed | url.original |
| `ecs.version` | Static | None |
| `event.dataset` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.type` | Static | None |
| Vendor.InitiatorBytes | destination.bytes | |
| Vendor.DstIP | destination.ip | |
| Vendor.NAT_ResponderIP | destination.nat.ip | |
| Vendor.NAT_ResponderPort | destination.nat.port | |
| Vendor.InitiatorPackets | destination.packets | |
| Vendor.DstPort | destination.port | |
| Vendor.DeviceUUID | device.id | |
| Vendor.DNS_TTL | dns.answers[0].ttl | |
| Vendor.DNSQuery | dns.question.name | |
| Vendor.DNSRecordType | dns.question.type | |
| Vendor.DNSResponseType | dns.response_code | |
| Vendor.AccessControlRuleAction | event.action | |
| Vendor.AccessControlRuleReason | event.reason | |
| Vendor.FirstPacketSecond | event.start | |
| Vendor.ArchiveFileName | file.name | |
| Vendor.FileName | file.name | |
| Vendor.InstanceID | host.id | |
| Vendor.HTTPReferer | http.request.referrer | |
| Vendor.HTTPResponse | http.response.status_code | |
| Vendor.WebApplication | network.application | |
| source.bytes | network.bytes | |
| destination.packets | network.packets | |
| Vendor.EgressInterface | observer.egress.interface.alias | |
| Vendor.EgressVRF | observer.egress.vlan.name | |
| Vendor.EgressZone | observer.egress.zone | |
| log.syslog.hostname | observer.hostname | |
| Vendor.IngressInterface | observer.ingress.interface.alias | |
| Vendor.IngressVRF | observer.ingress.vlan.name | |
| Vendor.IngressZone | observer.ingress.zone | |
| Vendor.DetectionType | rule.category | |
| Vendor.AccessControlRuleReason | rule.description | |
| Vendor.AccessControlRuleName | rule.name | |
| Vendor.ACPolicy | rule.ruleset | |
| Vendor.ResponderBytes | source.bytes | |
| Vendor.SrcIP | source.ip | |
| Vendor.NAT_InitiatorIP | source.nat.ip | |
| Vendor.NAT_InitiatorPort | source.nat.port | |
| Vendor.ResponderPackets | source.packets | |
| Vendor.SrcPort | source.port | |
| Vendor.SSLCipherSuite | tls.cipher | |
| Vendor.SSLCertificate | tls.client.certificate | |
| Vendor.SSLServerName | tls.client.server_name | |
| Vendor.SSLVersion | tls.version | |
| url.host | url.domain | |
| url.original | url.full | |
| Vendor.URL | url.original | |
| user.name | user.email | |
| Vendor.User | user.id | |
| Vendor.Client | user_agent.name | |
| Vendor.UserAgent | user_agent.original | |
| Vendor.ClientVersion | user_agent.version |