Parsers and Generated Fields

Tag Fields Created by Parser cisco-firepower
  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser cisco-firepower

| Source Field | CPS Field |
|---|---|
| Vendor.InitiatorBytes | destination.bytes |
| Vendor.DstIP | destination.ip |
| Vendor.NAT_ResponderIP | destination.nat.ip |
| Vendor.NAT_ResponderPort | destination.nat.port |
| Vendor.InitiatorPackets | destination.packets |
| Vendor.DstPort | destination.port |
| Vendor.DeviceUUID | device.id |
| Vendor.DNS_TTL | dns.answers[0].ttl |
| Vendor.DNSQuery | dns.question.name |
| Vendor.DNSRecordType | dns.question.type |
| Vendor.DNSResponseType | dns.response_code |
| Vendor.AccessControlRuleAction | event.action |
| Vendor.AccessControlRuleReason | event.reason |
| Vendor.EventPriority | event.severity |
| Vendor.FirstPacketSecond | event.start |
| Vendor.ArchiveFileName | file.name |
| Vendor.FileName | file.name |
| Vendor.InstanceID | host.id |
| Vendor.HTTPReferer | http.request.referrer |
| Vendor.HTTPResponse | http.response.status_code |
| Vendor.WebApplication | network.application |
| source.bytes | network.bytes |
| destination.packets | network.packets |
| Vendor.EgressInterface | observer.egress.interface.alias |
| Vendor.EgressVRF | observer.egress.vlan.name |
| Vendor.EgressZone | observer.egress.zone |
| log.syslog.hostname | observer.hostname |
| Vendor.IngressInterface | observer.ingress.interface.alias |
| Vendor.IngressVRF | observer.ingress.vlan.name |
| Vendor.IngressZone | observer.ingress.zone |
| Vendor.DetectionType | rule.category |
| Vendor.AccessControlRuleReason | rule.description |
| Vendor.AccessControlRuleName | rule.name |
| Vendor.ACPolicy | rule.ruleset |
| Vendor.ResponderBytes | source.bytes |
| Vendor.SrcIP | source.ip |
| Vendor.NAT_InitiatorIP | source.nat.ip |
| Vendor.NAT_InitiatorPort | source.nat.port |
| Vendor.ResponderPackets | source.packets |
| Vendor.SrcPort | source.port |
| Vendor.SSLCipherSuite | tls.cipher |
| Vendor.SSLCertificate | tls.client.certificate |
| Vendor.SSLServerName | tls.client.server_name |
| Vendor.SSLVersion | tls.version |
| url.original | url.full |
| Vendor.URL | url.original |
| user.name | user.email |
| Vendor.User | user.id |
| Vendor.Client | user_agent.name |
| Vendor.UserAgent | user_agent.original |
| Vendor.ClientVersion | user_agent.version |

Tag Fields Created by Parser firepower-syslog
  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser firepower-syslog

| Source Field | CPS Field |
|---|---|
| Vendor.InitiatorBytes | destination.bytes |
| Vendor.DstIP | destination.ip |
| Vendor.NAT_ResponderIP | destination.nat.ip |
| Vendor.NAT_ResponderPort | destination.nat.port |
| Vendor.InitiatorPackets | destination.packets |
| Vendor.DstPort | destination.port |
| Vendor.DeviceUUID | device.id |
| Vendor.DNS_TTL | dns.answers.ttl |
| Vendor.DNSQuery | dns.question.name |
| Vendor.DNSResponseType | dns.response_code |
| Vendor.AccessControlRuleAction | event.action |
| Vendor.mnemonic | event.code |
| Vendor.AccessControlRuleReason | event.reason |
| Vendor.EventPriority | event.severity |
| Vendor.FirstPacketSecond | event.start |
| Vendor.ArchiveFileName | file.name |
| Vendor.FileName | file.name |
| Vendor.InstanceID | host.id |
| source.bytes | network.bytes |
| destination.packets | network.packets |
| Vendor.EgressInterface | observer.egress.interface.alias |
| Vendor.EgressZone | observer.egress.zone |
| log.syslog.hostname | observer.hostname |
| Vendor.IngressInterface | observer.ingress.interface.alias |
| Vendor.IngressZone | observer.ingress.zone |
| Vendor.AccessControlRuleName | rule.name |
| Vendor.ResponderBytes | source.bytes |
| Vendor.SrcIP | source.ip |
| Vendor.NAT_InitiatorIP | source.nat.ip |
| Vendor.NAT_InitiatorPort | source.nat.port |
| Vendor.ResponderPackets | source.packets |
| Vendor.SrcPort | source.port |
| Vendor.SSLCipherSuite | tls.cipher |
| Vendor.SSLCertificate | tls.client.certificate |
| Vendor.SSLServerName | tls.client.server_name |
| Vendor.SSLVersion | tls.version |
| url.original | url.full |
| Vendor.URL | url.original |
| user.name | user.email |
| Vendor.User | user.id |