Package cisco/firepower Release Notes

Package cisco/firepower Release Notes Version 1.6.1

  • Improved regex pattern for inbound TCP connections to handle probe connections

  • Enhanced regex pattern for teardown connections to handle optional fields

Package cisco/firepower Release Notes Version 1.6.0

  • Adds additional support to parser logs with event ID 106023, 302013, 302014, 302015, 302016, 302020

  • Expands event.type for logs with event ID 109201, 109207, 109210

Package cisco/firepower Release Notes Version 1.5.0

  • Adds additional support to parser logs with rule 607002

  • The old parser firepower-syslog is now officially removed from the Cisco Firepower package

  • Improved array declaration within the parser

Package cisco/firepower Release Notes Version 1.4.0

  • Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0

  • Improves the field extraction and performance

  • Removes the event.code field as it does not conform to CPS standard

  • Further normalisation to ECS fields; observer.ingress.vlan.name, observer.egress.vlan.name, rule.ruleset, rule.category, user_agent.name, user_agent.original, user_agent.version, network.application, http.response.status_code, http.request.referrer

Package cisco/firepower Release Notes Version 1.3.0
Parser renaming and Deprecation notice

The old parser firepower-syslog is deprecated, and replaced by the new parser cisco-firepower. While the old parser will remain available during a tranisition period, all future changes will only go into the new cisco-firepower parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old firepower-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.

Duplicated vendor fields dropped in new parser

The old firepower-syslog parser would duplicate certain fields, which the new cisco-firepower parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:

  • Vendor.AccessControlRuleAction

  • Vendor.AccessControlRuleAction

  • Vendor.AccessControlRuleName

  • Vendor.AccessControlRuleReason

  • Vendor.ArchiveFileName

  • Vendor.DNSQuery

  • Vendor.DNSResponseType

  • Vendor.DNS_TTL

  • Vendor.DeviceUUID

  • Vendor.DstIP

  • Vendor.DstPort

  • Vendor.EgressInterface

  • Vendor.EgressZone

  • Vendor.EventPriority

  • Vendor.FileName

  • Vendor.FirstPacketSecond

  • Vendor.IngressInterface

  • Vendor.IngressZone

  • Vendor.InitiatorBytes

  • Vendor.InitiatorPackets

  • Vendor.InstanceID

  • Vendor.NAT_InitiatorIP

  • Vendor.NAT_InitiatorPort

  • Vendor.NAT_ResponderIP

  • Vendor.NAT_ResponderPort

  • Vendor.ResponderBytes

  • Vendor.ResponderPackets

  • Vendor.SSLCertificate

  • Vendor.SSLCipherSuite

  • Vendor.SSLServerName

  • Vendor.SSLVersion

  • Vendor.SrcIP

  • Vendor.SrcPort

  • Vendor.URL

  • Vendor.User

  • Vendor.mnemonic

Miscellaneous

  • Sets the dns.answers as an array.

  • Bug fix: Updates the field name from file.sha256 to file.hash.sha256 to better align with CPS standard.

  • Corrects a typo in the value of event.outcome field from sucess to success

Package cisco/firepower Release Notes Version 1.2.0

  • Exludes the empty fields when parsing events with kvParse() function.

Package cisco/firepower Release Notes Version 1.1.0

  • Improves the field extraction and performance.

  • Sets the event.category, event.type and the event.outcome fields based on the source security event ids.

  • Adds observer.type, network.protocol, network.transport, event.reason, event.action fields and more.

  • Now the ClassName and ClassDefintion fields are set without referring to the lookup file.

  • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

Package cisco/firepower Release Notes Version 1.0.1

  • Fix issue with trailing newlines when ingesting over UDP

Package cisco/firepower Release Notes Version 1.0.0

  • Adds new event.module and Cps.version fields

  • Removes the Product field

  • Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type

  • Extracts optional priority field from the syslog header

Package cisco/firepower Release Notes Version 0.2.0

  • Removed the Vendor.key keyspace and flattened it to Vendor.

  • Enables key-value extraction when fields names contain spaces or underscores

  • Added normalized fields: rule.name, event.action, network.transport, network.protocol, url.*

  • Fixed source.ip, source.address, destination.ip and destination.address field extraction