Skip to content

Cisco Firepower Firewall

Cisco Firepower Firewall

About

The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides advanced threat protection before, during, and after attacks.

Product Details

Vendor URL: Cisco Firepower Firewall

Product Type: Firewall

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Cisco Firepower Firewall

Log Guide: Cisco Firepower Firewall)

Parser Details

Log Format: Syslog

Expected Normalization Rate: 90-100%

Data Label: CISCO_FIREPOWER_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Event Classification
AccessControlRuleAction security_result.action
AccessControlRuleName security_result.rule_name
action security_result.action
app principal.application
ApplicationProtocol network.application_protocol
cert_issuer network.tls.server.certificate.issuer
cert_Subject network.tls.server.certificate.subject
Classification security_result.rule_name
Client network.http.user_agent
DeviceUUID observer.hostname
DeviceUUID principal.resource.id
direction network.direction
DNSQuery network.dns.questions
DNSRecordType security_result.about.labels.key.DNSRecordType
domain target.administrative_domain
dst target.ip
dst target.hostname
dst_port target.port
duration network.session_duration
EgressInterface principal.asset.attribute.labels.key.EgressInterface
EgressZone target.asset.attribute.cloud.availability_zone
EgressZone target.location.name
eventId metadata.product_event_type
FileAction security_result.summary
FileName target.file.full_path
FilePolicy security_result.rule_name
FileSandboxStatus security_result.description
FileSHA256 target.file.sha256
FileSize target.file.size
GID principal.asset.product_object_id
group_name target.group.group_display_name
HTTPReferer network.http.referral_url
HTTPResponse network.http.response_code
IngressInterface principal.asset.attribute.labels.key.IngressInterface
IngressZone principal.location.name
InitiatorBytes network.received_bytes
InlineResult security_result.action
int_IP intermediary.ip
IntHost intermediary.hostname
IntrusionPolicy security_result.rule_name
mac principal.mac
Message security_result.description
NAPPolicy security_result.category_details
NAPPolicy principal.asset.attribute.labels.key.NAPPolicy
Priority security_result.priority_details
process_name principal.process.command_line
proto network.ip_protocol
ResponderBytes network.sent_bytes
Revision security_result.about.labels.key.Singnature_Version
rule_name security_result.rule_name
rule_name target.resource.name
sent_bytes network.sent_bytes
serial_No network.tls.server.certificate.serial
session_id network.session_id
severity security_result.severity_details
severity security_result.severity
SID security_result.threat_id
src principal.hostname
src principal.ip
src_nat_ip principal.nat_ip
src_nat_ip principal.hostname
src_port principal.port
summary security_result.summary
ThreatName security_result.threat_name
tls_version network.tls.version
URI target.url
URLCategory security_result.category_details
URLReputation security_result.confidence_details
User extensions.auth.auth_details
user_id target.user.userid
userAgent network.http.user_agent
username target.user.userid
UserName target.user.userid
version principal.platform_version
WebApplication target.application

Product Event Types

eventId, AccessControlRuleAction UDM Event Classification Security Category alerting enabled
all others NETWORK_CONNECTION
Block ACL_VIOLATION
dst = blank
src = blank STATUS_UPDATE
Login USER_LOGIN
Task Queue SCHEDULED_TASK_UNCATEGORIZED
Rule Update Install USER_RESOURCE_UPDATE_CONTENT
Correlation Event USER_LOGIN
106023 ACL_VIOLATION
303002 NETWORK_FTP
419002 TRUE
313005 TRUE
302020 FILE_CREATION,FILE_UNCATEGORIZED POLICY_VIOLATION
733100 TRUE
430002 NETWORK_RECON TRUE
430003 NETWORK_RECON TRUE
430001 NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS TRUE

Log Sample

<190>2022-06-12T15:36:51Z host (null) %NGIPS-6-430003: EventPriority: Low, DeviceUUID: asl31010, InstanceID: 2, FirstPacketSecond: 2022-06-12T15:36:51Z, ConnectionID: 55887, AccessControlRuleAction: Allow, SrcIP: 10.1.1.2, DstIP: 10.1.1.5, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: EXT, EgressInterface: DMZ, IngressZone: Outside, EgressZone: Datacenter, ACPolicy: Datacenter, AccessControlRuleName: IPS Inspeccion, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 72, ResponderBytes: 72, NAPPolicy: Balanced Security and Connectivity

Sample Parsing

metadata.event_timestamp = "2022-06-12T15:36:50Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Firepower Firewall"
metadata.product_event_type = "NGIPS-6-430003"
metadata.ingested_timestamp = "2022-06-12T15:38:02.863875Z"
principal.location.name = "Outside"
principal.resource.id = "asl31010"
principal.asset.attribute.labels.key = "EgressInterface"
principal.asset.attribute.labels.value = "DMZ"
principal.asset.attribute.labels.key = "IngressInterface"
principal.asset.attribute.labels.value = "EXT"
principal.asset.attribute.labels.key = "NAPPolicy"
principal.asset.attribute.labels.value = "Balanced Security and Connectivity"
target.location.name = "Datacenter"
target.asset.attribute.cloud.availability_zone = "Datacenter"
security_result.rule_name = "AccessControlRuleName : IPS Inspeccion"
security_result.summary = "NGIPS Severity:6"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational message only"
network.sent_bytes = 72
network.received_bytes = 72
network.ip_protocol = "ICMP"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above.