<span class="pill kill-chain">AC_RuleAction</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">Application</span>
<span class="pill kill-chain">bytes_in</span>
<span class="pill kill-chain">bytes_out</span>
<span class="pill kill-chain">ClientAppDetector</span>
<span class="pill kill-chain">ClientApplication</span>
<span class="pill kill-chain">connection_id</span>
<span class="pill kill-chain">ConnectionDuration</span>
<span class="pill kill-chain">ConnectionID</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_interface</span>
<span class="pill kill-chain">dest_ip</span>
<span class="pill kill-chain">dest_port</span>
<span class="pill kill-chain">dest_zone</span>
<span class="pill kill-chain">device_id</span>
<span class="pill kill-chain">DeviceUUID</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">EgressInterface</span>
<span class="pill kill-chain">EgressVRF</span>
<span class="pill kill-chain">EgressZone</span>
<span class="pill kill-chain">EVE_Fingerprint</span>
<span class="pill kill-chain">EVE_Process</span>
<span class="pill kill-chain">EVE_ProcessConfidencePct</span>
<span class="pill kill-chain">EVE_ThreatConfidenceIndex</span>
<span class="pill kill-chain">EVE_ThreatConfidencePct</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">EventType</span>
<span class="pill kill-chain">FirewallPolicy</span>
<span class="pill kill-chain">FirewallRule</span>
<span class="pill kill-chain">FirstPacketSecond</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">IngressInterface</span>
<span class="pill kill-chain">IngressVRF</span>
<span class="pill kill-chain">IngressZone</span>
<span class="pill kill-chain">InitiatorBytes</span>
<span class="pill kill-chain">InitiatorIP</span>
<span class="pill kill-chain">InitiatorPackets</span>
<span class="pill kill-chain">InitiatorPort</span>
<span class="pill kill-chain">instance_id</span>
<span class="pill kill-chain">InstanceID</span>
<span class="pill kill-chain">LastPacketSecond</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">NAP_Policy</span>
<span class="pill kill-chain">NAT_InitiatorIP</span>
<span class="pill kill-chain">NAT_InitiatorPort</span>
<span class="pill kill-chain">NAT_ResponderIP</span>
<span class="pill kill-chain">NAT_ResponderPort</span>
<span class="pill kill-chain">packets_in</span>
<span class="pill kill-chain">packets_out</span>
<span class="pill kill-chain">PrefilterPolicy</span>
<span class="pill kill-chain">Protocol</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">ResponderBytes</span>
<span class="pill kill-chain">ResponderIP</span>
<span class="pill kill-chain">ResponderPackets</span>
<span class="pill kill-chain">ResponderPort</span>
<span class="pill kill-chain">rule</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src_interface</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_port</span>
<span class="pill kill-chain">src_zone</span>
<span class="pill kill-chain">SSL_ActualAction</span>
<span class="pill kill-chain">SSL_CertFingerprint</span>
<span class="pill kill-chain">SSL_CipherSuite</span>
<span class="pill kill-chain">SSL_ExpectedAction</span>
<span class="pill kill-chain">SSL_FlowStatus</span>
<span class="pill kill-chain">ssl_hash</span>
<span class="pill kill-chain">ssl_policies</span>
<span class="pill kill-chain">SSL_Policy</span>
<span class="pill kill-chain">SSL_ServerCertStatus</span>
<span class="pill kill-chain">ssl_signature_algorithm</span>
<span class="pill kill-chain">ssl_version</span>
<span class="pill kill-chain">SSL_Version</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">transport</span>
<span class="pill kill-chain">url</span>
<span class="pill kill-chain">URL</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">WebApplication</span>
</div>
Data Source: Cisco Secure Firewall Threat Defense Connection Event
Description
Data source object for raw connection events from Cisco Secure Firewall Threat Defense
Details
| Property | Value |
|---|---|
| Source | not_applicable |
| Sourcetype | cisco:sfw:estreamer |
Supported Apps
- Cisco Security Cloud (version 3.1.1)
Event Fields
Example Log
```json
{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}
```
Source: GitHub | Version: 1