Data Source: Cisco Secure Firewall Threat Defense File Event

Description

Data source object for raw file events from Cisco Secure Firewall Threat Defense, received over eStreamer (sourcetype cisco:sfw:estreamer). Each event records one file observed in a connection: the initiator and responder, the direction of transfer, the file's name, type, size and SHA-256, the file policy action taken, and the disposition returned by the cloud lookup.

Details

Property     Value
Source       not_applicable
Sourcetype   cisco:sfw:estreamer

Supported Apps

Event Fields

+ Fields

  The list mixes three kinds of names: the raw eStreamer JSON keys (CamelCase, exactly as they appear in the example log below, e.g. FileSHA256, SHA_Disposition, InitiatorIP), CIM-style fields the Splunk add-on derives from them (e.g. file_hash, file_name, file_size, src_ip, dest_ip, dvc, vendor_product), and Splunk default and indexed fields that every event carries (host, index, source, sourcetype, splunk_server, linecount, punct, timestartpos, timeendpos, the date_* fields, eventtype, tag, tag::eventtype). Note that InitiatorIP/ResponderIP describe the connection, while FileDirection says which way the file moved within it.

  app
  Application
  ClientApplication
  connection_id
  ConnectionID
  date
  date_hour
  date_mday
  date_minute
  date_month
  date_second
  date_wday
  date_year
  date_zone
  dest
  dest_ip
  dest_port
  Device
  device_id
  DeviceIP
  DeviceSerialNumber
  DeviceUUID
  dvc
  EgressVRF
  EventSecond
  eventtype
  EventType
  file_hash
  file_name
  file_size
  FileAction
  FileDirection
  FileName
  FilePolicy
  FileSandboxStatus
  FileSHA256
  FileSize
  FileStorageStatus
  FileType
  FirstPacketSecond
  host
  index
  IngressVRF
  InitiatorIP
  InitiatorPort
  instance_id
  InstanceID
  linecount
  Protocol
  punct
  ResponderIP
  ResponderPort
  sensor_name
  SHA_Disposition
  source
  sourcetype
  SperoDisposition
  splunk_server
  src_ip
  src_port
  tag
  tag::eventtype
  ThreatName
  ThreatScore
  timeendpos
  timestartpos
  transport
  uri
  URI
  vendor_product
  WebApplication

Example Log

{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158", "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp", "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR", "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global", "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}
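The example log above is a FileEvent for the EICAR test file downloaded over cleartext HTTP: the cloud lookup returned a Malware disposition, but the file policy action (Malware Cloud Lookup) only records the verdict, so the host at InitiatorIP received the file. That is the case a responder has to act on, as opposed to a Malware disposition on a blocked transfer. The script below is an added example, not code from the Splunk page or from Cisco. It parses such JSON lines, keeps only FileEvent records (the sourcetype also carries other EventType values) whose SHA_Disposition is Malware and whose FileAction did not block, works out from FileDirection which host ended up holding the file, and recognises the EICAR hash so test downloads are not escalated as real infections. The sample lines, the Finding type and the assumption that blocking actions contain the word "Block" are the example's own.

```python
"""Triage Cisco Secure Firewall Threat Defense FileEvent records.

Added example; not code from the Splunk page or from Cisco. Assumes one JSON
object per line with the keys shown in the page's example log, and that a
FileAction containing "Block" means the transfer was stopped (FTD's
"Malware Cloud Lookup" action only logs the disposition).
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines modelled on the page's example (not real captures).
SAMPLE_LINES = [
    # 1: EICAR downloaded over cleartext HTTP, disposition Malware, only looked up.
    '{"EventType":"FileEvent","EventSecond":1741199882,"ConnectionID":10092,'
    '"InitiatorIP":"172.16.3.158","ResponderIP":"85.215.35.144",'
    '"InitiatorPort":55988,"ResponderPort":80,"Protocol":"tcp",'
    '"FileDirection":"Download","FileAction":"Malware Cloud Lookup",'
    '"FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",'
    '"SHA_Disposition":"Malware","ThreatName":"EICAR","ThreatScore":76,'
    '"FileName":"csm-eicar.gif","FileType":"EICAR","FileSize":68,'
    '"Application":"HTTP","URI":"/csm-eicar.gif","DeviceIP":"172.16.0.10"}',
    # 2: same file, but the file policy blocked it; nothing reached the host.
    '{"EventType":"FileEvent","EventSecond":1741199950,"ConnectionID":10107,'
    '"InitiatorIP":"172.16.3.77","ResponderIP":"198.51.100.7",'
    '"InitiatorPort":49311,"ResponderPort":80,"Protocol":"tcp",'
    '"FileDirection":"Download","FileAction":"Malware Block",'
    '"FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",'
    '"SHA_Disposition":"Malware","ThreatName":"EICAR","FileName":"eicar.com",'
    '"FileSize":68,"Application":"HTTP","DeviceIP":"172.16.0.10"}',
    # 3: clean upload in the other direction (empty file); must not be flagged.
    '{"EventType":"FileEvent","EventSecond":1741200010,"ConnectionID":10120,'
    '"InitiatorIP":"172.16.3.158","ResponderIP":"203.0.113.20",'
    '"InitiatorPort":50122,"ResponderPort":443,"Protocol":"tcp",'
    '"FileDirection":"Upload","FileAction":"Detect",'
    '"FileSHA256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",'
    '"SHA_Disposition":"Clean","FileName":"empty.txt","FileSize":0,'
    '"Application":"HTTPS","DeviceIP":"172.16.0.10"}',
    # 4: a different EventType on the same sourcetype; the parser must skip it.
    '{"EventType":"ConnectionEvent","InitiatorIP":"172.16.3.1","ResponderIP":"10.0.0.1"}',
]


@dataclass
class Finding:
    connection_id: int
    victim_ip: str   # host that ended up holding the file
    peer_ip: str     # other end of the transfer
    sha256: str
    file_name: str
    action: str


def parse_file_event(line: str) -> Optional[dict]:
    """Return the event as a dict if the line is a FileEvent, else None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("EventType") != "FileEvent":
        return None
    return event


def victim_and_peer(event: dict) -> Tuple[str, str]:
    """Initiator/Responder describe the connection, FileDirection the file.
    On a Download the initiator received the file; on an Upload the responder did."""
    initiator, responder = event["InitiatorIP"], event["ResponderIP"]
    if event.get("FileDirection") == "Upload":
        return responder, initiator
    return initiator, responder


def was_blocked(event: dict) -> bool:
    # Assumption: actions that stop a transfer contain "Block" (e.g. "Malware
    # Block"); "Malware Cloud Lookup" and "Detect" only log the verdict.
    return "Block" in event.get("FileAction", "")


def unblocked_malware(lines: Iterable[str]) -> List[Finding]:
    """Events where the lookup said Malware but the file was allowed through."""
    findings = []
    for line in lines:
        event = parse_file_event(line)
        if event is None or event.get("SHA_Disposition") != "Malware":
            continue
        if was_blocked(event):
            continue  # detection to record, not a host to remediate
        victim, peer = victim_and_peer(event)
        findings.append(Finding(event["ConnectionID"], victim, peer,
                                event["FileSHA256"].lower(),
                                event.get("FileName", ""), event["FileAction"]))
    return findings


# The 68-byte EICAR test string. Its SHA-256 is the FileSHA256 in the page's
# example log, which is why that event has ThreatName "EICAR", FileSize 68 and
# a storage/sandbox status of "File Size Is Too Small".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar(sha256_hex: str) -> bool:
    """True when a FileSHA256 is the EICAR test file rather than real malware."""
    return sha256_hex.lower() == hashlib.sha256(EICAR).hexdigest()


if __name__ == "__main__":
    for f in unblocked_malware(SAMPLE_LINES):
        label = "EICAR test file" if is_eicar(f.sha256) else "malware"
        print(f"conn {f.connection_id}: {label} {f.file_name} reached "
              f"{f.victim_ip} from {f.peer_ip} (action: {f.action})")
```

The same filter as a Splunk search is roughly sourcetype=cisco:sfw:estreamer EventType=FileEvent SHA_Disposition=Malware NOT FileAction="*Block*". The two points the code makes explicit are that a Download lands on InitiatorIP, so that is the host to look at, and that a Malware disposition on a blocked transfer is worth recording but needs no host-side clean-up.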

Source: GitHub | Version: 1