Data Source: Cisco Secure Access Firewall

Description

Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure.

Details

Property     Value
Source       cisco_secure_access:firewall
Sourcetype   cisco:cloud_security:firewall

Name                                                Technique                                                              Type
Detect Large ICMP Traffic                           Non-Application Layer Protocol                                         TTP
Detect Outbound LDAP Traffic                        Exploit Public-Facing Application, Command and Scripting Interpreter   Hunting
Detect Outbound SMB Traffic                         File Transfer Protocols                                                TTP
Windows Remote Desktop Network Bruteforce Attempt   Password Guessing                                                      Anomaly

Supported Apps

Event Fields

  • _time

  • action

  • app

  • bytes_in

  • bytes_out

  • datacenter

  • dest

  • dest_ip

  • dest_port

  • direction

  • duration

  • dvc

  • identity

  • identity_type

  • packets_in

  • packets_out

  • protocol

  • protocol_version

  • rule_id

  • session_id

  • src

  • src_ip

  • src_port

  • transport

  • tunnel_id

  • user

  • vendor_product

Example Log

"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"

Required Output Fields

  • dest_ip

  • dest_port

  • src_ip

  • user

  • action


Source: GitHub | Version: 1