<span class="pill kill-chain">Application</span>
<span class="pill kill-chain">Classification</span>
<span class="pill kill-chain">ClientApplication</span>
<span class="pill kill-chain">EgressZone</span>
<span class="pill kill-chain">EventType</span>
<span class="pill kill-chain">Impact</span>
<span class="pill kill-chain">IngressZone</span>
<span class="pill kill-chain">IntrusionRuleMessage</span>
<span class="pill kill-chain">WebApplication</span>
<span class="pill kill-chain">impact_desc</span>
<span class="pill kill-chain">ApplicationID</span>
<span class="pill kill-chain">ApplicationProductivityIndex</span>
<span class="pill kill-chain">ApplicationRiskIndex</span>
<span class="pill kill-chain">ClientApplicationID</span>
<span class="pill kill-chain">ClientApplicationProductivityIndex</span>
<span class="pill kill-chain">ClientApplicationRiskIndex</span>
<span class="pill kill-chain">ConnectionID</span>
<span class="pill kill-chain">Device</span>
<span class="pill kill-chain">DeviceIP</span>
<span class="pill kill-chain">DeviceSerialNumber</span>
<span class="pill kill-chain">DeviceUUID</span>
<span class="pill kill-chain">EgressInterface</span>
<span class="pill kill-chain">EgressInterfaceUUID</span>
<span class="pill kill-chain">EgressVRF</span>
<span class="pill kill-chain">EgressZoneUUID</span>
<span class="pill kill-chain">EventID</span>
<span class="pill kill-chain">EventMicrosecond</span>
<span class="pill kill-chain">EventSecond</span>
<span class="pill kill-chain">FirewallPolicy</span>
<span class="pill kill-chain">FirewallPolicyUUID</span>
<span class="pill kill-chain">FirewallRule</span>
<span class="pill kill-chain">FirewallRuleID</span>
<span class="pill kill-chain">FirstPacketSecond</span>
<span class="pill kill-chain">GeneratorID</span>
<span class="pill kill-chain">HTTP_Hostname</span>
<span class="pill kill-chain">HTTP_URI</span>
<span class="pill kill-chain">Hostname</span>
<span class="pill kill-chain">ICMP_Code</span>
<span class="pill kill-chain">ICMP_Type</span>
<span class="pill kill-chain">IngressInterface</span>
<span class="pill kill-chain">IngressInterfaceUUID</span>
<span class="pill kill-chain">IngressVRF</span>
<span class="pill kill-chain">IngressZoneUUID</span>
<span class="pill kill-chain">InitiatorContinent</span>
<span class="pill kill-chain">InitiatorContinentCode</span>
<span class="pill kill-chain">InitiatorCountry</span>
<span class="pill kill-chain">InitiatorCountryCode</span>
<span class="pill kill-chain">InitiatorCountryID</span>
<span class="pill kill-chain">InitiatorIP</span>
<span class="pill kill-chain">InitiatorPort</span>
<span class="pill kill-chain">InlineResult</span>
<span class="pill kill-chain">InlineResultID</span>
<span class="pill kill-chain">InlineResultReason</span>
<span class="pill kill-chain">InlineResultReasonID</span>
<span class="pill kill-chain">InstanceID</span>
<span class="pill kill-chain">IntrusionPolicy</span>
<span class="pill kill-chain">IntrusionPolicyRevUUID</span>
<span class="pill kill-chain">IntrusionPolicyUUID</span>
<span class="pill kill-chain">MitreAttackGroups</span>
<span class="pill kill-chain">NAP_Policy</span>
<span class="pill kill-chain">NAP_PolicyUUID</span>
<span class="pill kill-chain">PriorityID</span>
<span class="pill kill-chain">Protocol</span>
<span class="pill kill-chain">ProtocolID</span>
<span class="pill kill-chain">RealmID</span>
<span class="pill kill-chain">RealmName</span>
<span class="pill kill-chain">ResponderContinent</span>
<span class="pill kill-chain">ResponderContinentCode</span>
<span class="pill kill-chain">ResponderCountry</span>
<span class="pill kill-chain">ResponderCountryCode</span>
<span class="pill kill-chain">ResponderCountryID</span>
<span class="pill kill-chain">ResponderIP</span>
<span class="pill kill-chain">ResponderPort</span>
<span class="pill kill-chain">SSL_ActualAction</span>
<span class="pill kill-chain">SSL_ActualActionID</span>
<span class="pill kill-chain">SSL_Cert</span>
<span class="pill kill-chain">SSL_CertFingerprint</span>
<span class="pill kill-chain">SSL_FlowStatus</span>
<span class="pill kill-chain">SSL_FlowStatusID</span>
<span class="pill kill-chain">SensorID</span>
<span class="pill kill-chain">SignatureID</span>
<span class="pill kill-chain">SignatureRevision</span>
<span class="pill kill-chain">SnortRuleGroups</span>
<span class="pill kill-chain">SnortVersionID</span>
<span class="pill kill-chain">UserID</span>
<span class="pill kill-chain">WebApplicationHTTP</span>
<span class="pill kill-chain">WebApplicationID</span>
<span class="pill kill-chain">WebApplicationProductivityIndex</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">class_desc</span>
<span class="pill kill-chain">connection_id</span>
<span class="pill kill-chain">date</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_interface</span>
<span class="pill kill-chain">dest_ip</span>
<span class="pill kill-chain">dest_port</span>
<span class="pill kill-chain">dest_zone</span>
<span class="pill kill-chain">device_id</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">http_referrer</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">instance_id</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">rule</span>
<span class="pill kill-chain">sensor_name</span>
<span class="pill kill-chain">severity_id</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">signature_version</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src_interface</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_port</span>
<span class="pill kill-chain">src_zone</span>
<span class="pill kill-chain">ssl_hash</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">transport</span>
<span class="pill kill-chain">vendor_product</span>
Data Source: Cisco Secure Firewall Threat Defense Intrusion Event
Description
Data source object for raw intrusion events emitted by Cisco Secure Firewall Threat Defense and ingested via eStreamer (sourcetype `cisco:sfw:estreamer`). An intrusion event records what the inspection engine observed, not necessarily what it enforced: use InlineResult / InlineResultID (with InlineResultReason) to separate traffic that was actually dropped from traffic that only "Would block" because the intrusion policy was in detection-only inspection mode, as in the example below, rather than triaging on Impact or PriorityID alone. Note also that in the example the InitiatorIP is an external address on port 80 and the ResponderIP an internal host on an ephemeral port, which suggests Initiator/Responder (and the src_ip/dest_ip fields mapped from them) follow the direction of the packet that triggered the rule rather than which side opened the connection; confirm against the connection event sharing the same ConnectionID before attributing the activity to the external host.
Details
Property | Value |
---|---|
Source | not_applicable |
Sourcetype | cisco:sfw:estreamer |
Supported Apps
- Cisco Security Cloud (version 3.1.1)
Event Fields
Example Log
{"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707, "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110", "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside", "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1, "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE download of executable content", "Classification":"Potential Corporate Policy Violation", "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP", "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode", "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com", "HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe", "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676, "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802, "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024", "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37", "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal", "IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024",
"IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024", "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5, "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024", "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024", "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3, "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731, "WebApplicationProductivityIndex":2}
Source: GitHub | Version: 1