QRadar eStreamer Fields

The following table lists the fields that can be parsed when Firepower eStreamer connection events are sent to QRadar. For more information on how to configure Cisco Firepower eStreamer and QRadar, please refer to the vendor documentation.

Note: The following fields were taken from the raw output before it was compiled. I have given brief descriptions next to the most common fields as examples.

 

Field

Description

 

Field

Description

flowStatistics.initiatorIPAddress

Flow initiator IP

 

flowStatistics.dnsTTL

 

flowStatistics.responderIPAddress

Flow responder IP

 

flowStatistics.managedDevice.managedDeviceId

Provides the FTD’s device ID

flowStatistics.originalClientIPAddress

 

 

flowStatistics.managedDevice.name

Provides the FTD’s device hostname

flowStatistics.policyRevision

 

 

flowStatistics.ingressSecurityZone.securityZoneUUID

 

flowStatistics.ruleId

Matched rule ID

 

flowStatistics.ingressSecurityZone.securityZoneName

 

flowStatistics.ruleAction

Rule action

 

flowStatistics.egressSecurityZone.securityZoneUUID

 

flowStatistics.tunnelRuleId

 

 

flowStatistics.egressSecurityZone.securityZoneName

Egress Interface Security Zone

flowStatistics.ruleReason

 

 

flowStatistics.ingressInterface.interfaceUUID

Ingress Interface Security Zone

flowStatistics.initiatorPort

Flow initiator port

 

flowStatistics.ingressInterface.interfaceName

Ingress Interface Name

flowStatistics.responderPort

Flow responder port

 

flowStatistics.egressInterface.interfaceUUID

 

flowStatistics.tcpFlags

 

 

flowStatistics.egressInterface.interfaceName

Egress Interface Name

flowStatistics.protocol

Flow initiator protocol

 

flowStatistics.user.userId

 

flowStatistics.netFlowIPAddress

 

 

flowStatistics.user.protocolRef

 

flowStatistics.instanceId

 

 

flowStatistics.user.userName

 

flowStatistics.connectionCounter

 

 

flowStatistics.urlCategoryRef

 

flowStatistics.firstPacketTimestamp

First Packet Seen Time

 

flowStatistics.urlReputation.urlReputationId

 

flowStatistics.lastPacketTimestamp

Last Packet Seen Time

 

flowStatistics.urlReputation.reputationName

 

flowStatistics.packetsSent

Number of Packets Sent

 

flowStatistics.webApp.applicationId

 

flowStatistics.packetsReceived

Number of Packets Received

 

flowStatistics.webApp.webApplicationName

 

flowStatistics.bytesSent

Total Bytes Sent

 

flowStatistics.initiatorCountry.geolocation.countryCode

Geolocation fields

flowStatistics.bytesReceived

Total Bytes Received

 

flowStatistics.initiatorCountry.geolocation.countryName

flowStatistics.initiatorPacketsDropped

 

 

flowStatistics.responderCountry.geolocation.countryCode

flowStatistics.responderPacketsDropped

 

 

flowStatistics.responderCountry.geolocation.countryName

flowStatistics.initiatorBytesDropped

 

 

flowStatistics.originalClientCountryRef

 

flowStatistics.responderBytesDropped

 

 

flowStatistics.IOCRef

 

flowStatistics.qosAppliedInterface

 

 

flowStatistics.securityContextRef

 

flowStatistics.qosRuleId

 

 

flowStatistics.sslPolicyRef

 

flowStatistics.applicationProtocolId

 

 

flowStatistics.sslCertificateFingerprintRef

 

flowStatistics.clientAppId

 

 

flowStatistics.sslCiperSuite.sslCipherId

 

flowStatistics.clientAppURL

 

 

flowStatistics.sslCiperSuite.sslCipherSuiteName

 

flowStatistics.netbiosName

 

 

flowStatistics.sslVersion.sslVersionId

 

flowStatistics.clientAppVersion

 

 

flowStatistics.sslVersion.sslVersionName

 

flowStatistics.monitorRule1

 

 

flowStatistics.sslServerCertificateStatus.sslServerCertificateStatus

 

flowStatistics.monitorRule2

 

 

flowStatistics.sslServerCertificateStatus.sslServerCertificateStatusDescription

 

flowStatistics.monitorRule3

 

 

flowStatistics.sslActualAction.sslActualAction

 

flowStatistics.monitorRule4

 

 

flowStatistics.sslActualAction.description

 

flowStatistics.monitorRule5

 

 

flowStatistics.sslExpectedActionRef

 

flowStatistics.monitorRule6

 

 

flowStatistics.sslFlowStatus.sslFlowStatus

 

flowStatistics.monitorRule7

 

 

flowStatistics.sslFlowStatus.description

 

flowStatistics.monitorRule8

 

 

flowStatistics.sslURLCategoryRef

 

flowStatistics.securityIntelligenceSrcOrDest

 

 

flowStatistics.securityGroupRef

 

flowStatistics.securityIntelligenceLayer

 

 

flowStatistics.sinkholeRef

 

flowStatistics.fileEventCount

 

 

flowStatistics.securityIntelligenceList1Ref

 

flowStatistics.intrusionEventCount

 

 

flowStatistics.securityIntelligenceList2Ref

 

flowStatistics.sourceAutonomousSystem

 

 

 

 

flowStatistics.destinationAutonomousSystem

 

 

 

 

flowStatistics.snmpIn

 

 

 

 

flowStatistics.snmpOut

 

 

 

 

flowStatistics.sourceTOS

 

 

 

 

flowStatistics.destinationTOS

 

 

 

 

flowStatistics.sourceMask

 

 

 

 

flowStatistics.destinationMask

 

 

 

 

flowStatistics.vlanId

 

 

 

 

flowStatistics.referencedHost

 

 

 

 

flowStatistics.userAgent

 

 

 

 

flowStatistics.httpReferrer

 

 

 

 

flowStatistics.sslRuleId

 

 

 

 

flowStatistics.sslFlowError

 

 

 

 

flowStatistics.sslFlowMessages

 

 

 

 

flowStatistics.sslFlowFlags

 

 

 

 

flowStatistics.sslServerNames

 

 

 

 

flowStatistics.sslSessionId

 

 

 

 

flowStatistics.sslSessionIdLength

 

 

 

 

flowStatistics.sslTicketId

 

 

 

 

flowStatistics.sslTicketIdLength

 

 

 

 

flowStatistics.networkAnalysisPolicyRevision

 

 

 

 

flowStatistics.endpointProfileId

 

 

 

 

flowStatistics.locationIPv6Address

 

 

 

 

flowStatistics.httpResponse

 

 

 

 

flowStatistics.dnsRecordType

 

 

 

 

flowStatistics.dnsQuery

 

 

 

 

flowStatistics.dnsResponseType

 

 

 

 

