Cisco Firepower Syslog
The IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension adds new syslog compatible custom event properties for Cisco Firepower.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.1
The File Hash custom property is renamed to SHA256 Hash.
IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Action | Yes | 1 | AccessControlRuleAction[:\s]*(.+?),\s+ FileAction[:\s]*(.+?),\s+ |
BytesReceived | Yes | 1 | ResponderBytes[:\s]*(.+?),\s+ |
BytesSent | Yes | 1 | InitiatorBytes[:\s]*(.+?),\s+ |
Disposition | No | 1 | SHA_Disposition[:\s]*(.+?),\s+ |
File Direction | No | 1 | FileDirection[:\s]*(.+?),\s+ |
File Hash | Yes | 1 | FileSHA256[:\s]*(.+?),\s+ |
File Size | No | 1 | FileSize[:\s]*(.+?),\s+ |
File Type | No | 1 | FileType[:\s]*(.+?),\s+ |
Filename | Yes | 1 | FileName[:\s]*(.+?),\s+ |
Packets Received | No | 1 | ResponderPackets[:\s]*(.+?),\s+ |
Packets Sent | No | 1 | InitiatorPackets[:\s]*(.+?),\s+ |
Policy | No | 1 | ACPolicy[:\s]*(.+?),\s+ |
Reason | Yes | 1 | AccessControlRuleReason[:\s]*(.+?),\s+ |
Source Interface | No | 1 | IngressInterface[:\s]*(.+?),\s+ |
Source Zone | No | 1 | IngressZone[:\s]*(.+?),\s+ |
Threat Family | No | 1 | URI[:\shttp:\/\dW.]*(.+?)[\/,\s+] |
Threat Name | Yes | 1 | ThreatName[:\s]*(.+?),\s+ |
Threat Score | No | 1 | ThreatScore[:\s]*(.+?),\s+ |
Web Category | Yes | 1 | URLReputation[:\s]*(.+?)[,\s+] |
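To check how these expressions behave before relying on them in offenses or reports, the following added example (not part of the content extension or IBM's documentation) applies a subset of the table's regexes, with capture group 1, to a constructed Cisco Firepower style syslog line. It shows two edge cases worth knowing: a property whose regex ends in `,\s+` only matches when the field is followed by a comma and whitespace, so a trailing field is not extracted, and the Web Category class `[,\s+]` stops at the first space, so a multi-word reputation value is truncated. The event text, the `extract` and `unmatched` helpers and all field values are assumptions constructed for this example.

```python
import re

# Regexes copied from the table above; each uses capture group 1.
PROPERTIES = {
    "Action": r"AccessControlRuleAction[:\s]*(.+?),\s+",
    "BytesReceived": r"ResponderBytes[:\s]*(.+?),\s+",
    "BytesSent": r"InitiatorBytes[:\s]*(.+?),\s+",
    "Policy": r"ACPolicy[:\s]*(.+?),\s+",
    "Source Interface": r"IngressInterface[:\s]*(.+?),\s+",
    "Source Zone": r"IngressZone[:\s]*(.+?),\s+",
    "Threat Name": r"ThreatName[:\s]*(.+?),\s+",
    "Web Category": r"URLReputation[:\s]*(.+?)[,\s+]",
}

# Constructed sample event (not a real capture) in the "Key: value, " layout
# that Firepower connection events use; ThreatName is deliberately last.
SAMPLE_EVENT = (
    "AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 203.0.113.7, "
    "IngressInterface: inside, IngressZone: inside-zone, ACPolicy: Corporate-Policy, "
    "InitiatorPackets: 10, ResponderPackets: 12, InitiatorBytes: 1200, "
    "ResponderBytes: 34000, URLReputation: Benign sites, ThreatName: None"
)


def extract(event, properties=PROPERTIES, group=1):
    """Return {property name: captured value} for every regex that matches,
    the way a QRadar custom property with the given capture group would."""
    found = {}
    for name, pattern in properties.items():
        match = re.search(pattern, event)
        if match:
            found[name] = match.group(group)
    return found


def unmatched(event, properties=PROPERTIES):
    """Names of properties whose regex did not match the event at all;
    useful for spotting fields that sit at the end of the message."""
    return [name for name in properties if re.search(properties[name], event) is None]


if __name__ == "__main__":
    for name, value in extract(SAMPLE_EVENT).items():
        print(f"{name:17} -> {value!r}")
    print("no match:", unmatched(SAMPLE_EVENT))  # ThreatName has no trailing ", "
```

Running it shows Web Category captured as "Benign" rather than "Benign sites", and Threat Name missing because nothing follows its value.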