Cisco Firepower Syslog

The IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension adds new syslog-compatible custom event properties for Cisco Firepower.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.1

The File Hash custom property is renamed to SHA256 Hash.

IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.0.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Cisco Firepower (Syslog) Content Extension 1.0.0

Name               Optimized   Capture Group   Regex
-----------------  ----------  --------------  ----------------------------------------
Action             Yes         1               AccessControlRuleAction[:\s]*(.+?),\s+
                                               FileAction[:\s]*(.+?),\s+
BytesReceived      Yes         1               ResponderBytes[:\s]*(.+?),\s+
BytesSent          Yes         1               InitiatorBytes[:\s]*(.+?),\s+
Disposition        No          1               SHA_Disposition[:\s]*(.+?),\s+
File Direction     No          1               FileDirection[:\s]*(.+?),\s+
File Hash          Yes         1               FileSHA256[:\s]*(.+?),\s+
File Size          No          1               FileSize[:\s]*(.+?),\s+
File Type          No          1               FileType[:\s]*(.+?),\s+
Filename           Yes         1               FileName[:\s]*(.+?),\s+
Packets Received   No          1               ResponderPackets[:\s]*(.+?),\s+
Packets Sent       No          1               InitiatorPackets[:\s]*(.+?),\s+
Policy             No          1               ACPolicy[:\s]*(.+?),\s+
Reason             Yes         1               AccessControlRuleReason[:\s]*(.+?),\s+
Source Interface   No          1               IngressInterface[:\s]*(.+?),\s+
Source Zone        No          1               IngressZone[:\s]*(.+?),\s+
Threat Family      No          1               URI[:\shttp:\/\dW.]*(.+?)[\/,\s+]
Threat Name        Yes         1               ThreatName[:\s]*(.+?),\s+
Threat Score       No          1               ThreatScore[:\s]*(.+?),\s+
Web Category       Yes         1               URLReputation[:\s]*(.+?)[,\s+]
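The following added example (not part of the content extension or IBM's documentation) runs a subset of the table's regexes over a constructed Firepower-style event so you can see exactly what each capture group returns before relying on the property in a rule or search; Python's re module stands in for QRadar's regex engine, which is an assumption. It also shows two behaviours worth checking against your own events: a field that ends the message is not captured, because the regexes require a trailing comma and whitespace, and the Threat Family character class contains no "s", so an https URI captures only "s:".

```python
import re

# Regexes copied from the content-extension table above; QRadar uses capture group 1.
CUSTOM_PROPERTIES = {
    "Action":        r"AccessControlRuleAction[:\s]*(.+?),\s+",
    "BytesReceived": r"ResponderBytes[:\s]*(.+?),\s+",
    "BytesSent":     r"InitiatorBytes[:\s]*(.+?),\s+",
    "Disposition":   r"SHA_Disposition[:\s]*(.+?),\s+",
    "File Hash":     r"FileSHA256[:\s]*(.+?),\s+",
    "Filename":      r"FileName[:\s]*(.+?),\s+",
    "Policy":        r"ACPolicy[:\s]*(.+?),\s+",
    "Threat Family": r"URI[:\shttp:\/\dW.]*(.+?)[\/,\s+]",
    "Threat Name":   r"ThreatName[:\s]*(.+?),\s+",
    "Web Category":  r"URLReputation[:\s]*(.+?)[,\s+]",
}

# Constructed sample event in the Firepower "Key: Value, Key: Value" style.
# Addresses, names and the hash are made up for this example; the last field
# deliberately has no trailing comma, as the final field of a real message would not.
SAMPLE_EVENT = (
    "AccessControlRuleAction: Allow, ACPolicy: corp-acp, SrcIP: 10.0.0.5, "
    "DstIP: 198.51.100.7, InitiatorBytes: 1200, ResponderBytes: 34000, "
    "URLReputation: Neutral, URI: http://malware.example/payload/x.bin, "
    "ThreatName: Win.Trojan.Generic, FileName: invoice.exe, "
    "FileSHA256: " + "ab" * 32 + ", SHA_Disposition: Malware"
)

# Same event with an https URI, to show what the Threat Family regex captures then.
SAMPLE_HTTPS_EVENT = SAMPLE_EVENT.replace("http://", "https://")


def extract(event, properties=CUSTOM_PROPERTIES):
    """Run every custom-property regex over one event and return capture group 1
    per property, or None where the regex does not match (an empty property in QRadar)."""
    result = {}
    for name, pattern in properties.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


if __name__ == "__main__":
    for name, value in extract(SAMPLE_EVENT).items():
        print(f"{name:14} {value!r}")
    print("Threat Family (https):", extract(SAMPLE_HTTPS_EVENT)["Threat Family"])
```

Disposition comes back as None for the sample because SHA_Disposition is the last field; in the product, that shows up as an empty custom property, so verify field order in your actual events before building rules on these properties.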
