Cisco Firepower
The IBM® QRadar® Cisco Firepower Custom Properties Content Extension adds new custom event properties for Cisco Firepower.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Cisco Firepower Content Extension 1.0.3
The following table shows the new or updated custom properties in IBM Security QRadar Cisco Firepower Content Extension 1.0.3.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Destination Interface | Yes | 1 | egressInterface\.interfaceName=([^\s]*)\s |
| Destination Interface UUID | No | 1 | egressInterface\.interfaceUUID=([^\s]*)\s |
| Destination Zone | No | 1 | egressSecurityZone\.securityZoneName=([^\s]*)\s |
| Source Interface | No | 1 | ingressInterface\.interfaceName=([^\s]*)\s |
| Source Interface UUID | No | 1 | ingressInterface\.interfaceUUID=([^\s]*)\s |
| Source Zone | No | 1 | ingressSecurityZone\.securityZoneName=([^\s]*)\s |
The File Hash custom property is renamed to SHA256.
The Login Type custom property is optimized.
IBM Security QRadar Cisco Firepower Content Extension 1.0.2
The File Directory custom property was given a new ID to avoid a conflict with the File Directory custom property from the Cisco AMP content extension.
IBM Security QRadar Cisco Firepower Content Extension 1.0.1
The following table shows the new or updated custom properties in IBM Security QRadar Cisco Firepower Content Extension 1.0.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Blocked | False | 1 | blocked=(\d+) |
| BytesReceived | True | 1 | bytesReceived=(\d+) |
| BytesSent | True | 1 | bytesSent=(\d+) |
| Detection Engine Type | False | 1 | detectionEngineType=(.*?)\s*detectionEngine[a-zA-Z\.]*= |
| Disposition | False | 1 | disposition=(\d+) |
| File Direction | False | 1 | direction=(\d+) |
| File Directory | True | 1 | filePath=([^\t]*?)[^\\\/]*\t |
| File Hash | True | 1 | fileSHAHash=([^\s]+) |
| File Path | False | 1 | filePath=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| File Size | False | 1 | fileSize=(\d+) |
| Filename | True | 1 | fileName=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| Fingerprint UUID | False | 1 | fingerprintUUID=([^\s]+) |
| Login Type | False | 1 | loginType=(\d+) |
| Malware Event Type | False | 1 | malwareEventType=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| OS Name | False | 1 | osName=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| OS Vendor | False | 1 | osVendor=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| OS Version | False | 1 | osVersion=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| Packets Received | False | 1 | packetsReceived=(\d+) |
| Packets Sent | False | 1 | packetsSent=(\d+) |
| Priority | False | 1 | priorityId=(\d+) |
| Reported By | False | 1 | reportedBy=([^\s]+) |
| Rule Action | False | 1 | ruleAction=(\d+) |
| SSL Actual Action | True | 1 | sslActualAction=(\d+) |
| Threat Score | False | 1 | threatScore=(\d+) |
| User Protocol | False | 1 | protocolRef=(\d+) |
IBM Security QRadar Cisco Firepower Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Cisco Firepower Content Extension 1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Action | True | 1 | action=(\d+) |
| Blocked | False | 1 | blocked=(\d+) |
| BytesReceived | False | 1 | bytesReceived=(\d+) |
| BytesSent | False | 1 | bytesSent=(\d+) |
| Detection Engine Type | False | 1 | detectionEngineType=(.*?)\s*detectionEngine[a-zA-Z\.]*= |
| Disposition | False | 1 | disposition=(\d+) |
| File Direction | False | 1 | direction=(\d+) |
| File Hash | False | 1 | fileSHAHash=([^\s]+) |
| File Path | False | 1 | filePath=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| File Size | False | 1 | fileSize=(\d+) |
| Filename | False | 1 | fileName=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| Fingerprint UUID | False | 1 | fingerprintUUID=([^\s]+) |
| Login Type | False | 1 | loginType=(\d+) |
| Malware Event Type | False | 1 | malwareEventType=(.*?)\s*malwareEventData[a-zA-Z\.]*= |
| OS Name | False | 1 | osName=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| OS Vendor | False | 1 | osVendor=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| OS Version | False | 1 | osVersion=(.*?)\s*osFingerprint[a-zA-Z\.]*= |
| Packets Received | False | 1 | packetsReceived=(\d+) |
| Packets Sent | False | 1 | packetsSent=(\d+) |
| Priority | False | 1 | priorityId=(\d+) |
| Reported By | False | 1 | reportedBy=([^\s]+) |
| Threat Score | False | 1 | threatScore=(\d+) |
| User Protocol | False | 1 | protocolRef=(\d+) |