--- title: Cisco fields description: Module for handling Cisco network device logs. Module for parsing Cisco AMP logs. Fields for Cisco ASA Firewall. Fields for Cisco Firepower Threat Defense... url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/exported-fields-cisco products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Cisco fields Module for handling Cisco network device logs. ## cisco.amp - Elastic Stack: Beta Module for parsing Cisco AMP logs. The timestamp in Epoch nanoseconds. type: date A sub ID of the event, depending on event type. type: keyword The name of the malware detected. type: keyword The ID of the detection. type: keyword The GUID of the connector sending information to AMP. type: keyword An array of group GUIDS related to the connector sending information to AMP. type: keyword An array of related vulnerabilities to the malicious event. type: flattened Description of an event related to a scan being initiated, for example the specific directory name. type: keyword Boolean value if a scanned file was clean or not. type: boolean Count of files scanned in a directory. type: long Count of processes scanned related to a single scan event. type: long Count of different directories scanned related to a single scan event. type: long Count of malicious files or documents detected related to a single scan event. type: long The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. type: keyword The external IP of the related host. type: ip If the current endpoint is active or not. type: boolean All network interface information on the related host. type: flattened Categorization of file, for example "Malicious" or "Clean". type: keyword Categorization of a network event related to a file, for example "Malicious" or "Clean". type: keyword The current direction based on source and destination IP. type: keyword An array of all related MAC addresses. type: keyword An array of all related MAC addresses. type: keyword Description of the related IOC for specific IOC events from AMP. type: keyword Short description of the related IOC for specific IOC events from AMP. type: keyword Categorization of a IOC for example "Malicious" or "Clean". type: keyword MD5 hash of the related IOC. type: keyword SHA1 hash of the related IOC. type: keyword SHA256 hash of the related IOC. type: keyword Categorization of a file archive related to a file, for example "Malicious" or "Clean". type: keyword MD5 hash of the archived file related to the malicious event. type: keyword SHA1 hash of the archived file related to the malicious event. type: keyword SHA256 hash of the archived file related to the malicious event. type: keyword The application name related to Exploit Prevention events. type: keyword Path to the executable or dll that was attacked and detected by Exploit Prevention. type: keyword The base memory address related to the exploit detected. type: keyword An array of related files when an attack is detected by Exploit Prevention. type: keyword Categorization of parrent, for example "Malicious" or "Clean". type: keyword Description of an endpoint error event. type: keyword The error code describing the related error event. type: keyword Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. type: keyword The GUID of the related threat hunting report. type: keyword The GUID of the related investigation tracking issue. type: keyword Title of the incident related to the threat hunting activity. type: keyword Summary of the outcome on the threat hunting activity. type: keyword Recommendations to resolve the vulnerability or exploited host. type: keyword The id of the related incident for the threat hunting activity. type: keyword When the threat hunt finalized or closed. type: date When the threat hunt was initiated. type: date Different indicator types that matches the exploit detected, for example different MITRE tactics. type: flattened List of all MITRE tactics related to the incident found. type: flattened List of all MITRE techniques related to the incident found. type: flattened List of all MITRE tactics related to the incident found. type: flattened Array of all related mitre tactic ID's type: keyword List of all MITRE techniques related to the incident found. type: flattened Array of all related mitre technique ID's type: keyword The CLI arguments related to the Cloud Threat IOC reported by Cisco. type: keyword Endpoint isolation information type: flattened ## cisco.asa Fields for Cisco ASA Firewall. The Cisco ASA message identifier. type: keyword Optional suffix after %ASA identifier. type: keyword example: session Source interface for the flow or event. type: keyword Destination interface for the flow or event. type: keyword Name of the Access Control List rule that matched this event. type: keyword Name of the user that is the source for this event. type: keyword The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. type: long Name of the user that is the destination for this event. type: keyword The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. type: long The translated source IP address. type: ip The translated source host. type: keyword The translated source port. type: long The translated destination IP address. type: ip The translated destination host. type: keyword The translated destination port. type: long Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. type: keyword Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. type: keyword Unique identifier for a flow. type: keyword ICMP type. type: short ICMP code. type: short The VPN connection type type: keyword The assigned DAP records type: keyword The command line arguments logged by the local audit log type: keyword The IP address assigned to a VPN client successfully connecting type: ip When a users privilege is changed this is the old value type: keyword When a users privilege is changed this is the new value type: keyword The related object for burst warnings type: keyword The related rate ID for burst warnings type: keyword The current burst rate seen type: keyword The current configured burst rate type: keyword The current average burst rate seen type: keyword The current configured average burst rate allowed type: keyword The total count of burst rate hits since the object was created or cleared type: keyword AAA name of user requesting termination type: keyword The WebVPN group name the user belongs to type: keyword Interface name of the side that initiated the teardown type: keyword SA type (remote access or L2L) type: keyword Session type (for example, IPsec or UDP) type: keyword ## cisco.ftd Fields for Cisco Firepower Threat Defense Firewall. The Cisco FTD message identifier. type: keyword Optional suffix after %FTD identifier. type: keyword example: session Source interface for the flow or event. type: keyword Destination interface for the flow or event. type: keyword Name of the Access Control List rule that matched this event. type: keyword Name of the user that is the source for this event. type: keyword Name of the user that is the destination for this event. type: keyword The translated source IP address. Use ECS source.nat.ip. type: ip The translated source host. type: keyword The translated source port. Use ECS source.nat.port. type: long The translated destination IP address. Use ECS destination.nat.ip. type: ip The translated destination host. type: keyword The translated destination port. Use ECS destination.nat.port. type: long Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. type: keyword Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. type: keyword Unique identifier for a flow. type: keyword ICMP type. type: short ICMP code. type: short Raw fields for Security Events. type: object The VPN connection type type: keyword The assigned DAP records type: keyword AAA name of user requesting termination type: keyword The WebVPN group name the user belongs to type: keyword Interface name of the side that initiated the teardown type: keyword ## cisco.ios Fields for Cisco IOS logs. Name of the IP access list. type: keyword The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. type: keyword example: SEC ## cisco.umbrella Fields for Cisco Umbrella. An array of the different identities related to the event. type: keyword The security or content categories that the destination matches. type: keyword The first identity type matched with this request. Available in version 3 and above. type: keyword The type of identity that made the request. For example, Roaming Computer or Network. type: keyword The categories that resulted in the destination being blocked. Available in version 4 and above. type: keyword The type of web content, typically text/html. type: keyword Hex digest of the response content. type: keyword The detection name according to the antivirus engine used in file inspection. type: keyword A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. type: keyword The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. type: keyword If Malicious, the name of the malware according to AMP. type: keyword The score of the malware from AMP. This field is not currently used and will be blank. type: keyword The name of the Umbrella Data Center that processed the user-generated traffic. type: keyword The unique identity of the network tunnel. type: keyword