Change log for CISCO_FIREPOWER_FIREWALL
Date | Changes |
---|---|
2025-1-22 | Enhancement:<br>- Added support for a new pattern of syslog logs. |
2025-08-18 | Enhancement:<br>- Added a grok pattern to parse `principal.ip`.<br>- `event.idm.read_only_udm.security_result.description`: Newly mapped the `AccessControlRuleReason` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field.<br>- `event.idm.read_only_udm.network.http.user_agent`: Newly mapped the `Client` raw log field to the `event.idm.read_only_udm.network.http.user_agent` UDM field.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `IPSCount` and `ConnectionDuration` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `ReferencedHost` raw log field to the `event.idm.read_only_udm.principal.ip` and `event.idm.read_only_udm.principal.asset.ip` UDM fields. |
2025-08-11 | Enhancement:<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped `CRITICAL` to the `event.idm.read_only_udm.security_result.severity` UDM field when severity is 0.<br>- `event.idm.read_only_udm.security_result.severity`: Newly mapped `INFORMATIONAL` to the `event.idm.read_only_udm.security_result.severity` UDM field when severity is 7.<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `Emergency: System is unusable` to the `event.idm.read_only_udm.security_result.severity_details` UDM field when severity is 0.<br>- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped `Debugging: Debugging messages` to the `event.idm.read_only_udm.security_result.severity_details` UDM field when severity is 7.<br>- `event.idm.read_only_udm.security_result.severity`: Removed the mapping of `INFORMATIONAL` from the `event.idm.read_only_udm.security_result.severity` UDM field and mapped `HIGH` instead when severity is 1.<br>- `event.idm.read_only_udm.security_result.severity`: Removed the mapping of `INFORMATIONAL` from the `event.idm.read_only_udm.security_result.severity` UDM field and mapped `LOW` instead when severity is 4.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Immediate action needed` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Alert: Immediate action needed` instead when severity is 1.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Critical condition` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Critical: Critical conditions` instead when severity is 2.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Error condition` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Error: Error conditions` instead when severity is 3.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Warning condition` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Warning: Warning conditions` instead when severity is 4.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Normal but significant condition` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Notice: Normal but significant condition` instead when severity is 5.<br>- `event.idm.read_only_udm.security_result.severity_details`: Removed the mapping of `Informational message only` from the `event.idm.read_only_udm.security_result.severity_details` UDM field and mapped `Informational: Informational messages only` instead when severity is 6.<br>- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `EventPriority`, `PrefilterPolicy`, and `ClientAppDetector` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.<br>- `event.idm.read_only_udm.network.sent_packets`: Mapped the `InitiatorPackets` raw log field to the `event.idm.read_only_udm.network.sent_packets` UDM field.<br>- `event.idm.read_only_udm.network.received_packets`: Mapped the `ResponderPackets` raw log field to the `event.idm.read_only_udm.network.received_packets` UDM field.<br>- `event.idm.read_only_udm.principal.nat_port`: Mapped the `NAT_InitiatorPort` raw log field to the `event.idm.read_only_udm.principal.nat_port` UDM field.<br>- `event.idm.read_only_udm.target.nat_port`: Mapped the `NAT_ResponderPort` raw log field to the `event.idm.read_only_udm.target.nat_port` UDM field.<br>- `event.idm.read_only_udm.principal.nat_ip`: Mapped the `NAT_InitiatorIP` raw log field to the `event.idm.read_only_udm.principal.nat_ip` UDM field.<br>- `event.idm.read_only_udm.target.nat_ip`: Mapped the `NAT_ResponderIP` raw log field to the `event.idm.read_only_udm.target.nat_ip` UDM field.<br>- `event.idm.read_only_udm.principal.asset.attribute.labels`: Mapped the `InstanceID`, `IngressVRF`, and `EgressVRF` raw log fields to the `event.idm.read_only_udm.principal.asset.attribute.labels` UDM field. |
2025-08-05 | Enhancement:<br>- Added support for syslogs with eventId `199018` by adding a new Grok pattern.<br>- `event.idm.read_only_udm.principal.user.userid`: Newly mapped the `src_user1` log field to `event.idm.read_only_udm.principal.user.userid` and set `has_user` to `true`.<br>- Added a condition to set `event.idm.read_only_udm.metadata.event_type` to `USER_UNCATEGORIZED` when `has_user` is `true`.<br>- `event.idm.read_only_udm.principal.ip`: Newly mapped the `srcip` log field to `event.idm.read_only_udm.principal.ip`.<br>- `event.idm.read_only_udm.principal.asset.ip`: Newly mapped the `srcip` log field to `event.idm.read_only_udm.principal.asset.ip`.<br>- Concatenated the `month`, `day`, `year`, and `time` log fields and mapped the result to the `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
2025-07-18 | Enhancement:<br>- `event.idm.read_only_udm.principal.user.userid`: Removed the mapping of `event.idm.read_only_udm.principal.user.userid` by adding a new grok pattern, to avoid parsing DNS data as user data.<br>- `event.idm.read_only_udm.principal.user.user_display_name`: Removed the mapping of `event.idm.read_only_udm.principal.user.user_display_name` by adding a new grok pattern, to avoid parsing DNS data as user data.<br>- `event.idm.read_only_udm.network.dns.questions.name`: Newly mapped the `dns_question` raw log field to `event.idm.read_only_udm.network.dns.questions.name`. |
2025-07-16 | Enhancement:<br>- Added support for SYSLOG format with `kernel` messages by adding a new Grok pattern.<br>- Enhanced the date filter to separately handle formats that carry "year" data.<br>- Added a grok pattern to parse `product`, `severity`, and `eventID` from `src_app`.<br>- `event.idm.read_only_udm.metadata.product_event_type`: Newly mapped the `eventID` log field to `event.idm.read_only_udm.metadata.product_event_type`.<br>- Added a grok pattern to parse `Reg` and `Value` from the `sec_desc` field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `kernel_value` log field to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Reg` log field to `event.idm.read_only_udm.additional.fields`.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Value` log field to `event.idm.read_only_udm.additional.fields`. |
2025-07-01 | Enhancement:<br>- Added a Grok pattern to correctly extract the value of the `intermediary_ip` or `syslog` fields from the raw log.<br>- `event.idm.read_only_udm.network.session_id`: Newly mapped the `ConnectionID` raw log field to `event.idm.read_only_udm.network.session_id`.<br>- Added a null-check conditional for the `sysloghost` field in the "cisco_firepower_firewall_normalization.include" file. |
2025-04-03 | Enhancement:<br>- "event.idm.read_only_udm.network.http.user_agent": Mapped "UserAgent" to "event.idm.read_only_udm.network.http.user_agent".<br>- "event.idm.read_only_udm.network.http.parsed_user_agent": Mapped "UserAgent" to "event.idm.read_only_udm.network.http.parsed_user_agent".<br>- Modified the "message1" field by replacing all occurrences of "Prefilter Policy" with "Prefilter_Policy". |
2025-03-19 | Enhancement:<br>- Modified the Grok pattern to parse data into their respective mappings. |
2025-02-25 | Enhancement:<br>- Removed the "is_alert" functionality from the UDM mapping to avoid the discrepancy between the number of "ingested" events and "normalized" events. |
2025-02-14 | Enhancement:<br>- Added "on_error" to fix the parsing errors. |
2025-02-07 | Enhancement:<br>- Changed the mapping for "hostname" from "principal.hostname" and "principal.asset.hostname" to "intermediary.hostname" and "intermediary.asset.hostname".<br>- Modified the mapping from "intermediary.ip" to "target.ip". |
2025-01-30 | Enhancement:<br>- Added a new Grok pattern to parse the unparsed logs. |
2025-01-23 | Enhancement:<br>- Mapped "event_id" to "additional.fields". |
2025-01-16 | Enhancement:<br>- Added "gsub" to support the new JSON log formats. |
2025-01-03 | Enhancement:<br>- Added support for parsing "ASA" logs, which were previously not being parsed.<br>- Added a new Grok pattern to parse new log types. |
2024-12-06 | Enhancement:<br>- Added support for a new pattern of syslog logs.<br>- Mapped "path" to "principal.process.file.full_path".<br>- Mapped "event_name" to "metadata.product_event_type".<br>- Mapped "description" to "metadata.description".<br>- Mapped "host" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "srcuser" to "principal.user.userid" and "user_display_name", and set "metadata.event_type" to "USER_UNCATEGORIZED".<br>- Mapped "src_ip" to "principal.ip" and "principal.asset.ip".<br>- Mapped "src_port" to "principal.port". |
2024-12-05 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
2024-11-28 | Enhancement:<br>- Added support for a new pattern of syslog logs.<br>- Mapped "username2" to "target.user.userid".<br>- Mapped "pwd" to "target.file.full_path".<br>- Mapped "command" to "target.process.command_line". |
2024-11-13 | Enhancement:<br>- Added support for a new pattern of syslog logs.<br>- Mapped "username" to "principal.user.userid".<br>- Mapped "action" to "metadata.ingestion_labels".<br>- Mapped "bytes_transferred" to "network.sent_bytes". |
2024-11-06 | Enhancement:<br>- Added support for a new pattern of syslog logs. |
2024-11-05 | Enhancement:<br>- Added support to parse a new format of syslog logs. |
2024-11-05 | Enhancement:<br>- Added support to parse a new format of syslog logs. |
2024-08-13 | Enhancement:<br>- Added support to parse a new format of unparsed KV logs. |
2024-08-08 | Enhancement:<br>- Added support to parse a new format of unparsed logs. |
2024-07-15 | Enhancement:<br>- Added support to parse the unparsed logs with "eventId" as "106016", "302021", and "302020". |
2024-07-08 | Enhancement:<br>- Added validation before setting "metadata.event_type" to "FILE_CREATION" and "FILE_UNCATEGORIZED".<br>- When "SrcIP" and "DstIP" are not null, set "metadata.event_type" to "NETWORK_CONNECTION". |
2024-06-28 | Enhancement:<br>- Changed the mapping for "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes".<br>- Changed the mapping for "ResponderBytes" from "network.sent_bytes" to "network.received_bytes". |
2024-06-11 | Enhancement:<br>- Modified a Grok pattern to parse the intermediary hostname. |
2024-06-11 | Enhancement:<br>- Modified a Grok pattern to parse the intermediary hostname. |
2024-04-12 | Enhancement:<br>- Mapped "HTTP_Hostname" to "target.resource.attribute.labels".<br>- Mapped "HTTP_URI" to "target.resource.attribute.labels".<br>- When "InlineResult" is nearly equal to "Alert", set "security_result.action" to "ALLOW".<br>- When "InlineResult" is nearly equal to "Dropped", set "security_result.action" to "BLOCK".<br>- Mapped "InlineResult" to "security_result.action_details". |
2024-04-06 | Enhancement:<br>- Added a Grok pattern to parse the unparsed logs with "eventId" as "302022".<br>- Changed the mapping of "metadata.product_event_type" from "eventId" to "action".<br>- Changed the mapping of "InitiatorBytes" from "network.received_bytes" to "network.sent_bytes". |
2024-01-04 | Enhancement:<br>- Added support for SFAUDIT syslog logs.<br>- Mapped "user_id_field" to "principal.user.userid".<br>- Mapped "http_method" to "network.http.method".<br>- Mapped "HTTPReferer" to "network.http.referral_url".<br>- Mapped "HTTPResponse" to "network.http.response_code".<br>- Mapped "event_name" to "metadata.product_event_type".<br>- Mapped "event_description" to "metadata.description".<br>- Mapped "event_summary" to "security_result.summary".<br>- Added Grok patterns to parse "intermediary.hostname" properly for a new pattern of syslog logs.<br>- When "sysloghost" is a valid IP, mapped it to "intermediary.ip".<br>- Added support for JSON logs.<br>- Mapped "userId" to "principal.user.userid".<br>- Mapped "sourceIpAddress" to "principal.ip".<br>- Mapped "sourcePortOrIcmpType" to "principal.port".<br>- Mapped "@computed.sensor" to "principal.hostname".<br>- Mapped "@computed.user" to "principal.user.user_display_name".<br>- Mapped "@computed.clientApplication" to "principal.application".<br>- Mapped "@computed.ingressInterface" to "principal.asset.attribute.labels".<br>- Mapped "@computed.sourceIpCountry" to "principal.location.country_or_region".<br>- Mapped "destinationIpAddress" to "target.ip".<br>- Mapped "destinationPortOrIcmpType" to "target.port".<br>- Mapped "@computed.destinationIpCountry" to "target.location.country_or_region".<br>- Mapped "ipProtocolId" to "network.ip_protocol".<br>- Mapped "httpResponse" to "network.http.response_code".<br>- Mapped "@computed.applicationProtocol" to "network.application_protocol".<br>- Mapped "ruleId" to "security_result.rule_id".<br>- Mapped "priorityId" to "security_result.priority_details".<br>- Mapped "@computed.priority" to "security_result.priority".<br>- Mapped "@computed.firewallPolicy" to "security_result.rule_name".<br>- Mapped "@computed.message" to "security_result.threat_name".<br>- Mapped "iocNumber" to "security_result.detection_fields".<br>- Mapped "recordLength" to "security_result.detection_fields".<br>- Mapped "@computed.classificationDescription" to "security_result.description".<br>- Mapped "@computed.recordTypeDescription" to "metadata.description".<br>- Mapped "@computed.recordTypeCategory" to "metadata.product_event_type". |
2023-12-26 | Enhancement:<br>- Added a Grok pattern to parse the unparsed logs of type "%FTD-6-302303".<br>- Added an on_error for a kv block. |
2023-09-12 | Enhancement:<br>- Mapped "user_name" to "principal.user.email_addresses" and "client_ip" to "principal.ip" for "metadata.product_event_type" = "716001".<br>- Added a Grok pattern to parse the unparsed logs where "product" = "Intrusion". |
2023-08-08 | Bug-Fix:<br>- Added a Grok pattern to map the complete value present in the raw log to "intermediary.hostname". |
2023-06-15 | Enhancement:<br>- Added support for JSON format logs. |
2023-06-07 | Enhancement:<br>- Added a new Grok pattern and mapped fields accordingly to parse unparsed logs. |
2023-05-03 | Enhancement:<br>- Modified a Grok pattern to parse the failing logs.<br>- Corrected the logic to correctly map "network.direction" to the values "INBOUND" and "OUTBOUND". |
2023-04-19 | Enhancement:<br>- Modified a Grok pattern to get a valid hostname. |
2023-04-06 | Enhancement:<br>- Added a Grok pattern and mappings for EventId 106006. |
2023-03-09 | Enhancement:<br>- Mapped the hostname from the Syslog header to "intermediary.hostname".<br>- Removed the mapping of src_ip/src_host to "observer.ip"/"observer.hostname".<br>- Added new grok patterns and mappings for EventIds 106001, 302015, 302016, 713219, 302013, 305012, 305011.<br>- Mapped severity to "security_result.severity" and "security_result.severity_details".<br>- Modified "metadata.event_type" to "NETWORK_CONNECTION" where "eventId" is 305011, 305012, 607001, 302303.<br>- Mapped "network.direction" to INBOUND/OUTBOUND based on "src_interface_name" and "dst_interface_name".<br>- Mapped "src_interface_name" and "dst_interface_name" to "metadata.ingestion_labels".<br>- Added a check on "ApplicationProtocol" prior to mapping it to UDM. |
2023-02-27 | Enhancement:<br>- Added Grok patterns and mappings for EventIds 302016, 302014. |
2023-01-27 | Enhancement:<br>- Mapped "observer.hostname" and "observer.ip" for these product_event_type values: 430002, 430003, 430004, 430005.<br>- Modified the grok patterns for EventIds 721018, 722055, 722023, 113009, 722037 to parse data correctly. |
2022-11-25 | Enhancement:<br>- Added a grok pattern for product_event_type [199017].<br>- Mapped "AUTH_VIOLATION" to security_result.category for product_event_type [199017].<br>- Mapped the "USER_LOGIN" and "STATUS_UPDATE" event_type for product_event_type [199017].<br>- Mapped "target.user.userid" for product_event_type [199017].<br>- Mapped "extensions.auth.auth_details" for product_event_type [199017].<br>- Added a grok pattern and "on_error" for product_event_type [713902].<br>- Modified the "event_description" mapping for product_event_type [713902].<br>- Added "on_error" in grok for product_event_type [713903]. |
2022-07-07 | Enhancement:<br>- Removed is_alert where product_event_type is [430002, 430003, 313005, 419002].<br>- Added is_alert where product_event_type is 430005. |
2022-06-27 | Mapped the following unparsed events: [1:1000171:1] (Nmap), [122:1:1] (Portscan), [122:2:1] (Portscan), [122:8:1] (Portscan), [122:19:1] (Portsweep), [122:21:1] (Portscan), [122:22:1] (Portscan), [122:23:1] (Portsweep), [122:24:1] (Portscan), [122:7:1] (Portsweep), LOGSTASH[-].<br>- Mapped "category" to "security_result.threat_name" where eventId is "http_inspect".<br>- Mapped "category" to "security_result.threat_name" where eventId is "0" and product is "SFIMS".<br>- Mapped "Classification" to "security_result.threat_name" where eventId is "430001".<br>- Mapped "DeviceUUID" to "principal.resource.id" where eventId is "430001". |
2022-06-09 | Bug- Added new field mapping.<br>- ACPolicy mapped to "security_result.rule_labels".<br>- Removed the field name from the "security_result.confidence_details" value.<br>- Removed the field name from the "security_result.rule_name" value. |
2022-05-20 | Bug- Fixed an error where SFIMS product logs were not being parsed. |
2022-05-05 | Enhancement- Moved customer-specific mappings to default and fixed incorrectly parsed metadata.event_timestamp. |
2022-04-22 | Enhancement- Fixed incorrectly parsed metadata.event_timestamp. |
2022-04-13 | Enhancement- Mapped metadata.event_timestamp correctly for some unparsed logs. |
2022-04-04 | Enhancement- Mapped the Zones, interfaces, policy, user, bytes, Urlcategory, and urlreputation fields. |
2022-03-22 | Enhancement- Mapped the IngressZone, EgressZone, Priority, GID, SID, Revision, and IntrusionPolicy fields. |