File: //usr/share/filebeat/module/cisco/shared/security-mappings.csv
intrusion,430001,ACPolicy,
intrusion,430001,ApplicationProtocol,network.protocol
intrusion,430001,Classification,
intrusion,430001,Client,
intrusion,430001,DstIP,destination.address
intrusion,430001,DstPort,destination.port
intrusion,430001,EgressInterface,cisco.ftd.destination_interface
intrusion,430001,EgressZone,
intrusion,430001,GID,service.id
intrusion,430001,HTTPResponse,http.response.status_code
intrusion,430001,ICMPCode,
intrusion,430001,ICMPType,
intrusion,430001,IngressInterface,cisco.ftd.source_interface
intrusion,430001,IngressZone,
intrusion,430001,InlineResult,event.outcome
intrusion,430001,IntrusionPolicy,cisco.ftd.rule_name
intrusion,430001,MPLS_Label,
intrusion,430001,Message,message
intrusion,430001,NAPPolicy,
intrusion,430001,NumIOC,
intrusion,430001,Priority,
intrusion,430001,Protocol,network.transport
intrusion,430001,Revision,
intrusion,430001,SID,
intrusion,430001,SSLActualAction,
intrusion,430001,SrcIP,source.address
intrusion,430001,SrcPort,source.port
intrusion,430001,User,user.id,user.name
intrusion,430001,VLAN_ID,
intrusion,430001,WebApplication,network.application
flow_start,430002,AccessControlRuleAction,event.outcome
flow_start,430002,AccessControlRuleName,cisco.ftd.rule_name
flow_start,430002,AccessControlRuleReason,
flow_start,430002,ACPolicy,cisco.ftd.rule_name
flow_start,430002,ApplicationProtocol,network.protocol
flow_start,430002,Client,
flow_start,430002,ClientVersion,
flow_start,430002,DNS_Sinkhole,
flow_start,430002,DNS_TTL,
flow_start,430002,DNSQuery,dns.question.name
flow_start,430002,DNSRecordType,dns.question.type
flow_start,430002,DNSResponseType,dns.response_code
flow_start,430002,DNSSICategory,
flow_start,430002,DstIP,destination.address
flow_start,430002,DstPort,destination.port
flow_start,430002,EgressInterface,cisco.ftd.destination_interface
flow_start,430002,EgressZone,
flow_start,430002,Endpoint Profile,
flow_start,430002,FileCount,
flow_start,430002,HTTPReferer,http.request.referrer
flow_start,430002,HTTPResponse,http.response.status_code
flow_start,430002,ICMPCode,
flow_start,430002,ICMPType,
flow_start,430002,IngressInterface,cisco.ftd.source_interface
flow_start,430002,IngressZone,
flow_start,430002,IPReputationSICategory,
flow_start,430002,IPSCount,
flow_start,430002,NAPPolicy,
flow_start,430002,NetBIOSDomain,host.hostname
flow_start,430002,originalClientSrcIP,client.address
flow_start,430002,Prefilter Policy,
flow_start,430002,Protocol,network.transport
flow_start,430002,ReferencedHost,url.domain
flow_start,430002,SecIntMatchingIP,
flow_start,430002,Security Group,
flow_start,430002,SrcIP,source.address
flow_start,430002,SrcPort,source.port
flow_start,430002,SSLActualAction,event.outcome
flow_start,430002,SSLCertificate,
flow_start,430002,SSLExpectedAction,
flow_start,430002,SSLFlowStatus,
flow_start,430002,SSLPolicy,
flow_start,430002,SSLRuleName,
flow_start,430002,SSLServerCertStatus,
flow_start,430002,SSLServerName,server.domain
flow_start,430002,SSLSessionID,
flow_start,430002,SSLTicketID,
flow_start,430002,SSLURLCategory,
flow_start,430002,SSLVersion,
flow_start,430002,SSSLCipherSuite,
flow_start,430002,TCPFlags,
flow_start,430002,Tunnel or Prefilter Rule,
flow_start,430002,URL,url.original
flow_start,430002,URLCategory,
flow_start,430002,URLReputation,
flow_start,430002,URLSICategory,
flow_start,430002,User,user.name
flow_start,430002,UserAgent,user_agent.original
flow_start,430002,VLAN_ID,
flow_start,430002,WebApplication,network.application
flow_end,430003,AccessControlRuleAction,event.outcome
flow_end,430003,AccessControlRuleName,cisco.ftd.rule_name
flow_end,430003,AccessControlRuleReason,
flow_end,430003,ACPolicy,cisco.ftd.rule_name
flow_end,430003,ApplicationProtocol,network.protocol
flow_end,430003,Client,
flow_end,430003,ClientVersion,
flow_end,430003,ConnectionDuration,event.duration
flow_end,430003,DNS_Sinkhole,
flow_end,430003,DNS_TTL,
flow_end,430003,DNSQuery,dns.question.name
flow_end,430003,DNSRecordType,dns.question.type
flow_end,430003,DNSResponseType,dns.response_code
flow_end,430003,DNSSICategory,
flow_end,430003,DstIP,destination.address
flow_end,430003,DstPort,destination.port
flow_end,430003,EgressInterface,cisco.ftd.destination_interface
flow_end,430003,EgressZone,
flow_end,430003,Endpoint Profile,
flow_end,430003,FileCount,
flow_end,430003,HTTPReferer,http.request.referrer
flow_end,430003,HTTPResponse,http.response.status_code
flow_end,430003,ICMPCode,
flow_end,430003,ICMPType,
flow_end,430003,IngressInterface,cisco.ftd.source_interface
flow_end,430003,IngressZone,
flow_end,430003,InitiatorBytes,source.bytes
flow_end,430003,InitiatorPackets,source.packets
flow_end,430003,IPReputationSICategory,
flow_end,430003,IPSCount,
flow_end,430003,NAPPolicy,
flow_end,430003,NetBIOSDomain,host.hostname
flow_end,430003,originalClientSrcIP,client.address
flow_end,430003,Prefilter Policy,
flow_end,430003,Protocol,network.transport
flow_end,430003,ReferencedHost,url.domain
flow_end,430003,ResponderBytes,destination.bytes
flow_end,430003,ResponderPackets,destination.packets
flow_end,430003,SecIntMatchingIP,
flow_end,430003,Security Group,
flow_end,430003,SrcIP,source.address
flow_end,430003,SrcPort,source.port
flow_end,430003,SSLActualAction,event.outcome
flow_end,430003,SSLCertificate,
flow_end,430003,SSLExpectedAction,
flow_end,430003,SSLFlowStatus,
flow_end,430003,SSLPolicy,
flow_end,430003,SSLRuleName,
flow_end,430003,SSLServerCertStatus,
flow_end,430003,SSLServerName,server.domain
flow_end,430003,SSLSessionID,
flow_end,430003,SSLTicketID,
flow_end,430003,SSLURLCategory,
flow_end,430003,SSLVersion,
flow_end,430003,SSSLCipherSuite,
flow_end,430003,TCPFlags,
flow_end,430003,Tunnel or Prefilter Rule,
flow_end,430003,URL,url.original
flow_end,430003,URLCategory,
flow_end,430003,URLReputation,
flow_end,430003,URLSICategory,
flow_end,430003,User,user.name
flow_end,430003,UserAgent,user_agent.original
flow_end,430003,VLAN_ID,
flow_end,430003,WebApplication,network.application
file,430004,ApplicationProtocol,network.protocol
file,430004,ArchiveDepth,
file,430004,ArchiveFileName,file.name
file,430004,ArchiveFileStatus,
file,430004,ArchiveSHA256,file.hash.sha256
file,430004,Client,network.application
file,430004,DstIP,destination.address
file,430004,DstPort,destination.port
file,430004,FileAction,
file,430004,FileDirection,
file,430004,FileName,file.name
file,430004,FilePolicy,cisco.ftd.rule_name
file,430004,FileSandboxStatus,
file,430004,FileSHA256,file.hash.sha256
file,430004,FileSize,file.size
file,430004,FileStorageStatus,
file,430004,FileType,
file,430004,FirstPacketSecond,event.start
file,430004,Protocol,network.transport
file,430004,SHA_Disposition,
file,430004,SperoDisposition,
file,430004,SrcIP,source.address
file,430004,SrcPort,source.port
file,430004,SSLActualAction,
file,430004,SSLCertificate,
file,430004,SSLFlowStatus,
file,430004,URI,url.original
file,430004,User,user.name
file,430004,WebApplication,network.application
malware,430005,ApplicationProtocol,network.protocol
malware,430005,ArchiveDepth,
malware,430005,ArchiveFileName,file.name
malware,430005,ArchiveFileStatus,
malware,430005,ArchiveSHA256,file.hash.sha256
malware,430005,Client,network.application
malware,430005,DstIP,destination.address
malware,430005,DstPort,destination.port
malware,430005,FileAction,
malware,430005,FileDirection,
malware,430005,FileName,file.name
malware,430005,FilePolicy,cisco.ftd.rule_name
malware,430005,FileSandboxStatus,
malware,430005,FileSHA256,file.hash.sha256
malware,430005,FileSize,file.size
malware,430005,FileStorageStatus,
malware,430005,FileType,
malware,430005,FirstPacketSecond,event.start
malware,430005,Protocol,network.transport
malware,430005,SHA_Disposition,
malware,430005,SperoDisposition,
malware,430005,SrcIP,source.address
malware,430005,SrcPort,source.port
malware,430005,SSLActualAction,
malware,430005,SSLCertificate,
malware,430005,SSLFlowStatus,
malware,430005,ThreatName,cisco.ftd.threat_category
malware,430005,ThreatScore,cisco.ftd.threat_level
malware,430005,URI,url.original
malware,430005,User,user.name
malware,430005,WebApplication,network.application