cisco-firepower.json

{
  "extractors": [
    {
      "title": "Firepower SFIMS Messages",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "%{HOSTNAME:fp_hostname} SFIMS: Protocol: %{DATA:fp_proto}, SrcIP: %{IPV4:fp_source_ip}, OriginalClientIP: %{GREEDYDATA:fp_orig_ip}, DstIP: %{IPV4:fp_dest_ip}, ?(SrcPort: %{INT:fp_source_port},)? ?(DstPort: %{INT:fp_dest_port},)? ?(ICMPType: %{DATA:fp_icmp_type},)? ?(ICMPCode: %{DATA:fp_icmp_code},)? TCPFlags: %{DATA:fp_tcp_flags}, IngressInterface: %{DATA:fp_ingreess_int}, EgressInterface: %{DATA:fp_egress_int}, IngressZone: %{DATA:fp_ingress_zone}, EgressZone: %{DATA:fp_egress_zone}, DE: %{GREEDYDATA:fp_detection_engine}, Policy: %{DATA:fp_policy}, ConnectType: %{DATA:fp_connect_type}, AccessControlRuleName: %{DATA:fp_access_rule_name}, AccessControlRuleAction: %{DATA:fp_access_rule_action}, Prefilter Policy: %{DATA:fp_prefilter_policy},?(UserName: %{DATA:fp_username},)? ?(Client: %{DATA:fp_client},)? ?(ApplicationProtocol: %{DATA:fp_app_proto},)? InitiatorPackets: %{DATA:fp_init_pkts}, ResponderPackets: %{DATA:fp_resp_pkts}, InitiatorBytes: %{DATA:fp_init_bytes}, ResponderBytes: %{DATA:fp_resp_bytes}, NAPPolicy: %{DATA:fp_nap_policy}, DNSResponseType: %{DATA:fp_dns_response}, Sinkhole:%{DATA:fp_sinkhole}, URLCategory: %{DATA:fp_url_category}, URLReputation: %{GREEDYDATA:fp_url_reputation}",
        "named_captures_only": true
      },
      "condition_type": "string",
      "condition_value": "SFIMS: Protocol:"
    }
  ],
  "version": "2.4.5"
}