Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (24)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | cisco.ftd.Direction | strings |
| gen.file.name | File name associated with the event. | cisco.ftd.Filename | strings |
| gen.severity | Normalized severity field across log sources. | cisco.ftd.Event.Severity, cisco.ftd.Priority | strings |
| gen.src.ip | Source IP address. | cisco.ftd.Local_Ip, cisco.ftd.SrcIP | text_general |
| gen.src.port | Source port number. | cisco.ftd.Local_Port, cisco.ftd.ICMPType, cisco.ftd.SrcPort | pint |
| gen.dest.ip | Destination IP address. | cisco.ftd.Remote_Ip, cisco.ftd.DstIP | text_general |
| gen.dest.port | Destination port number. | cisco.ftd.Remote_Port, cisco.ftd.DstPort | pint |
| gen.username | Username associated with the event. | cisco.ftd.Username | text_general |
| gen.firewall.rule | Firewall rule that triggered the event. | cisco.ftd.AccessControlRuleName | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | cisco.ftd.ApplicationProtocol, cisco.ftd.Protocol | strings |
| gen.dest.interface | Network interface used for the destination connection. | cisco.ftd.EgressInterface | strings |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | cisco.ftd.HTTPResponse | pint |
| gen.src.interface | Network interface used for the source connection. | cisco.ftd.IngressInterface | strings |
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | cisco.ftd.SSLActualAction, cisco.ftd.AccessControlRuleAction | strings |
| gen.dns.server | DNS server used for the query. | cisco.ftd.DNS_Sinkhole | strings |
| gen.dns.domain | Queried DNS domain name. | cisco.ftd.DNSQuery | strings |
| gen.dns.record | DNS record type (e.g., A, AAAA, MX). | cisco.ftd.DNSRecordType | strings |
| gen.process.process | Name of the process. | cisco.ftd.EncryptedVisibilityProcessName | string |
| gen.proxy.referrer | HTTP referrer header value. | cisco.ftd.HTTPReferer | string |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | cisco.ftd.InitiatorBytes | plong |
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | cisco.ftd.ResponderBytes | plong |
| gen.hostname | Normalized hostname of the system generating the log. | cisco.ftd.SSLServerName | text_general |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | cisco.ftd.URL | string |
| gen.proxy.userAgent | User agent string from the HTTP request. | cisco.ftd.UserAgent | string |
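The mapping above is what makes a single query on a gen.* field work regardless of which cisco.ftd.* field the device actually emitted. The Python below is an added example, not code from Enginsight or from the schema itself: it carries the gen.* to cisco.ftd.* mappings of the Generic Fields table into a lookup, applies them to a constructed event, and coerces each value to the declared schema type so that a malformed value is reported instead of silently indexed. Two things are assumptions rather than statements of the page: when several source fields are listed, single-valued types take the first source present and well-typed while multi-valued `strings` types keep every source present; and `pint`/`plong` are treated as 32-bit and 64-bit signed integers.

```python
"""Normalize cisco.ftd.* reference-specific fields into the shared gen.* fields.

Added example, not code from the schema or its vendor. The mapping table is
copied from the Generic Fields table; the candidate order, the
"first present source wins" rule and the 32-bit/64-bit ranges chosen for the
pint and plong types are assumptions.
"""

# gen field -> (candidate cisco.ftd source fields in priority order, schema type)
GENERIC_MAP = {
    "gen.firewall.direction": (["cisco.ftd.Direction"], "strings"),
    "gen.file.name": (["cisco.ftd.Filename"], "strings"),
    "gen.severity": (["cisco.ftd.Event.Severity", "cisco.ftd.Priority"], "strings"),
    "gen.src.ip": (["cisco.ftd.Local_Ip", "cisco.ftd.SrcIP"], "text_general"),
    "gen.src.port": (["cisco.ftd.Local_Port", "cisco.ftd.ICMPType", "cisco.ftd.SrcPort"], "pint"),
    "gen.dest.ip": (["cisco.ftd.Remote_Ip", "cisco.ftd.DstIP"], "text_general"),
    "gen.dest.port": (["cisco.ftd.Remote_Port", "cisco.ftd.DstPort"], "pint"),
    "gen.username": (["cisco.ftd.Username"], "text_general"),
    "gen.firewall.rule": (["cisco.ftd.AccessControlRuleName"], "strings"),
    "gen.protocol": (["cisco.ftd.ApplicationProtocol", "cisco.ftd.Protocol"], "strings"),
    "gen.firewall.action": (["cisco.ftd.SSLActualAction", "cisco.ftd.AccessControlRuleAction"], "strings"),
    "gen.dns.domain": (["cisco.ftd.DNSQuery"], "strings"),
    "gen.proxy.httpStatus": (["cisco.ftd.HTTPResponse"], "pint"),
    "gen.firewall.bytesSent": (["cisco.ftd.InitiatorBytes"], "plong"),
    "gen.firewall.bytesReceived": (["cisco.ftd.ResponderBytes"], "plong"),
}

# Assumed integer ranges for the Solr-style point types.
INT_RANGES = {"pint": (-2**31, 2**31 - 1), "plong": (-2**63, 2**63 - 1)}


def coerce(value, schema_type):
    """Convert a raw log value to the schema type; raise ValueError if it cannot."""
    if schema_type in INT_RANGES:
        if isinstance(value, bool):
            raise ValueError("boolean is not an integer")
        number = int(str(value).strip())  # "443" -> 443; "not-a-number" raises
        low, high = INT_RANGES[schema_type]
        if not low <= number <= high:
            raise ValueError(f"{number} out of range for {schema_type}")
        return number
    if schema_type == "strings":  # multi-valued string field
        return [str(value)]
    return str(value)  # string / text_general


def normalize(event):
    """Return (gen_fields, errors) for one parsed cisco.ftd event dict.

    Single-valued gen fields take the first candidate that is present and
    well-typed; multi-valued 'strings' fields collect every candidate present.
    Values that fail coercion are skipped and reported, never indexed as-is.
    """
    gen, errors = {}, []
    for gen_field, (candidates, schema_type) in GENERIC_MAP.items():
        for source in candidates:
            raw = event.get(source)
            if raw is None or raw == "":
                continue
            try:
                value = coerce(raw, schema_type)
            except ValueError as exc:
                errors.append(f"{gen_field} <- {source}={raw!r}: {exc}")
                continue
            if schema_type == "strings":
                gen.setdefault(gen_field, []).extend(value)
            else:
                gen[gen_field] = value
                break
    return gen, errors


# Constructed sample event (not a real FTD log); HTTPResponse is deliberately malformed.
SAMPLE_EVENT = {
    "cisco.ftd.SrcIP": "10.0.0.5",
    "cisco.ftd.SrcPort": "51234",
    "cisco.ftd.DstIP": "192.0.2.10",
    "cisco.ftd.DstPort": "443",
    "cisco.ftd.Protocol": "tcp",
    "cisco.ftd.ApplicationProtocol": "HTTPS",
    "cisco.ftd.AccessControlRuleName": "Allow-Web",
    "cisco.ftd.AccessControlRuleAction": "Allow",
    "cisco.ftd.InitiatorBytes": "1532",
    "cisco.ftd.ResponderBytes": "98231",
    "cisco.ftd.HTTPResponse": "not-a-number",
    "cisco.ftd.Priority": "high",
}

if __name__ == "__main__":
    fields, problems = normalize(SAMPLE_EVENT)
    for name in sorted(fields):
        print(f"{name:30} {fields[name]!r}")
    for problem in problems:
        print("skipped:", problem)
```

Running the module prints the gen.* view of the sample event; gen.protocol comes out as `['HTTPS', 'tcp']` because both of its sources were present, while gen.proxy.httpStatus is absent and listed under the skipped values. Keeping the error list separate (instead of dropping the field quietly) is what lets a parsing state such as cisco.ftd.Event.ParsingState be set truthfully for the record.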
Reference-Specific Fields (147)
| Field | Description | Type |
|---|---|---|
| cisco.ftd.BytesTotal | Total number of bytes observed for the event or flow. | plong |
| cisco.ftd.Action | Final action taken for the event or connection. | string |
| cisco.ftd.ACL_ID | Identifier of the access control list that matched the traffic. | string |
| cisco.ftd.App | Application identified for the traffic. | string |
| cisco.ftd.Command | Command that was executed. | text_general |
| cisco.ftd.ConnectionType | Type of connection or session as classified by the device. | string |
| cisco.ftd.CryptoMapTag | Crypto map tag used for IPsec/VPN processing. | string |
| cisco.ftd.DesinationNetworkObjects | Count of destination network objects referenced. | plong |
| cisco.ftd.Direction | Flow direction relative to the firewall policy evaluation. | string |
| cisco.ftd.FailoverType | Type of failover device associated with the event (Primary or Secondary). | string |
| cisco.ftd.Filename | Filename referenced by the event. | string |
| cisco.ftd.FurtherInfo | Free-form additional information supplied by the device. | text_general |
| cisco.ftd.Gateway | Gateway value associated with the event or route. | string |
| cisco.ftd.ICMPSeqNum | ICMP sequence number. | plong |
| cisco.ftd.Id | | plong |
| cisco.ftd.InterfaceName | Interface name associated with the event. | string |
| cisco.ftd.MessageNumber | | string |
| cisco.ftd.Offset | | plong |
| cisco.ftd.Options | | string |
| cisco.ftd.Phase | IKE phase. | pint |
| cisco.ftd.Policy | Name of the affected policy. | string |
| cisco.ftd.PolicyType | Type or category of the affected policy. | string |
| cisco.ftd.Reason | Reason or explanation provided for the action or state. | text_general |
| cisco.ftd.SeqNumber | | plong |
| cisco.ftd.SessionType | Session classification as determined by the device. | string |
| cisco.ftd.SIPRequest | SIP method for signaling traffic (e.g., INVITE, BYE). | string |
| cisco.ftd.Size | | plong |
| cisco.ftd.SourceNetworkObjects | Count of source network objects referenced. | plong |
| cisco.ftd.SPI | Security Parameter Index for IPsec-related traffic. | string |
| cisco.ftd.Subnet | IP subnet associated with the event, in bitmask notation. | string |
| cisco.ftd.TotalSearchEntries | Total number of entries matched by a search operation. | plong |
| cisco.ftd.TranslationType | NAT translation type applied to the flow. | string |
| cisco.ftd.TunnelType | Type of tunnel used. | string |
| cisco.ftd.Event.Class | Event class determined by the message ID. | string |
| cisco.ftd.Event.Id | Identifier of the event. | plong |
| cisco.ftd.Event.Msg | Event message (either raw for unparsed events, or with the extracted values removed). | text_general |
| cisco.ftd.Event.ParsingState | Enginsight parsing state when processing the log. | string |
| cisco.ftd.Event.Severity | Severity level of the event. | string |
| cisco.ftd.Local_Ip | Local endpoint IP address (typically the client). | string |
| cisco.ftd.Local_Proxy | Local proxy IP address. | string |
| cisco.ftd.Local_Port | Local endpoint port (typically the client source port). | pint |
| cisco.ftd.Remote_Ip | Remote endpoint IP address. | string |
| cisco.ftd.Remote_Proxy | Remote proxy IP address. | string |
| cisco.ftd.Remote_Port | Remote endpoint port (typically the server destination port). | pint |
| cisco.ftd.ClientAppDetector | Client application detector used or matched. | string |
| cisco.ftd.ConnectionID | Unique identifier for the connection. | plong |
| cisco.ftd.EncryptPeerIP | IP address of the encryption peer for VPN/IPsec. | string |
| cisco.ftd.Group | Group or category associated with the event. | string |
| cisco.ftd.InstanceID | Instance identifier for correlation within the platform. | plong |
| cisco.ftd.IP | Generic IP address field (role unknown). | string |
| cisco.ftd.NumConnections | Number of connections counted for the context. | plong |
| cisco.ftd.Prefilter_Policy | Prefilter policy name evaluated before main access control. | string |
| cisco.ftd.ResultantKeySet | Number of entries in the final key set. | plong |
| cisco.ftd.SSLCipherSuite | Cipher suite negotiated for the SSL/TLS session. | string |
| cisco.ftd.Username | Authenticated or identified username associated with the event. | string |
| cisco.ftd.VPN_Action | Action taken by the VPN subsystem for the flow. | string |
| cisco.ftd.AccessControlRuleName | Access control rule or default action that handled the connection. | string |
| cisco.ftd.ACPolicy | Name of the access control policy associated with the event. | string |
| cisco.ftd.ApplicationProtocol | Detected application protocol for the traffic. | string |
| cisco.ftd.Classification | Intrusion rule classification that the triggering rule belongs to. | string |
| cisco.ftd.Client | Detected client application used in the connection. | string |
| cisco.ftd.DeviceUUID | Unique identifier of the device that generated the event. | string |
| cisco.ftd.DstIP | Destination IP address of the session responder. | string |
| cisco.ftd.DstPort | Destination transport port; for ICMP this field carries the ICMP code. | pint |
| cisco.ftd.EgressInterface | Egress interface associated with the connection. | string |
| cisco.ftd.EgressZone | Egress security zone for the connection. | string |
| cisco.ftd.FirstPacketSecond | Timestamp when the first packet in the session was seen. | pdate |
| cisco.ftd.GID | Generator ID of the component that produced the event. | pint |
| cisco.ftd.HTTPResponse | HTTP status code observed in the connection. | pint |
| cisco.ftd.ICMPCode | ICMP code used by the responder. | pint |
| cisco.ftd.ICMPType | ICMP type used by the initiator. | pint |
| cisco.ftd.IngressInterface | Ingress interface associated with the connection. | string |
| cisco.ftd.IngressZone | Ingress security or tunnel zone for the connection. | string |
| cisco.ftd.InlineResult | Inline disposition for the packet (dropped or would-have-dropped). | string |
| cisco.ftd.IntrusionPolicy | Name of the intrusion policy that generated the event. | string |
| cisco.ftd.MPLS_Label | MPLS label associated with the packet. | pint |
| cisco.ftd.Message | Explanatory text for the event; may include GID:SID:revision metadata. | text_general |
| cisco.ftd.NAPPolicy | Network Analysis Policy associated with the event. | string |
| cisco.ftd.NumIOC | Number of IOCs. | pint |
| cisco.ftd.Priority | Event priority (high, medium, low) assigned by Talos/engine. | string |
| cisco.ftd.Protocol | Transport protocol used in the connection (name or number). | string |
| cisco.ftd.Revision | Signature revision version associated with the event. | pint |
| cisco.ftd.SID | Signature ID (Snort ID) of the rule that generated the event. | pint |
| cisco.ftd.SSLActualAction | Actual SSL policy action applied to encrypted traffic. | string |
| cisco.ftd.SrcIP | Source IP address of the session initiator. | string |
| cisco.ftd.SrcPort | Source transport port; for ICMP this field carries the ICMP type. | pint |
| cisco.ftd.VLAN_ID | Innermost VLAN identifier for the packet/connection. | pint |
| cisco.ftd.WebApplication | Detected web application for HTTP traffic. | string |
| cisco.ftd.AccessControlRuleAction | Access control action associated with the connection (allow, block, trust, fastpath, etc.). | string |
| cisco.ftd.AccessControlRuleReason | Reason the connection was logged. | text_general |
| cisco.ftd.ClientVersion | Version string of the detected client application. | string |
| cisco.ftd.ConnectionDuration | Duration in seconds between first and last packet (end-of-connection events only). | pint |
| cisco.ftd.DetectionType | Source of client detection. | string |
| cisco.ftd.DestinationSecurityGroup | Text name of the destination Security Group (if available). | string |
| cisco.ftd.DestinationSecurityGroupTag | Numeric Security Group Tag (SGT) for the destination. | pint |
| cisco.ftd.DestinationSecurityGroupType | Source from which the destination SGT was obtained (Inline, Session Directory, SXP). | string |
| cisco.ftd.DNS_Sinkhole | Name of the sinkhole server used for redirection. | string |
| cisco.ftd.DNS_TTL | Time-to-live in seconds for the DNS resource record. | pint |
| cisco.ftd.DNSQuery | DNS query domain submitted in the connection; may reflect the URL filtering domain. | string |
| cisco.ftd.DNSRecordType | Type of DNS resource record used to resolve the query. | string |
| cisco.ftd.DNSResponseType | DNS response returned by the name server. | string |
| cisco.ftd.DNSSICategory | Security Intelligence category associated with the blocked URL/domain/IP. | string |
| cisco.ftd.EgressVRF | VRF (Virtual Routing and Forwarding) name through which traffic exited. | string |
| cisco.ftd.EncryptedVisibilityFingerprint | TLS fingerprint detected by the Encrypted Visibility Engine (EVE). | string |
| cisco.ftd.EncryptedVisibilityProcessName | Process/client indicated by EVE from the TLS ClientHello. | string |
| cisco.ftd.EncryptedVisibilityConfidenceScore | EVE confidence (0-100) that the detected process name is correct. | pint |
| cisco.ftd.EncryptedVisibilityThreatConfidence | Threat confidence band reported by EVE (Very High to Very Low). | string |
| cisco.ftd.EncryptedVisibilityThreatConfidenceScore | Threat confidence score (0-100) reported by EVE. | pint |
| cisco.ftd.EventPriority | High/Low indicator of whether the connection is high priority. | string |
| cisco.ftd.FileCount | Number of files detected or blocked in the connection. | pint |
| cisco.ftd.HTTPReferer | HTTP referrer indicating the referring URL/application. | string |
| cisco.ftd.IngressVRF | VRF (Virtual Routing and Forwarding) name through which traffic entered. | string |
| cisco.ftd.InitiatorBytes | Total bytes transmitted by the session initiator. | plong |
| cisco.ftd.InitiatorPackets | Total packets transmitted by the session initiator. | plong |
| cisco.ftd.IPReputationSICategory | Security Intelligence category related to IP reputation. | string |
| cisco.ftd.IPSCount | Number of intrusion events associated with the connection. | pint |
| cisco.ftd.NAT_InitiatorIP | NAT-translated IP address of the session initiator. | string |
| cisco.ftd.NAT_ResponderIP | NAT-translated IP address of the session responder. | string |
| cisco.ftd.NAT_InitiatorPort | NAT-translated port of the session initiator. | pint |
| cisco.ftd.NAT_ResponderPort | NAT-translated port of the session responder. | pint |
| cisco.ftd.NetBIOSDomain | NetBIOS domain used in the session. | string |
| cisco.ftd.Prefilter Policy | Prefilter policy that handled the connection. | string |
| cisco.ftd.ReferencedHost | Hostname referenced by HTTP/HTTPS traffic. | string |
| cisco.ftd.ResponderBytes | Total bytes transmitted by the session responder. | plong |
| cisco.ftd.ResponderPackets | Total packets received by the session responder. | plong |
| cisco.ftd.SecIntMatchingIP | Which IP matched Security Intelligence (None, Destination, Source). | string |
| cisco.ftd.SourceSecurityGroup | Text name of the source Security Group (if available). | string |
| cisco.ftd.SourceSecurityGroupTag | Numeric Security Group Tag (SGT) for the source. | pint |
| cisco.ftd.SourceSecurityGroupType | Source from which the source SGT was obtained (Inline, Session Directory, SXP). | string |
| cisco.ftd.SSLCertificate | Parsed server certificate details. | string |
| cisco.ftd.SSLExpectedAction | Expected SSL policy action based on the rules. | string |
| cisco.ftd.SSLFlowStatus | Reason for SSL decryption success/failure for the flow. | string |
| cisco.ftd.SSLPolicy | Name of the SSL policy that handled the connection. | string |
| cisco.ftd.SSLRuleName | SSL rule or default action (and first Monitor rule) that handled the connection. | string |
| cisco.ftd.SSLServerCertStatus | Server certificate status values observed (e.g., Valid, Expired, Self Signed). | strings |
| cisco.ftd.SSLServerName | Server hostname from the encrypted connection. | string |
| cisco.ftd.SSLSessionID | Hexadecimal TLS/SSL session ID negotiated during the handshake. | string |
| cisco.ftd.SSLTicketID | Hexadecimal TLS/SSL session ticket identifier. | string |
| cisco.ftd.SSLURLCategory | URL categories associated with encrypted traffic (CN-derived for TLS applications). | string |
| cisco.ftd.SSLVersion | TLS/SSL protocol version used by the connection. | string |
| cisco.ftd.SSSLCipherSuite | Cipher suite macro used to encrypt the TLS connection. | string |
| cisco.ftd.TCPFlags | TCP flags observed in the connection (NetFlow-derived). | string |
| cisco.ftd.URL | Requested URL for the session; may be blank when DNS filtering supplies the domain. | string |
| cisco.ftd.URLCategory | Category of the requested URL or associated domain. | string |
| cisco.ftd.URLReputation | Reputation of the requested URL or associated domain. | string |
| cisco.ftd.URLSICategory | Security Intelligence category related to the URL/domain/IP. | string |
| cisco.ftd.UserAgent | User-Agent string extracted from HTTP traffic. | string |
Sample Log Event
Below is a representative JSON log entry showing the key fields as they are emitted by the system. Depending on the context of the event, fields that do not apply to it are omitted.