Firewall Push Security Events

Secure Access Key	Type	Description
specversion	string	The version of the Push Security Event schema.
type	string	The type of the security event.
source	string	The unique label that describes the source of the security event.
orgid	integer	The unique identifier of the organization.
integrationid	string	The unique identifier of the integration.
id	string	The unique identifier for the push security event.
time	string	The date and time when the system sent the event. The system formats the timestamp in the ISO 8601 format.
datacontenttype	string	The type of the content in the push security event.
data	object	The properties of the data for the push security events.

data

Secure Access Key	Type	Description
events	array	The list of push security event messages.

data.events

Secure Access Key	OCSF Key	Type	Description
activity_id		integer	The unique identifier of the activity that triggered the security event.
category_uid		integer	The unique identifier of the security event category.
cisco_event_id	Event ID	string	The unique identifier of the security event.
cisco_event_type		string	The type of the security event.
cisco_organization_id	Organization ID	number	The unique identifier of the organization.
class_uid		integer	The unique identifier of the class.
cisco_fw_metadata		object	The properties of the metadata for the Cisco firewall.
cisco_origin		object	The properties of the origin.
cisco_other_origins		array	The list of the other origins.
cloud		object	The properties of the cloud deployment.
connection_info		object	The properties of the client connection information.
dst_endpoint		object	The properties of the destination.
metadata		object	The metadata for the security event.
policy		object	The properties of the components and profiles for the access rules in the Access policy.
src_endpoint		object	The properties of the client endpoint.
severity_id		number	The identifier of the severity.
time	Time	string	The date and time when the system recorded the security event. The system formats the timestamp in milliseconds since the Unix Epoch.
type_uid		integer	The identifier of the type for the security event.
url		object	The properties of the URL.

data.events.cisco_fw_metadata

Secure Access Key	OCSF Key	Type	Description
app_id	App ID	number	The identifier of the application.
app_protocol_id	App Protocol ID	number	The identifier of the application protocol.
bytes_received	Bytes Received	number	The number of bytes received by the application.
bytes_sent	Bytes Sent	number	The number of bytes sent by the application.
client_application_id	Client Application ID	string	The identifier of the client application.
client_version	Client Version	string	The version of the client application.
config_mask	Config Mask	number	The hash of the configuration.
direction	Direction	string	The label that describes the direction of the traffic flow.
dns_query	DNS Query	string	The DNS query sent by the client system.
egress_ip	Egress IP	string	The IPv4 or IPv6 address that support the egress of traffic from the client system.
fw_event_id	FW Event ID	string	The unique identifier of the firewall event.
http_response_code	HTTP Response Code	number	The HTTP response code of the firewall event.
is_reserved_ip	Is Reserved IP	boolean	Specifies whether the IP is reserved for the organization.
match_mask	Match Mask	number	The hash of the traffic that matches the signature.
packet_size	Packet Size	number	The size of the packet (network traffic).
packets_received	Packets Received	number	The number of packets received by the firewall.
packets_sent	Packets Sent	number	The number of packet sent by the firewall.
referenced_host	Referenced Host	string	The hostname referenced in the network traffic.
tcp_flag_bits	TCP Flag Bits	number	The flag bits set on the TCP message.
traffic_source	Traffic Source	string	The hostname associated with the traffic source.
user_agent	User Agent	string	The label for the user agent associated wit the network traffic.

data.events.cisco_origin

Secure Access Key	OCSF Key	Type	Description
id	Origin ID	integer	The unique identifier of the endpoint.
type	Origin Type	string	The type of the endpoint, for example: network, ad computer.

data.events.cisco_other_origins

Secure Access Key	OCSF Key	Type	Description
id	Origin ID	integer	The unique identifier of the endpoint.
type	Origin Type	string	The type of the endpoint.

data.events.cloud

Secure Access Key	OCSF Key	Type	Description
region	AWS Region	string	The region where the system deployed the firewall service.

data.events.connection_info

Secure Access Key	OCSF Key	Type	Description
direction_id		number	The numeric identifier of the direction.
protocol_num	IP Protocol	number	The numeric identifier of the protocol.
uid	Connection ID	string	The unique identifier of the connection.

data.events.dst_endpoint

Secure Access Key	OCSF Key	Type	Description
ip	Destination IP	string	The IPv4 or IPv6 addresses associated with the destination.
location	Destination Country	object	The regional information associated with the destination.
name		string	The hostname of the destination.
port	Destination Port	number	The number of the port associated with the destination.

data.events.dst_endpoint.location

Secure Access Key	OCSF Key	Type	Description
country	Destination Country	string	The two-character country code associated with the destination.

data.events.metadata

Secure Access Key	OCSF Key	Type	Description
product		object	The properties of the product.
version		string	The version of the product.

data.events.metadata.product

Secure Access Key	OCSF Key	Type	Description
name		string	The name of the product.

data.events.policy

Secure Access Key	OCSF Key	Type	Description
data	Content Category IDs	object	The properties of the data in the organization's Access policy.
uid	Rule ID	integer	The unique identifier of the access rule in the Access policy that matches the network traffic.
verdict	Verdict	string	The label of the verdict assigned to the destination.

data.events.policy.data

Secure Access Key	OCSF Key	Type	Description
casi_category_ids	CASI Category IDs	array(string)	The identifier of the security category.
content_category_ids	Content Category IDs	array(string)	The identifier of the content category.
content_category_list_ids	Content Category List IDs	array(string)	The identifier of the content category list.
destination_lists	Destination List ID	array(string)	The identifier of the destination list.
fw_block_reason	FW Block Reason	string	The description of why the system blocked the network traffic.
policy_revision	Policy Revision	string	The label associated with the revision of the policy.
posture_id	Posture ID	string	The identifier of the posture.
private_app_id	Private App ID	string	The identifier of the private application.
private_flow	Private Flow	boolean	Specifies whether the traffic flow is to a private destination.

data.events.src_endpoint

Secure Access Key	OCSF Key	Type	Description
ip	Source IP	string	The public IPv4 or IPv6 address of the client endpoint seen by the DNS resolver.
name		string	The hostname of the client endpoint.
port	Source Port	number	The number of the port associated with the client endpoint.

data.events.url

Secure Access Key	OCSF Key	Type	Description
url_string	URL	string	The URL of the destination.