IPS Push Security Events - Cloud Security API - Cisco DevNet

IPS Push Security Events

Secure Access Key	Type	Description
specversion	string	The version of the Push Security Event schema.
type	string	The type of the security event.
source	string	The unique label that describes the source of the security event.
orgid	integer	The unique identifier of the organization.
integrationid	string	The unique identifier of the integration.
id	string	The unique identifier for the push security event.
time	string	The date and time when the system sent the event. The system formats the timestamp in the ISO 8601 format.
datacontenttype	string	The type of the content in the push security event.
data	object	The properties of the data for the push security events.

data

Secure Access Key	Type	Description
events	array	The list of push security event messages.

data.events

Secure Access Key	OCSF Key	Type	Description
activity_id		integer	The unique identifier of the activity that triggered the security event.
category_uid		integer	The unique identifier of the security event category.
cisco_event_id	Event ID	string	The unique identifier of the security event.
cisco_event_type		string	The type of the security event.
cisco_organization_id	Organization ID	number	The unique identifier of the organization.
cisco_ips_metadata		object	The properties of the Cisco IPS metadata.
cisco_origin		object	The properties of the origin.
class_uid		integer	The unique identifier of the class.
cloud		object	The properties of the cloud deployment.
connection_info		object	The properties of the client connection information.
dst_endpoint		object	The properties of the destination.
firewall_rule		object	The properties of the access rule for the firewall.
metadata		object	The metadata for the security event.
policy		object	The properties of the components and profiles for the access rules in the Access policy.
severity_id		number	The unique identifier of the severity.
src_endpoint		object	The properties of the client endpoint.
time	Time	string	The date and time when the system recorded the security event. The system formats the timestamp in milliseconds since the Unix Epoch.
type_uid		integer	The identifier of the type for the security event.
url		object	The properties of the URL.

data.events.cisco_ips_metadata

Secure Access Key	OCSF Key	Type	Description
action	Action	string	The label that describes the action taken by the system for the network traffic.
attack_classification	Attack Classification	string	The type of attack associated with the network traffic.
correlation_uid		string	The unique identifier of the correlation.
direction	Direction	string	The direction of the traffic flow.
egress_ip	Egress IP	string	The IPv4 or IPv6 address associated with the egress of the traffic from the client system.
enforcement_point	Enforcement Point	string	The description of the point of enforcement.
ftd_enforcement_id	FTD Enforcement ID	number	The identifier of the Cisco Firepower Threat Defense (FTD) device.
ftd_enforcement_name	FTD Enforcement Name	string	The name of the Cisco Firepower Threat Defense (FTD) device.
fw_event_id	FW Event ID	string	The identifier of the firewall event.
is_reserved_ip	Is Reserved IP	boolean	Specifies whether the IP is reserved for the organization.
operation_mode	Operation Mode	string	The description of the operation mode.
snort_generator_id	Snort Generator ID	number	The identifier of the snort generator associated with the event.
snort_signature_id	Snort Signature ID	number	The identifier of the snort signature associated with the event.

data.events.cisco_origin

Secure Access Key	OCSF Key	Type	Description
id	Origin ID	integer	The unique identifier of the endpoint.
type	Origin Type	string	The type of the endpoint, for example: network, ad computer.

data.events.cloud

Secure Access Key	OCSF Key	Type	Description
region	AWS Region	string	The region where the system deployed the cloud firewall service.

data.events.connection_info

Secure Access Key	OCSF Key	Type	Description
direction_id		number	The numeric identifier of the direction.
protocol_num	IP Protocol	number	The numeric identifier of the protocol.

data.events.dst_endpoint

Secure Access Key	OCSF Key	Type	Description
ip		string	The IPv4 or IPv6 addresses associated with the destination.
name		string	The hostname of the destination.

data.events.firewall_rule

Secure Access Key	OCSF Key	Type	Description
uid	Firewall Rule ID	string	The unique identifier of the access rule.

data.events.metadata

Secure Access Key	OCSF Key	Type	Description
product		object	The properties of the product.
version		string	The version of the product.

data.events.metadata.product

Secure Access Key	OCSF Key	Type	Description
name		string	The name of the product.

data.events.policy

Secure Access Key	OCSF Key	Type	Description
data		object	The properties of the data in the organization's Access policy.

data.events.policy.data

Secure Access Key	OCSF Key	Type	Description
ips_config_type	IPS Config Type	string	The type of the IPS configuration.
ips_resource_id	Policy Resource ID	number	The identifier of the IPS profile.
priority	Priority	string	The priority that the system assigned to the IPS profile.

data.events.src_endpoint

Secure Access Key	OCSF Key	Type	Description
ip	Source IP	string	The public IPv4 or IPv6 address of the client endpoint.
name		string	The hostname of the client endpoint.
port	Source Port	number	The number of the port associated with the client endpoint.

data.events.url

Secure Access Key	OCSF Key	Type	Description
url_string	URL	string	The URL of the destination.