{"name":"FirePower-SFR-Graylog","description":"Graylog content pack for the Cisco Firepower (SFR) module with an OTX score lookup. It ships a global Syslog UDP input on port 5514 bound to 0.0.0.0, regex extractors for the Firepower connection-event fields, and two LOOKUP_TABLE extractors (OTX_src, OTX_dst) that reference a lookup table named otx-api-ip. NOTE: the lookup table, cache and data adapter are NOT part of this pack (lookup_tables, lookup_caches and lookup_data_adapters are empty), so otx-api-ip must be created separately with its own OTX API key; keep that key out of the pack. Plain UDP syslog is unauthenticated and spoofable, and the input honours sender-supplied timestamps (allow_override_date), so restrict UDP/5514 to the Firepower management address at the host or network firewall. The dashboard widgets filter on input id 5b2ccff345caeb7ce08ec2fa; verify it matches the imported input or the widgets stay empty.","category":"firepower cisco SFR","inputs":[{"id":"5b2ccff345caeb7ce08ec2fa","title":"FIREPOWER[SFR]","configuration":{"expand_structured_data":false,"recv_buffer_size":262144,"port":5514,"override_source":null,"force_rdns":false,"allow_override_date":true,"bind_address":"0.0.0.0","store_full_message":false},"static_fields":{},"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput","global":true,"extractors":[{"title":"src_ip","type":"REGEX","cursor_strategy":"COPY","target_field":"src_ip","source_field":"message","configuration":{"regex_value":"((?<=SrcIP:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"dst_ip","type":"REGEX","cursor_strategy":"COPY","target_field":"dst_ip","source_field":"message","configuration":{"regex_value":"((?<=DstIP:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"src_port","type":"REGEX","cursor_strategy":"COPY","target_field":"src_port","source_field":"message","configuration":{"regex_value":"((?<=SrcPort:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"dst_port","type":"REGEX","cursor_strategy":"COPY","target_field":"dst_port","source_field":"message","configuration":{"regex_value":"((?<=DstPort:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"rule_name","type":"REGEX","cursor_strategy":"COPY","target_field":"rule_name","source_field":"message","configuration":{"regex_value":"((?<=AccessControlRuleName:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"rule_action","type":"REGEX","cursor_strategy":"COPY","target_field":"rule_action","source_field":"message","configuration":{"regex_value":"((?<=AccessControlRuleAction:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":""
,"order":0},{"title":"ingress_zone","type":"REGEX","cursor_strategy":"COPY","target_field":"ingress_zone","source_field":"message","configuration":{"regex_value":"((?<=IngressZone:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"egress_zone","type":"REGEX","cursor_strategy":"COPY","target_field":"egress_zone","source_field":"message","configuration":{"regex_value":"((?<=EgressZone:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"NAP_policyname","type":"REGEX","cursor_strategy":"COPY","target_field":"NAP_policyname","source_field":"message","configuration":{"regex_value":"((?<=NAPPolicy:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"app_protocol","type":"REGEX","cursor_strategy":"COPY","target_field":"app_protocol","source_field":"message","configuration":{"regex_value":"((?<=ApplicationProtocol:\\s).+?(?=,))"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"OTX_dst","type":"LOOKUP_TABLE","cursor_strategy":"COPY","target_field":"OTX_dst","source_field":"dst_ip","configuration":{"lookup_table_name":"otx-api-ip"},"converters":[],"condition_type":"NONE","condition_value":"","order":0},{"title":"OTX_src","type":"LOOKUP_TABLE","cursor_strategy":"COPY","target_field":"OTX_src","source_field":"src_ip","configuration":{"lookup_table_name":"otx-api-ip"},"converters":[],"condition_type":"NONE","condition_value":"","order":0}]}],"streams":[],"outputs":[],"dashboards":[{"title":"FirePower[SFR] - ZONE/RULE statistics","description":"Zone and Rule statistics [ 7 days ]","dashboard_widgets":[{"description":"rule_name | rule_action","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":604800},"field":"rule_name","query":"gl2_source_input:5b2ccff345caeb7ce08ec2fa AND 
_exists_:rule_name","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"rule_action","data_table_limit":15},"col":1,"row":1,"height":3,"width":2},{"description":"dst_ip | OTX_dst","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":604800},"field":"dst_ip","query":"gl2_source_input:5b2ccff345caeb7ce08ec2fa AND _exists_:rule_name AND _exists_:dst_ip","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"OTX_dst","data_table_limit":50},"col":3,"row":1,"height":3,"width":1},{"description":"src_ip | OTX_src","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":604800},"field":"src_ip","query":"gl2_source_input:5b2ccff345caeb7ce08ec2fa AND _exists_:rule_name AND _exists_:src_ip","show_data_table":true,"limit":5,"show_pie_chart":true,"sort_order":"desc","stacked_fields":"OTX_src","data_table_limit":50},"col":4,"row":2,"height":3,"width":1}]}],"grok_patterns":[],"lookup_tables":[],"lookup_caches":[],"lookup_data_adapters":[]}