
Updated parser for ASIM ciscoASA
v-sabiraj committed Jan 10, 2025
1 parent 3a37130 commit 0e710b9
Showing 2 changed files with 12 additions and 6 deletions.
@@ -1,12 +1,12 @@
Parser:
Title: Network Session ASIM parser for Cisco ASA
Version: '1.0'
LastUpdated: August 03, 2022
Version: '0.1.1'
LastUpdated: Jan 09, 2025
Product:
Name: CiscoASA
Normalization:
Schema: NetworkSession
Version: '0.2.4'
Version: '0.2.6'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
Expand Down Expand Up @@ -273,6 +273,9 @@ ParserQuery: |
let all_106023_unparsed = unparsedData
| where DeviceEventClassID == "106023" and not(Message has "protocol 41")
| parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
| parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
| extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
| extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
| parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
| extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
| extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
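Review bot: On the added `| extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]`, indexing the split result yields a dynamic value, while the following `split(SrcIpAddrAndPort,"/")` and the rest of the chain treat the column as a string; the neighbouring code already converts explicitly (`tostring(SrcIpAddrAndPort[0])`), so for consistency and to avoid a possible type mismatch this should read `| extend SrcIpAddrAndPort = tostring(split(SrcIpAddrAndPort, "(")[0])`. The two consecutive `parse Message with` statements are also order-dependent: the second rewrites every column the first produced, so rows carrying a `(user)` suffix come out right only because the second pattern still matches them and SrcUsername is not among the columns it assigns — a comment such as `// second parse covers 106023 messages without a "(user)" suffix; it overwrites the columns set by the first parse` would make that intent explicit. The same three lines are added in the second file's hunk at `@@ -329,6 +329,9 @@`, where both points apply as well. The enclosing `ParserQuery` block begins outside this hunk.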
@@ -1,12 +1,12 @@
Parser:
Title: Network Session ASIM parser for Cisco ASA
Version: '1.0'
LastUpdated: August 03, 2022
Version: '0.1.1'
LastUpdated: Jan 09, 2025
Product:
Name: CiscoASA
Normalization:
Schema: NetworkSession
Version: '0.2.4'
Version: '0.2.6'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
Expand Down Expand Up @@ -329,6 +329,9 @@ ParserQuery: |
let all_106023_unparsed = unparsedData
| where DeviceEventClassID == "106023" and not(Message has "protocol 41")
| parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
| parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
| extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
| extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
| parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
| extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
| extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
