parse event reason for new events
lvoloshyn-sekoia committed Dec 13, 2024
1 parent a474535 commit ecefc9e
Showing 3 changed files with 4 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Cisco/cisco-secure-firewall/ingest/parser.yml
Expand Up @@ -123,15 +123,15 @@ pipeline:
CISCO_106021: "%{CISCO_ACTION:action_name} %{DATA:network_transport} reverse path check from %{IP:source_ip} to %{IP:destination_ip} on interface %{GREEDYDATA:destination_address}"
CISCO_106023: '%{CISCO_ACTION:action_name}( protocol)? %{DATA:network_transport} src %{DATA:source_address}:%{DATA:source_ip}(/%{INT:source_port})?(\(%{DATA}\))? dst %{DATA:destination_address}:%{DATA:destination_ip}(/%{INT:destination_port})?(\(%{DATA}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "?%{DATA:action_outcome_reason}"? \[%{DATA}, %{DATA}\]'
CISCO_106100: 'access-list %{NOTSPACE:action_outcome_reason} %{CISCO_ACTION:action_name} %{DATA:network_transport} %{DATA:source_address}/%{IP:source_ip}\(%{INT:source_port}\)(\(%{DATA}\))? -> %{DATA:destination_address}/%{IP:destination_ip}\(%{INT:destination_port}\)(\(%{DATA}\))? hit-cnt %{INT:network_packets} %{CISCO_INTERVAL:network_duration} \[%{DATA}, %{DATA}\]'
CISCO_109201: "UAUTH: Session=%{DATA}, User=%{DATA:user_name}, Assigned IP=%{IP:source_ip}, Succeeded adding entry."
CISCO_109201: "UAUTH: Session=%{DATA}, User=%{DATA:user_name}, Assigned IP=%{IP:source_ip}, (?P<action_outcome_reason>Succeeded adding entry.)"
CISCO_110002: "%{CISCO_REASON:action_name} for %{DATA:network_transport} from %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port}"
CISCO_110003: '%{GREEDYDATA:action_name} from %{WORD}\:%{IP:source_ip}\/([1-2]?[0-9]|3[0-2]) to %{WORD}\:%{IP:destination_ip}\/([1-2]?[0-9]|3[0-2])(, %{GREEDYDATA:action_outcome_reason})?'
CISCO_111007: '%{GREEDYDATA:action_name}: %{IP:source_ip} reading from %{NOTSPACE:network_transport} \[%{DATA:http_method}\]'
CISCO_111008: "User '%{DATA:user_name}' executed the '%{GREEDYDATA:action_name}' command"
CISCO_113004: "%{GREEDYDATA} user (authentication|authorization) %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}"
CISCO_113012: "%{GREEDYDATA} user authentication %{WORD} : local database : user = %{DATA:user_name}"
CISCO_113019: "Group = %{GREEDYDATA:user_group}, Username = %{WORD:user_name}, IP = %{IP:source_ip}, %{DATA:action_outcome_reason}.Session Type: %{DATA:session_type}, Duration: %{DATA:special_duration}, Bytes xmt: %{DATA:bytes_xmt}, Bytes rcv: %{DATA:bytes_rcv}, Reason: %{GREEDYDATA:action_outcome_reason}"
CISCO_113039: "Group <%{GREEDYDATA:user_group}> User <%{WORD:user_name}> IP <%{IP:source_ip}> AnyConnect parent session started."
CISCO_113039: "Group <%{GREEDYDATA:user_group}> User <%{WORD:user_name}> IP <%{IP:source_ip}> (?P<action_outcome_reason>AnyConnect parent session started.)"
CISCO_199019: '%{GREEDYDATA} %{DURATION} %{WORD:process_name}\[%{GREEDYDATA:process_id}\]: %{WORD:log_host} %{GREEDYDATA:result}'
CISCO_302013_302014_302015_302016: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection %{INT} for %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port}( \(%{IP:source_nat_ip}/%{INT:source_nat_port}\))?(\(%{DATA}\))? to %{DATA:destination_address}:%{IP:destination_ip}/%{INT:destination_port}( \(%{IP:destination_nat_ip}/%{INT:destination_nat_port}\))?(\(%{DATA}\))?( duration %{DATA:network_duration} bytes %{INT:network_bytes})?%{DATA}( \(%{DATA:user_name}\))?'
CISCO_302020_302021: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection for faddr %{IP:source_ip}/%{INT:source_port}(\(%{DATA:user_group}\\%{DATA}\))? gaddr %{IP}/%{INT} laddr %{IP:destination_ip}/%{INT:destination_port}( \(%{DATA:user_name}\))?( type %{INT:icmp_type} code %{INT:icmp_code})?%{DATA}'
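Review bot: The trailing `.` inside the two new named groups on the CISCO_109201 and CISCO_113039 lines (the versions carrying `(?P<action_outcome_reason>…)`, which the added `reason` test expectations indicate are the new side) is an unescaped regex metacharacter, so it matches any single character rather than the literal period that ends these messages, and the fixtures only exercise the exact text so the looseness is not caught. In a double-quoted YAML scalar the escape needs a doubled backslash, as `(\\s*)?` on the CISCO_113004 line in this hunk already does: `(?P<action_outcome_reason>Succeeded adding entry\\.)` and `(?P<action_outcome_reason>AnyConnect parent session started\\.)`. Since both groups capture a fixed literal, the extracted reason is effectively a constant, and a short comment above each, e.g. `# fixed message text captured into action_outcome_reason so these events expose a reason like the variable-reason ones`, would make the intent of the named group clear to the next maintainer. The `pipeline:` mapping these patterns belong to starts above the hunk.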
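--- a/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json
@@ -9,6 +9,7 @@
 "iam"
 ],
 "code": "109201",
+"reason": "Succeeded adding entry.",
 "type": [
 "user"
 ]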
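--- a/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json
@@ -9,6 +9,7 @@
 "session"
 ],
 "code": "113039",
+"reason": "AnyConnect parent session started.",
 "type": [
 "start"
 ]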
