Cisco ASA 713172
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services.
Parser Configuration
The parser transforms raw log data into structured fields. This step is necessary because OCSF needs specific information in a standardized format, and most logs don't provide this structure by default. The configuration below defines the transformation rules in Fleak's Log Parsing Syntax, which lets you specify how to extract structured data from raw log text: identifying and capturing specific pieces of information such as timestamps, IP addresses, usernames, or error codes from unstructured log messages. The parser can handle various log formats, including syslog, Windows events, and custom patterns. Once parsed, the extracted fields become available for mapping to OCSF using the mapping configuration below.
Two things to check before relying on this parser. First, the grok expression ends in the literal message text, so it matches only the 713172 variant in which the remote end is behind a NAT device and this end is not; lines reporting the other is/is not combinations will not match this pattern. Second, the timestamp is captured with GREEDYDATA, which accepts anything up to the hostname, so a line whose timestamp is not in the 'MMM dd yyyy HH:mm:ss' form the mapping expects will parse here but fail later at ts_str_to_epoch.
[
  {
    "targetField": "__raw__",
    "removeTargetField": true,
    "extractionConfig": {
      "type": "grok",
      "grokExpression": "%{GREEDYDATA:timestamp} %{HOSTNAME:hostname} %{DATA:program}\\[%{POSINT:pid}\\]: %ASA-%{INT:level}-%{INT:message_number}: Automatic NAT Detection Status: Remote end is behind a NAT device This end is not behind a NAT device"
    }
  }
]
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. The configuration below defines the field mappings in the Fleak Eval Expression Language (FEEL), which lets you specify how to transform data from Cisco ASA 713172 logs into OCSF fields: converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.
The numeric enums and their string siblings (device.type and type_id, tunnel_type and tunnel_type_id, activity_id and the type_uid derived from it as class_uid * 100 + activity_id) must agree with the OCSF version named in metadata.version, 1.4.0 here. In that schema the Tunnel Activity class defines activity_id 3 as Renew and tunnel_type_id 1 as Split Tunnel, and device type_id 6 is Virtual, so review whether those values are how you want ASA NAT-detection status events classified before deploying the template. Note also that severity_id is mapped only for ASA level 6 (informational); every other level falls through to 0 (Unknown).
dict(
  time=ts_str_to_epoch($.timestamp, 'MMM dd yyyy HH:mm:ss'),
  device=dict(
    name=$.hostname,
    type='Virtual',
    type_id=6,
    hostname=$.hostname,
    network_interfaces=array(
      dict(
        name='utun0',
        type='NAT Tunnel',
        type_id=4
      )
    )
  ),
  status="Success",
  message="Automatic NAT Detection Status: Remote end is behind a NAT device This end is not behind a NAT device",
  metadata=dict(
    product=dict(
      name="Cisco ASA",
      vendor_name="Cisco"
    ),
    version="1.4.0",
    log_level=$.level,
    event_code=$.message_number,
    log_provider=$.program
  ),
  type_uid=4014 * 100 + 3,
  class_uid=4014,
  status_id=1,
  activity_id=3,
  severity_id=case(
    $.level == '6' => 1,
    _ => 0
  ),
  status_code=$.message_number,
  tunnel_type='NAT',
  category_uid=4,
  dst_endpoint=dict(
    type_id=1
  ),
  src_endpoint=dict(
    type_id=0
  ),
  status_detail="Automatic NAT Detection Status: Remote end is behind a NAT device This end is not behind a NAT device",
  tunnel_type_id=1,
  timezone_offset=0,
  tunnel_interface=dict(
    name="utun0",
    type="NAT Tunnel",
    type_id=4
  )
)
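To see the parser and the mapping work end to end on a real line, here is an added example in Python that is not Fleak's or Cisco's code. It hand-translates the grok expression above into a regular expression (with a tighter timestamp field in place of GREEDYDATA, and capturing both "is" and "is not" for each end rather than one literal variant), then assembles the OCSF event the FEEL mapping describes. The sample lines are constructed, the epoch-millisecond form of `time` is an assumption about what ts_str_to_epoch produces, and the severity rows for ASA levels other than 6 are an assumed extension of the template's single case.

```python
"""Added example, not Fleak's or Cisco's code: parse a Cisco ASA 713172 syslog
line as the grok pattern above does, then assemble the OCSF Tunnel Activity
event the FEEL mapping describes.  Sample lines below are constructed."""
import re
from datetime import datetime, timezone

# Grok translated to Python re: a tighter timestamp field, then HOSTNAME, DATA
# program, POSINT pid and the %ASA-<level>-<message id> header.  Unlike the
# template's literal tail, the status part captures "is"/"is not" for each end.
ASA_713172_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>[0-9A-Za-z][0-9A-Za-z.-]*) "
    r"(?P<program>[^\[\s]+)\[(?P<pid>[1-9]\d*)\]: "
    r"%ASA-(?P<level>\d)-(?P<message_number>713172): "
    r"Automatic NAT Detection Status: "
    r"Remote end is (?P<remote_not>not )?behind a NAT device "
    r"This end is (?P<local_not>not )?behind a NAT device$"
)
TIMESTAMP_FMT = "%b %d %Y %H:%M:%S"  # strptime form of 'MMM dd yyyy HH:mm:ss'

# ASA syslog level -> OCSF severity_id.  Only "6" -> 1 is from the template;
# the other rows are an assumed extension (0 emergency ... 7 debugging).
SEVERITY_BY_ASA_LEVEL = {"7": 1, "6": 1, "5": 1, "4": 2, "3": 3, "2": 4, "1": 5, "0": 6}
CLASS_UID = 4014  # OCSF Tunnel Activity, as in the template
ACTIVITY_ID = 3   # as chosen by the template


def parse_asa_713172(line):
    """Return the extracted fields, or None when the line is not a 713172 event."""
    m = ASA_713172_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["timestamp"], "hostname": g["hostname"],
        "program": g["program"], "pid": int(g["pid"]),
        "level": g["level"], "message_number": g["message_number"],
        "remote_behind_nat": g["remote_not"] is None,
        "local_behind_nat": g["local_not"] is None,
    }


def to_ocsf(fields):
    """Build the OCSF event the FEEL mapping describes (time in epoch ms, an
    assumption about ts_str_to_epoch; timezone_offset=0 as in the template)."""
    ts = datetime.strptime(fields["timestamp"], TIMESTAMP_FMT).replace(tzinfo=timezone.utc)
    remote = "is" if fields["remote_behind_nat"] else "is not"
    local = "is" if fields["local_behind_nat"] else "is not"
    status = (f"Automatic NAT Detection Status: Remote end {remote} behind a "
              f"NAT device This end {local} behind a NAT device")
    iface = {"name": "utun0", "type": "NAT Tunnel", "type_id": 4}
    return {
        "time": int(ts.timestamp() * 1000),
        "timezone_offset": 0,
        "category_uid": 4,
        "class_uid": CLASS_UID,
        "activity_id": ACTIVITY_ID,
        "type_uid": CLASS_UID * 100 + ACTIVITY_ID,  # derived, so it cannot drift
        "severity_id": SEVERITY_BY_ASA_LEVEL.get(fields["level"], 0),
        "status": "Success", "status_id": 1,
        "status_code": fields["message_number"],
        "status_detail": status, "message": status,
        "device": {"name": fields["hostname"], "hostname": fields["hostname"],
                   "type": "Virtual", "type_id": 6, "network_interfaces": [dict(iface)]},
        "metadata": {"product": {"name": "Cisco ASA", "vendor_name": "Cisco"},
                     "version": "1.4.0", "log_level": fields["level"],
                     "event_code": fields["message_number"],
                     "log_provider": fields["program"]},
        "src_endpoint": {"type_id": 0}, "dst_endpoint": {"type_id": 1},
        "tunnel_type": "NAT", "tunnel_type_id": 1, "tunnel_interface": iface,
    }


def convert(line):
    """Parse then map; None means the parser did not match the line."""
    fields = parse_asa_713172(line)
    return None if fields is None else to_ocsf(fields)


# Constructed sample lines, not captured from a real device.
SAMPLE_LINE = ("Jan 15 2024 10:23:45 asa-fw01 asa[4242]: %ASA-6-713172: Automatic "
               "NAT Detection Status: Remote end is behind a NAT device This end "
               "is not behind a NAT device")
VARIANT_LINE = SAMPLE_LINE.replace("Remote end is behind", "Remote end is not behind")
UNRELATED_LINE = "Jan 15 2024 10:23:47 asa-fw01 asa[4242]: %ASA-6-100001: constructed other event"

if __name__ == "__main__":
    print(convert(SAMPLE_LINE))
```

Running the script prints the event for SAMPLE_LINE; convert returns None for UNRELATED_LINE because the regex, like the template's grok, only accepts message 713172, while VARIANT_LINE shows the is/is-not combination that the template's literal tail would have rejected being mapped with the matching status text.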
Template ID: a45864d3-4ea0-4cd8-883f-b3f94af1d0b6
Text Mapping: Yes