ASA 502102

Vendor: Cisco
Type: 502102
Subtype: 502102
OCSF Version: 1.6.0
Created by: buer shen

Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services.

Parser Configuration

The parser transforms raw log data into structured fields. This step is necessary because OCSF needs specific information in a standardized format, and most logs don't provide this structure by default. To define these transformation rules, the configuration below uses Fleak's Log Parsing Syntax. This syntax lets you specify how to extract structured data from raw log text - identifying and capturing specific pieces of information like timestamps, IP addresses, usernames, or error codes from unstructured log messages. The parser can handle various log formats including syslog, Windows events, and custom patterns. Once parsed, the extracted fields become available for mapping to OCSF format using the mapping configuration below.

[
  {
    "targetField": "__raw__",
    "removeTargetField": false,
    "extractionConfig": {
      "type": "syslog",
      "componentList": [
        "TIMESTAMP",
        "DEVICE",
        "APP"
      ],
      "timestampPattern": "MMM dd yyyy HH:mm:ss"
    },
    "dispatchConfig": null
  },
  {
    "targetField": "content",
    "removeTargetField": true,
    "extractionConfig": {
      "type": "grok",
      "grokExpression": "%ASA-%{INT:level}-%{INT:message_number}: User deleted from local dbase: Uname: %{DATA:user} Priv: %{NUMBER:privilege_level} Encpass: %{GREEDYDATA:encpass}"
    },
    "dispatchConfig": null
  }
]

Mapping Configuration

The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from Cisco 502102 logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.

dict(
  time=ts_str_to_epoch($.timestamp, 'MMM dd yyyy HH:mm:ss'),
  user=dict(
    name=$.user,
    type_id=1,
    programmatic_credentials=array(
      dict(
        uid=$.encpass
      )
    )
  ),
  actor=dict(
    user=dict(
      name=$.user,
      type_id=1
    )
  ),
  status=case(
    $.message_number == '502102' => 'Success',
    _ => 'Unknown'
  ),
  message=case(
    $.message_number == '502102' => 'User deleted from local dbase: Uname: ' + $.user + ' Priv: ' + $.privilege_level + ' Encpass: ' + $.encpass,
    _ => $.__raw__
  ),
  metadata=dict(
    product=dict(
      name="CiscoASA",
      vendor_name="Cisco"
    ),
    version="1.6.0",
    log_level=$.level,
    event_code=$.message_number,
    logged_time=ts_str_to_epoch($.timestamp, 'MMM dd yyyy HH:mm:ss')
  ),
  raw_data=$.__raw__,
  type_uid=300106,
  class_uid=3001,
  status_id=1,
  activity_id=6,
  severity_id=case(
    $.level == '5' => 5,
    _ => 0
  ),
  status_code=$.message_number,
  user_result=dict(
    name=$.user,
    type_id=1,
    programmatic_credentials=array(
      dict(
        uid=$.encpass
      )
    )
  ),
  category_uid=3,
  src_endpoint=dict(
    owner=dict(
      name=$.user
    ),
    hostname=$.deviceId
  ),
  status_detail=case(
    $.message_number == '502102' => 'User deleted from local database with privilege level ' + $.privilege_level,
    _ => $.__raw__
  ),
  timezone_offset=0
)

Template ID: c2a3d85b-d064-43fa-8578-80a5a3e3478f

Text Mapping: Yes
