Asa 111002
Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services.
Parser Configuration
The parser transforms raw log data into structured fields. This step is necessary because OCSF needs specific information in a standardized format, and most logs don't provide this structure by default. To define these transformation rules, the configuration below uses Fleak's Log Parsing Syntax. This syntax lets you specify how to extract structured data from raw log text - identifying and capturing specific pieces of information like timestamps, IP addresses, usernames, or error codes from unstructured log messages. The parser can handle various log formats including syslog, Windows events, and custom patterns. Once parsed, the extracted fields become available for mapping to OCSF format using the mapping configuration below.
[
  {
    "targetField": "__raw__",
    "removeTargetField": false,
    "extractionConfig": {
      "type": "syslog",
      "componentList": [
        "TIMESTAMP",
        "DEVICE",
        "APP"
      ],
      "timestampPattern": "MMM dd yyyy HH:mm:ss"
    },
    "dispatchConfig": null
  },
  {
    "targetField": "content",
    "removeTargetField": true,
    "extractionConfig": {
      "type": "grok",
      "grokExpression": "%ASA-%{INT:level}-%{INT:message_number}: Begin configuration: %{IP:ip} %{GREEDYDATA:read_action}"
    },
    "dispatchConfig": null
  }
]
Mapping Configuration
The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from Cisco 111002 logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.
dict(
  time=ts_str_to_epoch($.timestamp, 'MMM dd yyyy HH:mm:ss'),
  state="Enabled",
  device=dict(
    ip=$.ip,
    type="Firewall",
    type_id=9,
    hostname=$.deviceId
  ),
  status='Success',
  message=$.message_number + ': ' + $.read_action,
  metadata=dict(
    product=dict(
      name='Cisco ASA',
      feature=dict(
        name=case(
          str_contains($.message_number, '111002') => 'Configuration',
          _ => 'Security'
        )
      )
    ),
    version="1.5.0",
    log_name='ASA',
    event_code=$.message_number,
    log_provider=$.appName,
    original_time=$.timestamp
  ),
  raw_data=$.__raw__,
  state_id=case(
    str_contains($.message_number, '111002') => 2,
    _ => 0
  ),
  type_uid=501901,
  class_uid=5019,
  status_id=1,
  activity_id=case(
    str_contains($.message_number, '111002') => 1,
    _ => 99
  ),
  severity_id=parse_int($.level),
  status_code=$.message_number,
  category_uid=5,
  status_detail=case(
    str_contains($.message_number, '111002') => 'Begin configuration: ' + $.ip + ' ' + $.read_action,
    _ => null
  ),
  security_level=case(
    $.level == '5' => 'High',
    _ => 'Unknown'
  ),
  security_states=array(
    dict(
      state="Policy mismatch",
      state_id=2
    )
  ),
  timezone_offset=0,
  security_level_id=case(
    $.level == '5' => 2,
    _ => 0
  )
)
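To make the two stages above concrete, here is an added Python example (not Fleak's code and not part of this template) that runs the same pipeline end to end: a syslog-prefix split standing in for the TIMESTAMP/DEVICE/APP parser, a regex equivalent of the grok expression, and then the FEEL mapping rewritten as a plain dictionary. The sample lines are constructed, and the prefix layout `<timestamp> <device> <app>: <content>` is an assumption about how the syslog components line up in a real ASA feed; the `parse`, `to_ocsf` and `convert` helpers are hypothetical names introduced for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, not taken from the page. The syslog prefix layout
# "<timestamp> <device> <app>: <content>" is an assumption about how the
# TIMESTAMP / DEVICE / APP components of the template's syslog parser line up.
SAMPLE_LINES = [
    "Feb 14 2024 10:15:32 asa-fw-01 CiscoASA: %ASA-5-111002: Begin configuration: 192.0.2.10 reading from terminal",
    "Feb 14 2024 10:16:05 asa-fw-01 CiscoASA: %ASA-6-111002: Begin configuration: 198.51.100.7 reading from http",
]

# Stage 1 of the template's parser: split the syslog header from the content.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<deviceId>\S+) (?P<appName>[^:]+): (?P<content>.*)$"
)

# Stage 2: a regex equivalent of the template's grok expression
# %ASA-%{INT:level}-%{INT:message_number}: Begin configuration: %{IP:ip} %{GREEDYDATA:read_action}
GROK_RE = re.compile(
    r"^%ASA-(?P<level>\d+)-(?P<message_number>\d+): Begin configuration: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<read_action>.*)$"
)

TIMESTAMP_FMT = "%b %d %Y %H:%M:%S"  # Python spelling of "MMM dd yyyy HH:mm:ss"


def parse(raw):
    """Return the flat field dict the two parser stages would produce, or None."""
    header = SYSLOG_RE.match(raw)
    if header is None:
        return None
    fields = {"__raw__": raw}  # removeTargetField=false keeps the raw line
    fields.update(header.groupdict())
    body = GROK_RE.match(fields.pop("content"))  # removeTargetField=true drops content
    if body is None:
        return None
    fields.update(body.groupdict())
    return fields


def ts_str_to_epoch(value, fmt=TIMESTAMP_FMT):
    # The ASA timestamp carries no zone; like the mapping's timezone_offset=0,
    # this assumes the device logs in UTC.
    return int(datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp())


def to_ocsf(f):
    """Apply the template's FEEL mapping to a parsed field dict."""
    is_111002 = "111002" in f["message_number"]   # str_contains($.message_number, '111002')
    level_is_5 = f["level"] == "5"                 # $.level == '5' (string compare, as in FEEL)
    return {
        "time": ts_str_to_epoch(f["timestamp"]),
        "state": "Enabled",
        "device": {"ip": f["ip"], "type": "Firewall", "type_id": 9, "hostname": f["deviceId"]},
        "status": "Success",
        "message": f["message_number"] + ": " + f["read_action"],
        "metadata": {
            "product": {
                "name": "Cisco ASA",
                "feature": {"name": "Configuration" if is_111002 else "Security"},
            },
            "version": "1.5.0",
            "log_name": "ASA",
            "event_code": f["message_number"],
            "log_provider": f["appName"],
            "original_time": f["timestamp"],
        },
        "raw_data": f["__raw__"],
        "state_id": 2 if is_111002 else 0,
        "type_uid": 501901,
        "class_uid": 5019,
        "status_id": 1,
        "activity_id": 1 if is_111002 else 99,
        "severity_id": int(f["level"]),            # parse_int($.level)
        "status_code": f["message_number"],
        "category_uid": 5,
        "status_detail": ("Begin configuration: " + f["ip"] + " " + f["read_action"]) if is_111002 else None,
        "security_level": "High" if level_is_5 else "Unknown",
        "security_states": [{"state": "Policy mismatch", "state_id": 2}],
        "timezone_offset": 0,
        "security_level_id": 2 if level_is_5 else 0,
    }


def convert(raw):
    """Raw syslog line in, OCSF event dict out (None when either stage fails)."""
    fields = parse(raw)
    return None if fields is None else to_ocsf(fields)


if __name__ == "__main__":
    import json
    for line in SAMPLE_LINES:
        print(json.dumps(convert(line), indent=2))
```

Two things worth noticing when you run it: the grok stage only matches "Begin configuration" lines, so any other ASA message on the same feed yields `None` rather than a half-populated event, and a production pipeline should route those lines elsewhere instead of silently dropping them (the template's `dispatchConfig` is `null`). Also, the ASA timestamp has no zone, so `timezone_offset=0` and the epoch conversion are only correct if the firewall actually logs in UTC; verify that against the device's clock settings before trusting `time` for correlation.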
Template ID: fe4f8c59-9c2d-463d-8c50-52eee56717dc
Text Mapping: Yes