Update: minor pipeline refactoring

manan-crest · manan-crest · commit 8a31a6acccbd · 2025-11-27T17:18:53.000+05:30
diff --git a/cisco_asa/assets/logs/cisco-asa.yaml b/cisco_asa/assets/logs/cisco-asa.yaml
@@ -160,20 +160,23 @@ pipeline:
               110002 OR 110003 OR 110004 OR 746001 OR 746002 OR 746003 OR 746005
               OR 746007 OR 746016)"
           name: firewall
+        - name: other
+          filter:
+            query: "@message_id:*"
       target: service
     - type: service-remapper
       name: Define `service` as the official service of the log
       enabled: true
       sources:
         - service
     - type: pipeline
-      name: Threat Protection
+      name: Threat Detection
       enabled: true
       filter:
         query: "@message_id:(733100 OR 733102 OR 733103 OR 733104 OR 733105)"
       processors:
         - type: grok-parser
-          name: Parse Threat Protection logs
+          name: Parse Threat Detection Logs
           enabled: true
           source: message
           samples:
@@ -191,20 +194,21 @@ pipeline:
               (10.10.10.10/52340). Burst rate of 200 SYNs/sec exceeded the
               threshold of 150.
           grok:
-            supportRules: _space %{regex("\\s*")}
+            supportRules: ""
             matchRules: >-
-              rule_733100 \[%{_space}%{data:object}%{_space}\] drop rate(-|
+              rule_733100 \[\s*%{regex("[^\\]]*"):object}\] drop rate(-|
               )%{number:rate_id} exceeded. Current burst rate is
-              %{number:current_burst_rate} per second, max configured rate is
-              %{number:max_configured_burst_rate}; Current average rate is
-              %{number:current_average_rate} per second, max configured rate is
+              %{number:current_burst_rate} per (second, max|second_max)
+              configured rate is %{number:max_configured_burst_rate}; Current
+              average rate is %{number:current_average_rate} per (second,
+              max|second_max) configured rate is
               %{number:max_configured_average_rate}; Cumulative total count is
               %{number:cumulative_total}( \(%{number:received_instances}
               instances received\))?
 
               rule_733102_733103 Threat-detection %{word:action} host %{ipOrHost:host} (to|from) shun list
 
-              rule_733104_733105 %{word:protocol} Intercept SYN flood attack detected to %{ip:network.destination.ip}/%{port:network.destination.port}%{_space}\(%{ip:network.client.ip}/%{port:network.client.port}\). %{word:rate_type} rate of %{number:rate} %{notSpace:rate_unit} exceeded the threshold of %{number:rate_threshold}
+              rule_733104_733105 %{word:protocol} Intercept SYN flood attack detected to %{ip:network.destination.ip}/%{port:network.destination.port}\s*\(%{ip:real_ip}/%{port:real_port}\). %{word:rate_type} rate of %{number:rate} %{notSpace:rate_unit} exceeded the threshold of %{number:rate_threshold}
     - type: pipeline
       name: User Authentication
       enabled: true
@@ -231,16 +235,16 @@ pipeline:
             supportRules: ""
             matchRules: >-
               rule_109005_109006 Authentication %{notSpace:evt.outcome} for user
-              '%{data:usr.name}' from
+              '%{regex("[^']*"):usr.name}' from
               %{ip:network.client.ip}/%{port:network.client.port} to
               %{ip:network.destination.ip}/%{port:network.destination.port} on
               interface %{data:interface}
 
-              rule_109010 Auth from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} %{notSpace:evt.outcome} \(%{data:reason}\) on interface %{data:interface}
+              rule_109010 Auth from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} %{notSpace:evt.outcome} \(%{regex("[^\\)]*"):reason}\) on interface %{data:interface}
 
-              rule_109023 User from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} on interface %{data:interface} using %{data:service_name} must authenticate before using this service
+              rule_109023 User from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} on interface %{regex(".*(?= using )"):interface} using %{regex(".*(?= must authenticate)"):service_name} must authenticate before using this service
 
-              rule_109033_109034 Authentication %{notSpace:evt.outcome} for %{notSpace:user_type} user %{data:usr.name} from (%{ip:network.client.ip}|%{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port}). Interactive challenge processing is not supported for %{notSpace:protocol}( connections)?
+              rule_109033_109034 Authentication %{notSpace:evt.outcome} for %{notSpace:user_type} user %{regex(".*(?= from )"):usr.name} from (%{ip:network.client.ip}|%{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port}). Interactive challenge processing is not supported for %{notSpace:protocol}( connections)?
     - type: pipeline
       name: User Authorization
       enabled: true
@@ -267,12 +271,12 @@ pipeline:
             supportRules: ""
             matchRules: >-
               rule_109007_109008 Authorization %{word:evt.outcome} for user
-              '%{data:usr.name}' from
+              '%{regex("[^']*"):usr.name}' from
               %{ip:network.client.ip}/%{port:network.client.port} to
               %{ip:network.destination.ip}/%{port:network.destination.port} on
               interface %{data:interface}
 
-              rule_109024_109025 Authorization %{word:evt.outcome} (\(acl=%{data:acl_id}\) for user '%{data:usr.name}' )?from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} (\(not authenticated\) )?on interface %{data:interface} using %{notSpace:protocol}( to)?
+              rule_109024_109025 Authorization %{word:evt.outcome} (\(acl=%{regex("[^\\)]*"):acl_id}\))?( for user '%{regex("[^']*"):usr.name}' )?from %{ip:network.client.ip}/%{port:network.client.port} to %{ip:network.destination.ip}/%{port:network.destination.port} (\(not authenticated\) )?on interface %{regex(".*(?= using )"):interface} using %{notSpace:protocol}( to)?
     - type: pipeline
       name: User Management
       enabled: true
@@ -292,10 +296,11 @@ pipeline:
               privilege_level"
           grok:
             supportRules: ""
-            matchRules: "rule_502101_502102_502103 %{data:action}: Uname: %{data:usr.name}
-              (Priv: %{notSpace:privilege_level} %{data}|From:
+            matchRules: 'rule_502101_502102_502103 %{regex(".*(?=: Uname)"):action}: Uname:
+              %{regex(".*(?= (Priv:|From:))"):usr.name} (Priv:
+              %{notSpace:privilege_level}%{data}|From:
               %{notSpace:previous_privilege_level} To:
-              %{notSpace:new_privilege_level})"
+              %{notSpace:new_privilege_level})'
     - type: pipeline
       name: Application Firewall
       enabled: true
@@ -324,18 +329,19 @@ pipeline:
               requests exceeded drop inside test:10.10.10.10/51822 to
               outside:10.10.10.10/443"
           grok:
-            supportRules: _space %{regex("(\\s)*")}
+            supportRules: _parse_till_colon %{regex(".*(?=\\:)")}
             matchRules: >-
-              rule_415001_415002_415003_415005 HTTP - matched
-              ("%{data:matched_string}"|%{data:matched_string}) in policy-map
-              %{data:policy_map},%{_space}%{regex("header field count
+              rule_415001_415002_415003_415005 HTTP - matched ("%{regex(".*(?=\"
+              in policy-map)"):matched_string}"|%{regex(".*(?= in
+              policy-map)"):matched_string}) in policy-map
+              %{regex("[^,]*"):policy_map},\s+%{regex("header field count
               exceeded|header field length exceeded|body length exceeded|URI
               length exceeded"):reason}
-              %{notSpace:connection_action}%{_space}%{notSpace:source_interface}:%{ip:network.client.ip}/%{port:network.client.port}
+              %{notSpace:connection_action}\s+%{_parse_till_colon:source_interface}:%{ip:network.client.ip}/%{port:network.client.port}
               to
-              %{notSpace:destination_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}
+              %{_parse_till_colon:destination_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}
 
-              rule_415013_415016 (HTTP - )?policy-map %{notSpace:policy_map}%{_space}:%{_space}%{regex("Maximum number of unanswered HTTP requests exceeded|Malformed chunked encoding"):reason} %{notSpace:connection_action}%{_space}%{data:source_interface}:%{ip:network.client.ip}/%{port:network.client.port} to %{data:destination_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}
+              rule_415013_415016 (HTTP - )?policy-map %{regex("[^:]*"):policy_map}\s*:\s*%{regex("Maximum number of unanswered HTTP requests exceeded|Malformed chunked encoding"):reason} %{notSpace:connection_action}\s+%{_parse_till_colon:source_interface}:%{ip:network.client.ip}/%{port:network.client.port} to %{_parse_till_colon:destination_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}
     - type: pipeline
       name: Transparent Firewall
       enabled: true
@@ -356,16 +362,16 @@ pipeline:
               zone-new/eth0:192.0.2.5/443(192.0.2.2/1199 ) to
               zone-dest/br0:192.0.2.2/1194(192.0.2.7/443 )
           grok:
-            supportRules: _space %{regex("(\\s)*")}
+            supportRules: _parse_till_colon %{regex(".*(?=\\:)")}
             matchRules: >-
               rule_110002_110003 %{regex("Failed to locate egress
               interface|Routing failed to locate next-hop"):reason} for
               %{notSpace:protocol} from
-              %{data:source_interface}%{_space}:%{ip:network.client.ip}/%{port:network.client.port}
+              %{_parse_till_colon:source_interface}\s*:%{ip:network.client.ip}/%{port:network.client.port}
               to
-              (%{data:destination_interface}%{_space}:)?%{ip:network.destination.ip}/%{port:network.destination.port}
+              (%{_parse_till_colon:destination_interface}\s*:)?%{ip:network.destination.ip}/%{port:network.destination.port}
 
-              rule_110004 %{regex("Egress interface changed"):reason} from %{data:old_interface} to %{data:new_interface} on %{notSpace:protocol} connection %{number:connection_id} for %{notSpace:outside_interface_zone}%{_space}/%{_space}%{notSpace:outside_interface}%{_space}:%{ip:outside_ip}%{_space}/%{_space}%{port:outside_port}%{_space}\(%{ip:outside_mapped_ip}%{_space}/%{_space}%{port:outside_mapped_port}%{_space}\) to %{notSpace:inside_interface_zone}%{_space}/%{_space}%{notSpace:inside_interface}%{_space}:%{ip:inside_ip}%{_space}/%{_space}%{port:inside_port}%{_space}\(%{ip:inside_mapped_ip}%{_space}/%{_space}%{port:inside_mapped_port}%{_space}\)
+              rule_110004 %{regex("Egress interface changed"):reason} from %{regex(".*(?= to )"):old_interface} to %{regex(".*(?= on )"):new_interface} on %{notSpace:protocol} connection %{number:connection_id} for %{notSpace:outside_interface_zone}\s*/\s*%{_parse_till_colon:outside_interface}\s*:%{ip:outside_ip}\s*/\s*%{port:outside_port}\s*\(%{ip:outside_mapped_ip}\s*/\s*%{port:outside_mapped_port}\s*\) to %{notSpace:inside_interface_zone}\s*/\s*%{_parse_till_colon:inside_interface}\s*:%{ip:inside_ip}\s*/\s*%{port:inside_port}\s*\(%{ip:inside_mapped_ip}\s*/\s*%{port:inside_mapped_port}\s*\)
     - type: pipeline
       name: Identity Firewall
       enabled: true
@@ -386,17 +392,17 @@ pipeline:
               memory"
             - "user-identity: identity_lookup_store started"
           grok:
-            supportRules: _space %{regex("(\\s)*"):}
+            supportRules: ""
             matchRules: >-
               rule_746005 user-identity: The AD Agent %{ip:network.client.ip}
               cannot be reached -
-              (%{regex("[^\\[]*"):reason}(\[%{_space}%{regex("[^\\]]*"):action}%{_space}\])?|%{data:reason})
+              (%{regex("[^\\[]*"):reason}(\[\s*regex("[^\\]]*"):action}\s*\])?|%{data:reason})
 
-              rule_746007 user-identity: NetBIOS response failed from User %{data:usr.name} at %{ip:network.client.ip}
+              rule_746007 user-identity: NetBIOS response failed from User %{regex(".*(?= at )"):usr.name} at %{ip:network.client.ip}
 
-              rule_746016 user-identity: DNS lookup for %{ip:network.client.ip} failed, reason:%{_space}%{data:reason}
+              rule_746016 user-identity: DNS lookup for %{ip:network.client.ip} failed, reason:\s+%{data:reason}
 
-              rule_746001_746002_746003 user-identity: %{data:database} %{notSpace:download_status}(%{_space}-%{_space}%{data:reason})?
+              rule_746001_746002_746003 user-identity: %{data:database} %{notSpace:download_status}(\s+-\s+%{data:reason})?
     - type: pipeline
       name: ARP Collision Insights
       enabled: true
@@ -417,9 +423,10 @@ pipeline:
           grok:
             supportRules: ""
             matchRules: rule_405001 Received ARP (request|response) collision from
-              %{ip:network.client.ip}/%{mac:source_mac_address} on interface
-              %{data:interface} with existing ARP entry
-              %{ip:existing_arp_ip}/%{mac:existing_arp_ip_mac_address}
+              %{ip:network.client.ip}\s*/\s*%{mac:source_mac_address} on
+              interface %{regex(".*(?= with existing ARP)"):interface} with
+              existing ARP entry
+              %{ip:existing_arp_ip}\s*/\s*%{mac:existing_arp_ip_mac_address}
     - type: pipeline
       name: Connection insights
       enabled: true
@@ -442,13 +449,12 @@ pipeline:
             - Deny inbound UDP from 192.0.2.10/1194 to 192.0.2.12/1195 on
               interface Ethernet0
           grok:
-            supportRules: _space %{regex("\\s*")}
+            supportRules: ""
             matchRules: >-
               rule_106001 %{regex("Inbound TCP connection denied"):reason} from
               %{ip:network.client.ip}/%{port:network.client.port} to
               %{ip:network.destination.ip}/%{port:network.destination.port}
-              flags %{notSpace:tcp_flag}%{_space}on%{_space}interface
-              %{data:interface}
+              flags %{notSpace:tcp_flag}\s+on\s+interface %{data:interface}
 
               rule_106002 %{notSpace:protocol} Connection denied by outbound list %{notSpace:outbound_list} src %{ip:network.client.ip} dest %{ip:network.destination.ip}
 
@@ -491,15 +497,15 @@ pipeline:
               local list: mycoolapp-preview.mock, threat-level: 0, category:
               malware"
           grok:
-            supportRules: _space %{regex("\\s*")}
+            supportRules: _parse_till_colon %{regex(".*(?=:)")}
             matchRules: 'rule Dynamic (Filter|filter)
               %{regex("monitored|permitted|dropped|denied|action"):action}
               %{regex("blacklisted|black listed|whitelisted|white
               listed|greylisted|grey listed"):traffic_type} %{notSpace:protocol}
               traffic from
-              %{data:in_interface}:%{ip:network.client.ip}/%{port:network.client.port}%{_space}\(%{ipOrHost:client_mapped_ip}/%{port:client_mapped_port}\)(\))?
+              %{_parse_till_colon:in_interface}:%{ip:network.client.ip}/%{port:network.client.port}\s*\(%{ipOrHost:client_mapped_ip}/%{port:client_mapped_port}\)(\))?
               to
-              %{data:out_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}%{_space}\(%{ipOrHost:destination_mapped_ip}/%{port:destination_mapped_port}\)(\),|,\),|,)?
+              %{_parse_till_colon:out_interface}:%{ip:network.destination.ip}/%{port:network.destination.port}\s*\(%{ipOrHost:destination_mapped_ip}/%{port:destination_mapped_port}\)(\),|,\),|,)?
               (source|destination)
               (%{ip:malicious_address}/%{notSpace:malicious_address_netmask}|%{notSpace:malicious_address})
               resolved from %{notSpace:list_type} list:
