diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index 8ec25433d895b..f8815645b70c9 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -135,6 +135,8 @@ integration/cilium:
 - cilium/**/*
 integration/cisco_aci:
 - cisco_aci/**/*
+integration/cisco_asa:
+- cisco_asa/**/*
 integration/cisco_duo:
 - cisco_duo/**/*
 integration/cisco_sdwan:
diff --git a/cisco_asa/CHANGELOG.md b/cisco_asa/CHANGELOG.md
new file mode 100644
index 0000000000000..9b694c4ed481b
--- /dev/null
+++ b/cisco_asa/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - Cisco ASA
+
+
+
diff --git a/cisco_asa/README.md b/cisco_asa/README.md
new file mode 100644
index 0000000000000..b2678f3fc6903
--- /dev/null
+++ b/cisco_asa/README.md
@@ -0,0 +1,151 @@
+## Overview
+
+[Cisco ASA][4] is a robust firewall platform that provides enterprise-class protection with high availability and scalable performance. It adapts to evolving security needs and supports dynamic routing for modern networks and data centers.
+
+Integrate Cisco ASA with Datadog to gain insights into Threat Detection, User Authentication, User Authorization, User Management, Dynamic Traffic Insights, Connection Insights, ARP Collision Insights, Application Firewall, Transparent Firewall and Identity Firewall using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. The integration can also be used for Cloud SIEM detection rules for enhanced monitoring and security.
+
+**Minimum Agent version:** 7.74.0
+
+**Disclaimer**: Your use of this integration, which may collect data that includes personal information, is subject to your agreements with Datadog. Cisco is not responsible for the privacy, security or integrity of any end-user information, including personal data, transmitted through your use of the integration.
+
+## Setup
+
+### Configuration
+
+#### Log collection
+
+1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:
+/root/Bitbucket/datadog-security-connectors
+ ```yaml
+ logs_enabled: true
+ ```
+
+2. Add this configuration block to your `cisco_asa.d/conf.yaml` file to start collecting your Cisco ASA logs.
+
+ ```yaml
+ logs:
+ - type: tcp # or 'udp'
+ port:
+ service: cisco-asa
+ source: cisco-asa
+ ```
+
+ See the sample [cisco_asa.d/conf.yaml][6] for available configuration options.
+
+ **Note**: Do not change the `source` and `service` values, as these parameters are integral to the pipeline's operation.
+
+3. [Restart the Agent][3].
+
+#### Syslog Configuration from Cisco ASA CLI:
+
+1. Connect to the Cisco ASA CLI
+2. 
Enter privileged EXEC mode by running:
+ ```shell
+ enable
+ ```
+ - When prompted, enter the password.
+3. Enable global configuration mode:
+ ```shell
+ configure terminal
+ ```
+4. Enable logging:
+ ```shell
+ logging enable
+ ```
+5. Configure syslog log forwarding:
+
+ Replace the placeholders with actual values:
+ - **interface_name**: interface that the syslog server is associated with
+ - **ip_address**: ip address of syslog server
+ - **port**: port on which the syslog server is listening.
+
+ For UDP:
+ ```shell
+ logging host udp/
+ ```
+ For TCP:
+ ```shell
+ logging host tcp/
+ ```
+6. Set logging level to debugging:
+ ```shell
+ logging trap debugging
+ ```
+7. Enable RFC 5424 timestamp format:
+ ```shell
+ logging timestamp rfc5424
+ ```
+
+**Note**: The `port` value should be similar to the port provided in the `Log Collection` section.
+
+### Validation
+
+[Run the Agent's status subcommand][2] and look for `cisco_asa` under the Logs Agent section.
+
+## Data Collected
+
+### Log Collection
+
+The Cisco ASA integration collects Threat Detection, User Authentication, User Authorization, User Management, Dynamic traffic Insights, Connection Insights, ARP Collision Insights, Application Firewall, Transparent Firewall, Identity Firewall logs.
+
+### Metrics
+
+The Cisco ASA does not include any metrics.
+
+### Events
+
+The Cisco ASA integration does not include any events.
+
+## Troubleshooting
+
+**Permission denied while port binding:**
+
+If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions:
+
+ 1. Binding to a port number under 1024 requires elevated permissions. 
Grant access to the port using the `setcap` command:
+
+ - Grant access to the port using the `setcap` command:
+
+ ```shell
+ sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
+ ```
+
+ - Verify the setup is correct by running the `getcap` command:
+
+ ```shell
+ sudo getcap /opt/datadog-agent/bin/agent/agent
+ ```
+
+ With the expected output:
+
+ ```shell
+ /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
+ ```
+
+ **Note**: Re-run this `setcap` command every time you upgrade the Agent.
+
+ 2. [Restart the Agent][3].
+
+**Data is not being collected:**
+
+Make sure that traffic is bypassed from the configured port if the firewall is enabled.
+
+**Port already in use:**
+
+If you see the **Port Already in Use** error, see the following instructions. The example below is for a PORT_NUMBER equal to 514:
+
+On systems using Syslog, if the Agent listens for logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`.
+
+This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps:
+
+- Disable Syslog.
+- Configure the Agent to listen on a different, available port.
+
+Need help? Contact [Datadog support][1].
+
+[1]: https://docs.datadoghq.com/help/
+[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[3]: https://docs.datadoghq.com/agent/configuration/agent-commands/#start-stop-and-restart-the-agent
+[4]: https://www.cisco.com/c/en_in/products/security/adaptive-security-appliance-asa-software/index.html
+[5]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install
+[6]: https://github.com/DataDog/integrations-core/blob/master/watchguard_firebox/datadog_checks/watchguard_firebox/data/conf.yaml.example
diff --git a/cisco_asa/assets/cisco-asa.svg b/cisco_asa/assets/cisco-asa.svg
new file mode 100644
index 0000000000000..b1f6ae27b1e50
--- /dev/null
+++ b/cisco_asa/assets/cisco-asa.svg
@@ -0,0 +1,35 @@
+ + + + + + + + + + +
diff --git a/cisco_asa/assets/configuration/spec.yaml b/cisco_asa/assets/configuration/spec.yaml
new file mode 100644
index 0000000000000..b627cdf494725
--- /dev/null
+++ b/cisco_asa/assets/configuration/spec.yaml
@@ -0,0 +1,10 @@
+name: Cisco ASA
+files:
+- name: cisco_asa.yaml
+ options:
+ - template: logs
+ example:
+ - type: tcp/udp
+ port:
+ source: cisco-asa
+ service: cisco-asa
diff --git a/cisco_asa/assets/dashboards/cisco_asa_firewall_details.json b/cisco_asa/assets/dashboards/cisco_asa_firewall_details.json
new file mode 100644
index 0000000000000..8718011422dd1
--- /dev/null
+++ b/cisco_asa/assets/dashboards/cisco_asa_firewall_details.json
@@ -0,0 +1,3009 @@ +{ + "title": "Cisco ASA Firewall Details", + "description": "This dashboard provides centralized visibility into Cisco ASA firewall activity across Application Firewall, Transparent Firewall, and Identity Firewall.", + "widgets": [ + { + "id": 3678466852429260, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg", + "url_dark_theme": "", + "sizing": "none", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 7797669545623664, + "definition": { + "type": "note", + "content": "This dashboard provides centralized visibility into Cisco ASA firewall activity across Application Firewall, Transparent Firewall, and Identity Firewall.\n\nFor more information, see the [Cisco ASA Integration Documentation](https://docs.datadoghq.com/integrations/cisco_asa/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7579119718473155, + "definition": { + "title": "Application Firewall", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2787205431176012, + "definition": { + "type": "note", + "content": "This group highlights events inspected by the application-layer controls, offering insight into traffic patterns, HTTP anomalies, and policy enforcement outcomes. 
It helps quickly spot abnormal request behavior, interface-level trends, and sources or destinations associated with application-level violations or failures.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 4250103828897205, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 3556237258840621, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 556095215252680, + "definition": { + "title": "Top policy maps", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@policy_map" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 5, + "height": 4 + } + }, + { + "id": 8720574504806193, + "definition": { + "title": "Distribution by status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "status" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 5, + "y": 4, + "width": 7, + "height": 4 + } + }, + { + "id": 135235249555372, + "definition": { + "title": "Request failure reasons distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@reason" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 3147437817847140, + "definition": { + "title": "Top source IP & port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": 
"count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 7069597956204384, + "definition": { + "title": "Top destination IP & port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 7660507887555939, + "definition": { + "title": "Geo distribution of source IPs", + 
"title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 5554013764855839, + "definition": { + "title": "Geo distribution of destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + 
"palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 4 + } + }, + { + "id": 6453647143786254, + "definition": { + "title": "Distribution by source interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@source_interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 3503643022072458, + "definition": { + "title": "Distribution by destination interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@destination_interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" 
+ } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 3183711592945136, + "definition": { + "title": "Malformed chunked encoding details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415013 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 28, + "width": 12, + "height": 3 + } + }, + { + "id": 6025714950476461, + "definition": { + "title": "Header field count exceeded details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415001 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": 
"destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 3 + } + }, + { + "id": 5199677103610925, + "definition": { + "title": "Header field length exceeded details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415002 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 34, + "width": 12, + "height": 3 + } + }, + { + "id": 8309302988186889, + "definition": { + "title": "Body length exceeded details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415003 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 37, + 
"width": 12, + "height": 3 + } + }, + { + "id": 5888248225189301, + "definition": { + "title": "URI length exceeded details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415005 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 3 + } + }, + { + "id": 3716264551186818, + "definition": { + "title": "Maximum number of unanswered HTTP requests exceeded details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:415016 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "source_interface", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "destination_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 43, + "width": 12, + "height": 3 + } + }, + { + "id": 6023506769076130, + "definition": { + "title": "Log 
details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 46, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 51 + } + }, + { + "id": 4254239224299746, + "definition": { + "title": "Transparent Firewall", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4828975084526986, + "definition": { + "type": "note", + "content": "This group focuses on transport-level routing and forwarding behavior, surfacing issues like next-hop lookup failures and interface resolution problems. 
It helps quickly identify unstable paths, misconfigurations, or unusual source and destination patterns that may impact traffic flow or indicate underlying network issues.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7438183154512536, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 176780692198350, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + 
"alias": "Events", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 7231684317880734, + "definition": { + "title": "Routing next-hop failures", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:110003 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 3873012866939893, + "definition": { + "title": "Routing failures details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:110003 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source_interface", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + 
"should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 3 + } + }, + { + "id": 5052098329455248, + "definition": { + "title": "Egress interface lookup failures", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:110002 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 1054763129810697, + "definition": { + "title": "Egress interface lookup failures details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:110002 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@source_interface", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 5826727406974536, + "definition": { + "title": "Event distribution", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@reason" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 4 + } + }, + { + "id": 2108314518757514, + "definition": { + "title": "Distribution by status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip 
$destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "status" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 4 + } + }, + { + "id": 7268927332678109, + "definition": { + "title": "Interface changes details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:110004 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@new_interface", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@old_interface", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + }, + { + "id": 6783807890877563, + "definition": { + "title": "Top source IP & port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + 
{ + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 6, + "height": 4 + } + }, + { + "id": 2170089333047114, + "definition": { + "title": "Top destination IP & port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + 
"index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 18, + "width": 6, + "height": 4 + } + }, + { + "id": 1881704184591297, + "definition": { + "title": "Geo distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + }, + { + "id": 4883864192496295, + "definition": { + "title": "Geo distribution of destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 4 + } + }, + { + "id": 8172120469106509, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(110002 OR 110003 OR 110004) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 35, + "is_column_break": true + } + }, + { + "id": 5476898530234846, + "definition": { + "title": "Identity Firewall", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6310187577257175, + "definition": { + "type": "note", + "content": "This group highlights identity-related operational events, including database download issues, NetBIOS response failures, and DNS lookup problems that can affect user-to-IP mapping accuracy. 
It helps spot connectivity gaps and troubleshoot AD agent reliability.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5651826296425982, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(746001 OR 746002 OR 746003 OR 746005 OR 746007 OR 746016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 7082399489919318, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(746001 OR 746002 OR 746003 OR 746005 OR 746007 OR 746016) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } 
+ ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 3456021268844621, + "definition": { + "title": "Total completed database downloads", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746002 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 3478185151530571, + "definition": { + "title": "Total failed database downloads", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746003 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 
6630902155788261, + "definition": { + "title": "Databases by download status", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746003 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@database", + "@download_status" + ], + "limit": 100, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "formula": "query1", + "cell_display_mode": "number" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 3591446716187158, + "definition": { + "title": "NetBIOS response failures", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746007 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 871205472494060, + "definition": { + "title": "NetBIOS response failures over time", + "title_size": "16", + "title_align": "left", + 
"show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Failures", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746007 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 4321897830729980, + "definition": { + "title": "Top IPs by NetBIOS response failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746007 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 4 + } + }, + { + "id": 4836723868800873, + "definition": { + "title": "Top users by NetBIOS response failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + 
"queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746007 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 4 + } + }, + { + "id": 2470205701876535, + "definition": { + "title": "DNS lookup failure details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746016 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip", + "@reason" + ], + "limit": 10000, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 5446838069139805, + "definition": { + "title": "AD agent disconnectivity reasons", + "title_size": "16", + "title_align": "left", + "type": 
"query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:746005 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip", + "@reason" + ], + "limit": 10000, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 14, + "width": 6, + "height": 4 + } + }, + { + "id": 829666116677134, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(746001 OR 746002 OR 746003 OR 746005 OR 746007 OR 746016) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 35, + "width": 12, + "height": 23 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "destination_ip", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "message_id", + "prefix": 
"@message_id",
+ "available_values": [],
+ "default": "*"
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/cisco_asa/assets/dashboards/cisco_asa_network_activity.json b/cisco_asa/assets/dashboards/cisco_asa_network_activity.json
new file mode 100644
index 0000000000000..da39c440d25d0
--- /dev/null
+++ b/cisco_asa/assets/dashboards/cisco_asa_network_activity.json
@@ -0,0 +1,2169 @@ +{ + "title": "Cisco ASA Network Activity", + "description": "This dashboard provides a consolidated view of key Cisco ASA network events. It helps track overall traffic behavior across the firewall and identify any unusual patterns.", + "widgets": [ + { + "id": 1267739665566534, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg", + "url_dark_theme": "", + "sizing": "none", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 1278317362870490, + "definition": { + "type": "note", + "content": "This dashboard provides a consolidated view of key Cisco ASA network events. It helps track overall traffic behavior across the firewall and identify any unusual patterns.\n\nFor more information, see the [Cisco ASA Integration Documentation](https://docs.datadoghq.com/integrations/cisco_asa/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 2908287547931275, + "definition": { + "title": "Dynamic Traffic Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6539311450368352, + "definition": { + "type": "note", + "content": "This group highlights dynamic filter traffic events, including monitored, permitted, denied, and dropped connections across different protocols. 
It helps identify high-risk sources, malicious destinations, and unusual protocol or interface activity for faster threat detection and investigation.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 8166606612743524, + "definition": { + "title": "Total traffic", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 2906654748990016, + "definition": { + "title": "Traffic over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 
338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@traffic_type" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 3118439462285255, + "definition": { + "title": "Distribution by action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@action" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 5791150033657654, + "definition": { + "title": "Distribution by protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + 
"name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@protocol" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 6192157635723912, + "definition": { + "title": "Distribution by source interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@in_interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": 
"table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 7630031165601861, + "definition": { + "title": "Distribution by destination interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@out_interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 7053751599825148, + "definition": { + "title": "Top source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 3 + } + }, + { + "id": 6068490697686214, + "definition": { + "title": "Top mapped source addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@client_mapped_ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 3 + } + }, + { + "id": 1796122944574774, + "definition": { + "title": "Top destination IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip 
$destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 3 + } + }, + { + "id": 2180469337069675, + "definition": { + "title": "Top mapped destination addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@destination_mapped_ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 3 + } + }, + { + "id": 753948866031643, + "definition": { + "title": "Geo distribution of source IPs", + "title_size": "16", + "title_align": "left", + 
"type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 12, + "height": 4 + } + }, + { + "id": 6859826059506461, + "definition": { + "title": "Geo distribution of destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + 
"order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + }, + { + "id": 7504772341535287, + "definition": { + "title": "Route details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@action", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "in_interface", + "width": "auto" + }, + { + "field": "out_interface", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 4 + } + }, + { + "id": 7686110628066677, + "definition": { + "title": "Top malicious source addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338003 OR 338005 OR 338007 OR 338101 OR 338103 OR 338201 OR 338203) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@malicious_address" + ], + "limit": 10, + "sort": { + "aggregation": "count", + 
"metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 30, + "width": 6, + "height": 3 + } + }, + { + "id": 6264393978144187, + "definition": { + "title": "Top malicious destination addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338002 OR 338004 OR 338006 OR 338008 OR 338102 OR 338104 OR 338202 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@malicious_address" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 30, + "width": 6, + "height": 3 + } + }, + { + "id": 5970460726791053, + "definition": { + "title": "Distribution by threat level", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 
338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@threat_level" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 33, + "width": 6, + "height": 4 + } + }, + { + "id": 4198452588294696, + "definition": { + "title": "Top categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@category" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 33, + "width": 6, + "height": 4 + } + }, + { + "id": 37585727516162, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": 
"left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR 338202 OR 338203 OR 338204) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "in_interface", + "width": "auto" + }, + { + "field": "out_interface", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "threat_level", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 37, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 42 + } + }, + { + "id": 2101932559744653, + "definition": { + "title": "Connection Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1929422360802854, + "definition": { + "type": "note", + "content": "This group highlights denied connection attempts, including inbound TCP/UDP blocks and outbound ACL rejections. 
It helps identify unwanted or suspicious access, track top sources and destinations, and troubleshoot connectivity issues.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 8161399002271927, + "definition": { + "title": "Total denied connections", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 5001495780455797, + "definition": { + "title": "Denied connections over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Connections", + "formula": "query1" 
+ } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 2521062216660425, + "definition": { + "title": "Top source IPs denied", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 5608983806539181, + "definition": { + "title": "Top destination IPs denied", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 3951894267052161, + "definition": { + "title": "Protocols by connection denied", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@protocol" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 4154653212337977, + "definition": { + "title": "Distribution by denied connection interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@interface" + ], + "limit": 10, + 
"sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8446550203448497, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(106001 OR 106002 OR 106006) $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 16, + "is_column_break": true + } + }, + { + "id": 1548736741195400, + "definition": { + "title": "ARP Collision Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6762521485312686, + "definition": { + "type": "note", + "content": "This group highlights ARP collision activity, including interface-specific conflicts and repeated address overlaps. 
It helps detect abnormal network behavior and identify affected devices for faster diagnosis and troubleshooting.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5464300968441927, + "definition": { + "title": "Total ARP collisions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:405001 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 5864532442414234, + "definition": { + "title": "ARP collisions over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:405001 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Collisions", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + 
"order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 576149230445477, + "definition": { + "title": "Distribution by interface", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:405001 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 7935287984040282, + "definition": { + "title": "Geo distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:405001 $client_ip $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 
0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 2355946179843267, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:405001 $client_ip $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "existing_arp_ip", + "width": "auto" + }, + { + "field": "existing_arp_ip_mac_address", + "width": "auto" + }, + { + "field": "source_mac_address", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 18 + } + } + ], + "template_variables": [ + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "destination_ip", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "message_id", + "prefix": "@message_id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/cisco_asa/assets/dashboards/cisco_asa_overview.json b/cisco_asa/assets/dashboards/cisco_asa_overview.json new file mode 100644 index 0000000000000..e409114eb15e9 --- /dev/null +++ b/cisco_asa/assets/dashboards/cisco_asa_overview.json 
@@ -0,0 +1,1150 @@ +{ + "title": "Cisco ASA Overview", + "description": "This dashboard provides a high-level view of Cisco ASA events, offering insight into key trends to support monitoring and analysis.", + "widgets": [ + { + "id": 8774943175353638, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg", + "url_dark_theme": "", + "sizing": "none", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 550540658978336, + "definition": { + "type": "note", + "content": "[Cisco ASA](https://www.cisco.com/c/en_in/products/security/adaptive-security-appliance-asa-software/index.html) is a robust firewall platform that provides enterprise-class protection with high availability and scalable performance. It adapts to evolving security needs and supports dynamic routing for modern networks and data centers.\n\nThis dashboard provides a high-level view of Cisco ASA events, offering insight into key trends to support monitoring and analysis.\n\nFor more information, see the [Cisco ASA Integration Documentation](https://docs.datadoghq.com/integrations/cisco_asa/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 2699179352562317, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 
994672570265013, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates the Cisco ASA logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security).", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 914203422649581, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:cisco-asa status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5056640596465877, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:cisco-asa status:high" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + 
"layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 6002519846519614, + "definition": { + "title": "Critical security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:cisco-asa status:critical" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 3419786390795862, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:cisco-asa status:medium" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 6312925974312819, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:cisco-asa status:low" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 1526267066184226, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:cisco-asa status:info" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 5430025156713922, + "definition": { + "title": "High security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:cisco-asa status:high" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": 
[ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 5693588033367642, + "definition": { + "title": "Medium security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:cisco-asa status:medium" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 10 + } + }, + { + "id": 1975929984886789, + "definition": { + "title": "Events Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8355356865965259, + "definition": { + "type": "note", + "content": "This group highlights broad event activity, offering insight into where events originate, where they are directed, and which services are most involved. 
It helps quickly identify major contributors, geographic trends, and patterns that may warrant deeper investigation.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 28573457361215, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 3738613335376193, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "service" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + 
"storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 1548000829478914, + "definition": { + "title": "Top client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 8802232140734704, + "definition": { + "title": "Top destination IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 5288712689363933, + "definition": { + "title": "Events by service", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa service:* $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "service" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1416034303523596, + "definition": { + "title": "Geo distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + 
"style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 3127355725923208, + "definition": { + "title": "Geo distribution of destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa $message_id $client_ip $destination_ip $service" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.destination.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 8020103807766124, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa $message_id $client_ip $destination_ip $service", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 21, + 
"is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "destination_ip", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "message_id", + "prefix": "@message_id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/cisco_asa/assets/dashboards/cisco_asa_threat_detection.json b/cisco_asa/assets/dashboards/cisco_asa_threat_detection.json new file mode 100644 index 0000000000000..bacaf88b3bcdd --- /dev/null +++ b/cisco_asa/assets/dashboards/cisco_asa_threat_detection.json 
@@ -0,0 +1,656 @@ +{ + "title": "Cisco ASA Threat Detection", + "description": "This dashboard gives a focused view of Cisco ASA threat detections, including drop-rate violations, SYN flood alerts, and hosts added to or removed from the shun list.", + "widgets": [ + { + "id": 7398301237431762, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg", + "url_dark_theme": "", + "sizing": "none", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 8257464041399315, + "definition": { + "type": "note", + "content": "This dashboard gives a focused view of Cisco ASA threat detections, including drop-rate violations, SYN flood alerts, and hosts added to or removed from the shun list.\n\nFor more information, see the [Cisco ASA Integration Documentation](https://docs.datadoghq.com/integrations/cisco_asa/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 3529813274017184, + "definition": { + "title": "Threat Detection Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2047765728965266, + "definition": { + "type": "note", + "content": "This group provides visibility into threat indicators such as abnormal drop rates, SYN flood activity, and shun-list changes. 
By highlighting affected hosts, attack targets, and event patterns over time, it helps quickly spot emerging threats and prioritize response actions.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5696333320358701, + "definition": { + "title": "Objects exceeding drop rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733100 $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": true + }, + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 8453508873901528, + "definition": { + "title": "SYN flood average rate exceeded ", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733104 $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + 
"autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": true + }, + "type": "area" + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 4181058890131978, + "definition": { + "title": "SYN flood burst rate exceeded", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733105 $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": true + }, + "type": "area" + } + }, + "layout": { + "x": 8, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 4166694828047473, + "definition": { + "title": "Hosts added to shun list over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733102 $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Hosts", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 
6, + "height": 3 + } + }, + { + "id": 6160108928118192, + "definition": { + "title": "Hosts removed from shun list over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733103 $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Hosts", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 1725081573374699, + "definition": { + "title": "Top hosts removed from shun list", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733103 $host $destination_ip $message_id -@host:SOURCE_HOST" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@host" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 
6611981644235340, + "definition": { + "title": "Top hosts added to shun list", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:733102 $host $destination_ip $message_id -@host:SOURCE_HOST" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@host" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 5414029271448486, + "definition": { + "title": "Top target hosts of SYN flood attack", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(733104 OR 733105) $host $destination_ip $message_id" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 4645620092039114, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(733100 OR 733102 OR 733103 OR 733104 OR 733105) $host $destination_ip $message_id", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 10, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 15, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "host", + "prefix": "@host", + "available_values": [], + "default": "*" + }, + { + "name": "destination_ip", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "message_id", + "prefix": "@message_id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/cisco_asa/assets/dashboards/cisco_asa_user_activity.json b/cisco_asa/assets/dashboards/cisco_asa_user_activity.json new file mode 100644 index 0000000000000..d0f1ddab9577b --- /dev/null +++ b/cisco_asa/assets/dashboards/cisco_asa_user_activity.json 
@@ -0,0 +1,2586 @@ +{ + "title": "Cisco ASA User Activity", + "description": "This dashboard provides comprehensive visibility into authentication, authorization, and user-management events.", + "widgets": [ + { + "id": 2233252265997282, + "definition": { + "type": "image", + "url": "https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg", + "url_dark_theme": "", + "sizing": "none", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 2991160309639483, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive visibility into authentication, authorization, and user-management events.\n\nFor more information, see the [Cisco ASA Integration Documentation](https://docs.datadoghq.com/integrations/cisco_asa/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "16", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 6193200997941575, + "definition": { + "title": "Authentication Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8849663833809067, + "definition": { + "type": "note", + "content": "This group highlights user login activity, including successful and failed attempts, failure rates, and patterns by user, interface, and geography. 
It helps detect unusual access and monitor authentication reliability.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7964290065158800, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 1605838860777994, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 6239037857385624, + "definition": { + "title": "Successful authentications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109005 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 213843749390802, + "definition": { + "title": "Failed authentications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 4, + "y": 
4, + "width": 4, + "height": 3 + } + }, + { + "id": 1460090498026115, + "definition": { + "title": "Authentication failure rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109005 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero((query1 / (query1 + query2)) * 100)", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + } + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 6580374044041905, + "definition": { + "title": "Authentication failure rate over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + }, + "alias": "Failure Rate", + "formula": "default_zero((query1 / (query1 + query2)) * 100)" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + 
"indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109005 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 3 + } + }, + { + "id": 1231708131126621, + "definition": { + "title": "Top users by failed authentication", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@usr.name" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 4104413474566357, + "definition": { + "title": "Top interfaces", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 8384312104780717, + "definition": { + "title": "Top source IPs by authentication failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 6, + "height": 
3 + } + }, + { + "id": 6277464945496917, + "definition": { + "title": "Top destination IPs by authentication failure", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109006 OR 109010 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 13, + "width": 6, + "height": 3 + } + }, + { + "id": 2540622958168486, + "definition": { + "title": "Failed admin authentications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109033 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": 
{ + "x": 0, + "y": 16, + "width": 4, + "height": 3 + } + }, + { + "id": 3983774254936221, + "definition": { + "title": "Failed admin authentications over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109033 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Failures", + "formula": "query1" + } + ], + "style": { + "palette": "red", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 16, + "width": 8, + "height": 3 + } + }, + { + "id": 130370046492619, + "definition": { + "title": "Failed network user authentications", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109034 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 4, + "height": 3 + } + }, + { + "id": 7364137851474114, + "definition": { + "title": "Failed network user authentications over 
time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109034 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Failures", + "formula": "query1" + } + ], + "style": { + "palette": "red", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 19, + "width": 8, + "height": 3 + } + }, + { + "id": 2895558663639689, + "definition": { + "title": "Geo distribution of source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + }, + { + "id": 3765128338579901, + 
"definition": { + "title": "Geo distribution of destination IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 26, + "width": 12, + "height": 4 + } + }, + { + "id": 4475495428670526, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034) $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 35 + } + }, + { + "id": 9002284889428575, + "definition": { + "title": 
"Authorization Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8559591841407062, + "definition": { + "type": "note", + "content": "This group highlights user access outcomes, showing permitted and denied authorizations, failure rates, and trends by user and interface. It helps identify policy violations and monitor access control enforcement.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2984729219363807, + "definition": { + "title": "Total events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109007 OR 109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96beeb" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 2520074188035056, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109007 OR 109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Authorization Events", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 4039938034195295, + "definition": { + "title": "Authorization permitted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109007 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 5223060712578837, + "definition": { + "title": "User authorization permitted", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:109007 $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": 
"@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 3 + } + }, + { + "id": 517329238008997, + "definition": { + "title": "Authorization denied", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109008 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 1993811005855691, + "definition": { + "title": "User authorization denied", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(109008 OR 109025) $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 4141961763980942, + "definition": { + "title": "Top source IPs by authorization denied", + 
"title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 3, + "height": 3 + } + }, + { + "id": 107607721836656, + "definition": { + "title": "Top destination IPs by authorization denied", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked" + } + } + }, + "layout": { + "x": 3, + "y": 10, + "width": 3, + "height": 3 + } + }, + { + "id": 4634582193717323, + "definition": { + "title": "Interfaces with authorization details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@interface", + "limit": 100, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + }, + { + "facet": "@evt.outcome", + "limit": 100, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 467250780503361, + "definition": { + "title": "Authorization failure rate", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109008 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109007 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, 
+ "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero((query1 / (query1 + query2)) * 100)", + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + } + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 4, + "height": 3 + } + }, + { + "id": 1525976658436557, + "definition": { + "title": "Authorization failure rate over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "number_format": { + "unit": { + "type": "canonical_unit", + "unit_name": "percent" + } + }, + "alias": "Failure Rate", + "formula": "default_zero((query1 / (query1 + query2)) * 100)" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109008 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:109007 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 13, + "width": 8, + "height": 3 + } + }, + { + "id": 997253459550188, + "definition": { + "title": "Top interfaces by authorization denied", + 
"title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:(109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@interface" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 3 + } + }, + { + "id": 2038482373389247, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(109007 OR 109008 OR 109025 OR 109024) $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.client.port", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "@network.destination.port", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + 
"x": 0, + "y": 0, + "width": 12, + "height": 24, + "is_column_break": true + } + }, + { + "id": 3829906060068071, + "definition": { + "title": "User Management", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8581646274087666, + "definition": { + "type": "note", + "content": "This group highlights changes to user accounts, including additions, deletions, and privilege modifications. It helps track administrative activity and detect unusual or risky account changes.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 8206562538919940, + "definition": { + "title": "User privilege changes", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502103 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 4, + "height": 3 + } + }, + { + "id": 5732015710485034, + "definition": { + "title": "User privilege changes over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + 
"requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502103 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "Privilege Changes", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 3 + } + }, + { + "id": 4402447895619587, + "definition": { + "title": "New users added", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502101 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 3 + } + }, + { + "id": 5026106556588436, + "definition": { + "title": "New users added over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502101 
$client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "alias": "User Added", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 3 + } + }, + { + "id": 1323903741998718, + "definition": { + "title": "Users deleted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502102 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 3 + } + }, + { + "id": 8753674074403215, + "definition": { + "title": "Users deleted over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "vertical", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "response_format": "timeseries", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:cisco-asa @message_id:502102 $client_ip $destination_ip $message_id $user_name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + 
"alias": "User deleted", + "formula": "query1" + } + ], + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 3 + } + }, + { + "id": 1713433289068961, + "definition": { + "title": "User add/delete details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(502101 OR 502102) $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "privilege_level", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 1928781107002953, + "definition": { + "title": "User privilege changes details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:502103 $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "previous_privilege_level", + "width": "auto" + }, + { + "field": "new_privilege_level", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 10, + "width": 6, + "height": 3 + } + }, + { + "id": 1005625985956864, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ 
+ { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:cisco-asa @message_id:(502103 OR 502101 OR 502102) $client_ip $destination_ip $message_id $user_name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "message_id", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 18 + } + } + ], + "template_variables": [ + { + "name": "user_name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "client_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "destination_ip", + "prefix": "@network.destination.ip", + "available_values": [], + "default": "*" + }, + { + "name": "message_id", + "prefix": "@message_id", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/cisco_asa/assets/logs/cisco-asa.yaml b/cisco_asa/assets/logs/cisco-asa.yaml new file mode 100644 index 0000000000000..5b48e9ed5826c --- /dev/null +++ b/cisco_asa/assets/logs/cisco-asa.yaml 
@@ -0,0 +1,546 @@ +id: cisco-asa +metric_id: cisco-asa +backend_only: false +facets: + - groups: + - Event + name: Event Outcome + path: evt.outcome + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + 
source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Name + path: usr.name + source: log + +pipeline: + type: pipeline + name: Cisco ASA + enabled: true + filter: + query: source:cisco-asa + processors: + - type: grok-parser + name: Parse Cisco ASA logs + enabled: true + source: message + samples: + - "<190>2025-11-20T07:37:58Z: %ASA-6-302014: Teardown TCP connection + 134712 for inside:10.10.10.10/5014 to identity:10.10.10.10/45544 + duration 0:00:21 bytes 0 No valid adjacency" + grok: + supportRules: "" + matchRules: parse_header + (\<%{integer}\>)?%{date("yyyy-MM-dd'T'HH:mm:ssZ"):timestamp}:\s*%{notSpace}-%{integer:severity}-%{word:message_id}:\s*%{data:message} + - type: message-remapper + name: Define `message` as official message of the log + enabled: true + sources: + - message + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: status-remapper + name: Define `severity` as the official status of the log + enabled: true + sources: + - severity + - type: category-processor + name: Define `service` based on message ID + enabled: true + categories: + - filter: + query: "@message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034 OR + 109007 OR 109008 OR 109024 OR 109025 OR 502101 OR 502102 OR + 502103)" + name: user-activity + - filter: + query: "@message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016 OR + 110002 OR 110003 OR 110004 OR 746001 OR 746002 OR 746003 OR 746005 + OR 746007 OR 746016)" + name: firewall + - name: threat-detection + filter: + query: "@message_id:(733100 OR 733101 OR 733102 OR 733103 OR 733104 OR 733105)" + - name: network-activity + filter: + query: "@message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR + 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 + OR 338202 OR 338203 OR 338204 OR 106001 OR 106002 OR 
106006 OR + 106022 OR 405001 OR 322002 OR 322003 OR 106016)" + - filter: + query: "@message_id:*" + name: other + target: service + - type: service-remapper + name: Define `service` as the official service of the log + enabled: true + sources: + - service + - type: pipeline + name: Threat Detection + enabled: true + filter: + query: "@message_id:(733100 OR 733101 OR 733102 OR 733103 OR 733104 OR 733105)" + processors: + - type: grok-parser + name: Parse Threat Detection Logs + enabled: true + source: message + samples: + - "[ Scanning] drop rate-1 exceeded. Current burst rate is 19 per + second, max configured rate is 33; Current average rate is 50 per + second, max configured rate is 33; Cumulative total count is 44" + - Threat-detection adds host www.example.com to shun list + - TCP Intercept SYN flood attack detected to 192.0.2.3/1194 + (192.0.2.14/443). Average rate of 47 SYNs/sec exceeded the + threshold of 48. + - TCP Intercept SYN flood attack detected to 11.11.11.11/80 + (10.10.10.10/52340). Average rate of 120 SYNs/sec exceeded the + threshold of 100. + - Subnet 100.0.0.0 is targeted. Current burst rate is 19 per second, + max configured rate is 33; Current average rate is 50 per second, + max configured rate is 33; Cumulative total count is 44. + grok: + supportRules: "" + matchRules: >- + rule_733100_733101 (\[\s*%{regex("[^\\]]*"):object}\] drop rate(-| + )%{number:rate_id} exceeded|Subnet %{ip:object_ip} is + targeted|Host %{ip:object_ip} is attacking|%{regex(".*(?=. Current + burst rate)"):object}). Current burst rate is + %{number:current_burst_rate} per (second, max|second_max) + configured rate is %{number:max_configured_burst_rate}; Current + average rate is %{number:current_average_rate} per (second, + max|second_max) configured rate is + %{number:max_configured_average_rate}; Cumulative total count is + %{number:cumulative_total}( \(%{number:received_instances} + instances received\))? 
+ + rule_733102_733103 Threat-detection %{word:action} host %{ipOrHost:host} (to|from) shun list + + rule_733104_733105 %{word:protocol} Intercept SYN flood attack detected to %{ip:network.destination.ip}/%{integer:network.destination.port}\s*\(%{ip:real_ip}/%{integer:real_port}\). %{word:rate_type} rate of %{number:rate} %{notSpace:rate_unit} exceeded the threshold of %{number:rate_threshold} + - type: pipeline + name: User Authentication + enabled: true + filter: + query: "@message_id:(109005 OR 109006 OR 109010 OR 109023 OR 109033 OR 109034)" + processors: + - type: grok-parser + name: Parse User Authentication Logs + enabled: true + source: message + samples: + - Authentication succeeded for user 'james.anderson' from + 192.0.2.2/1194 to 192.0.2.1/1194 on interface tap0 + - Auth from 192.0.2.5/1195 to 192.0.2.4/1195 failed (too many + pending auths) on interface tun0 + - User from 192.0.2.1/443 to 192.0.2.3/443 on interface eth0 using + test service must authenticate before using this service + - Authentication failed for admin user mason.young from + 10.10.10.10. Interactive challenge processing is not supported + for protocol + - Authentication failed for admin user admin1 from 10.10.10.10. 
+ Interactive challenge processing is not supported for ssh + grok: + supportRules: "" + matchRules: >- + rule_109005_109006 Authentication %{notSpace:evt.outcome} for user + '%{regex("[^']*"):usr.name}' from + %{ip:network.client.ip}/%{integer:network.client.port} to + %{ip:network.destination.ip}/%{integer:network.destination.port} + on interface %{data:interface} + + rule_109010 Auth from %{ip:network.client.ip}/%{integer:network.client.port} to %{ip:network.destination.ip}/%{integer:network.destination.port} %{notSpace:evt.outcome} \(%{regex("[^\\)]*"):reason}\) on interface %{data:interface} + + rule_109023 User from %{ip:network.client.ip}/%{integer:network.client.port} to %{ip:network.destination.ip}/%{integer:network.destination.port} on interface %{regex(".*(?= using )"):interface} using %{regex(".*(?= must authenticate)"):service_name} must authenticate before using this service + + rule_109033_109034 Authentication %{notSpace:evt.outcome} for %{notSpace:user_type} user %{regex(".*(?= from )"):usr.name} from (%{ip:network.client.ip}|%{ip:network.client.ip}/%{integer:network.client.port} to %{ip:network.destination.ip}/%{integer:network.destination.port}). Interactive challenge processing is not supported for %{notSpace:protocol}( connections)? 
+ - type: pipeline + name: User Authorization + enabled: true + filter: + query: "@message_id:(109007 OR 109008 OR 109024 OR 109025)" + processors: + - type: grok-parser + name: Parse User Authorization Logs + enabled: true + source: message + samples: + - Authorization permitted for user 'liam.wilson' from 192.0.2.5/443 + to 10.10.10.10/443 on interface ens160 + - Authorization denied from 10.10.10.10/10 to 11.11.11.11/11 (not + authenticated) on interface ens170 using protocol to + - Authorization denied from 10.10.10.10/50412 to 11.11.11.11/443 + (not authenticated) on interface test PM using tcp + - Authorization denied (acl=OUTBOUND-FILTER) for user 'alice' from + 10.10.10.10/50322 to 11.11.11.11/443 on interface outside using + tcp + - Authorization denied from 10.10.10.10/10 to 11.11.11.11/11 (not + authenticated) on interface test using protocol to + grok: + supportRules: "" + matchRules: >- + rule_109007_109008 Authorization %{word:evt.outcome} for user + '%{regex("[^']*"):usr.name}' from + %{ip:network.client.ip}/%{integer:network.client.port} to + %{ip:network.destination.ip}/%{integer:network.destination.port} + on interface %{data:interface} + + rule_109024_109025 Authorization %{word:evt.outcome} (\(acl=%{regex("[^\\)]*"):acl_id}\))?( for user '%{regex("[^']*"):usr.name}' )?from %{ip:network.client.ip}/%{integer:network.client.port} to %{ip:network.destination.ip}/%{integer:network.destination.port} (\(not authenticated\) )?on interface %{regex(".*(?= using )"):interface} using %{notSpace:protocol}( to)? + - type: pipeline + name: User Management + enabled: true + filter: + query: "@message_id:(502101 OR 502102 OR 502103)" + processors: + - type: grok-parser + name: Parse User Management Logs + enabled: true + source: message + samples: + - "New user added to local dbase: Uname: test Priv: 1 Encpass: + *****" + - "User deleted from local dbase: Uname: user Priv: privilege_level + Encpass: *****" + - "User priv level changed: Uname: user 
From: privilege_level To: + privilege_level" + grok: + supportRules: "" + matchRules: 'rule_502101_502102_502103 %{regex(".*(?=: Uname)"):action}: Uname: + %{regex(".*(?= (Priv:|From:))"):usr.name} (Priv: + %{notSpace:privilege_level}%{data}|From: + %{notSpace:previous_privilege_level} To: + %{notSpace:new_privilege_level})' + - type: pipeline + name: Application Firewall + enabled: true + filter: + query: "@message_id:(415001 OR 415002 OR 415003 OR 415005 OR 415013 OR 415016)" + processors: + - type: grok-parser + name: Parse Application Firewall Logs + enabled: true + source: message + samples: + - HTTP - matched matched_string in policy-map + pm_access_control_core, header field count exceeded + connection_action OpenVPN-TAP-Windows6:192.0.2.6/443 to + OpenVPN-TAP-Windows6:10.10.10.10/80 + - HTTP - matched matched_string in policy-map map_name, header field + length exceeded connection_action inside:10.10.10.10/10 to + outside:11.11.11.11/11 + - HTTP - matched matched_string in policy-map map_name, body length + exceeded connection_action inside:10.10.10.10/10 to + outside:11.11.11.11/11 + - HTTP - policy-map map-name:Malformed chunked encoding + connection_action ens160:192.0.2.4/1194 to + Ethernet0:192.0.2.6/1196 + - "policy-map WebMaxRequests: Maximum number of unanswered HTTP + requests exceeded drop inside test:10.10.10.10/51822 to + outside:10.10.10.10/443" + grok: + supportRules: "" + matchRules: >- + rule_415001_415002_415003_415005 HTTP - matched ("%{regex(".*(?=\" + in policy-map)"):matched_string}"|%{regex(".*(?= in + policy-map)"):matched_string}) in policy-map + %{regex("[^,]*"):policy_map},\s+%{regex("header field count + exceeded|header field length exceeded|body length exceeded|URI + length exceeded"):reason} + %{notSpace:connection_action}\s+%{regex("[^:]*"):source_interface}\s*:\s*%{ip:network.client.ip}\s*/\s*%{integer:network.client.port} + to + 
%{regex("[^:]*"):destination_interface}\s*:\s*%{ip:network.destination.ip}\s*/\s*%{integer:network.destination.port} + + rule_415013_415016 (HTTP - )?policy-map %{regex("[^:]*"):policy_map}\s*:\s*%{regex("Maximum number of unanswered HTTP requests exceeded|Malformed chunked encoding"):reason} %{notSpace:connection_action}\s+%{regex("(.+?)(?=\\s*\\:)"):source_interface}\s*:\s*%{ip:network.client.ip}\s*/\s*%{integer:network.client.port} to %{regex("(.+?)(?=\\s*\\:)"):destination_interface}\s*:\s*%{ip:network.destination.ip}\s*/\s*%{integer:network.destination.port} + - type: pipeline + name: Transparent Firewall + enabled: true + filter: + query: "@message_id:(110002 OR 110003 OR 110004)" + processors: + - type: grok-parser + name: Parse Transparent Firewall Logs + enabled: true + source: message + samples: + - Failed to locate egress interface for protocol from + tap0:10.10.10.10/1194 to 192.0.2.1/1194 + - Routing failed to locate next-hop for protocol from src_interface + :10.10.10.10/514 to 11.11.11.11/516 + - Egress interface changed from eth0 to br0 on ip_protocol + connection 108098402 for + zone-new/eth0:192.0.2.5/443(192.0.2.2/1199 ) to + zone-dest/br0:192.0.2.2/1194(192.0.2.7/443 ) + grok: + supportRules: "" + matchRules: >- + rule_110002_110003 %{regex("Failed to locate egress + interface|Routing failed to locate (next-hop|next hop)"):reason} + for %{notSpace:protocol} from + %{regex("(.+?)(?=\\s*\\:)"):source_interface}\s*:\s*%{ip:network.client.ip}\s*/\s*%{integer:network.client.port} + to + (%{regex("(.+?)(?=\\s*\\:)"):destination_interface}\s*:\s*)?%{ip:network.destination.ip}\s*/\s*%{integer:network.destination.port} + + rule_110004 %{regex("Egress interface changed"):reason} from %{regex(".*(?= to )"):old_interface} to %{regex(".*(?= on )"):new_interface} on %{notSpace:protocol} connection %{number:connection_id} for 
%{notSpace:outside_interface_zone}\s*/\s*%{regex("[^:]*"):outside_interface}\s*:\s*%{ip:outside_ip}\s*/\s*%{integer:outside_port}\s*\(%{ip:outside_mapped_ip}\s*/\s*%{integer:outside_mapped_port}\s*\) to %{notSpace:inside_interface_zone}\s*/\s*%{regex("[^:]*"):inside_interface}\s*:\s*%{ip:inside_ip}\s*/\s*%{integer:inside_port}\s*\(%{ip:inside_mapped_ip}\s*/\s*%{integer:inside_mapped_port}\s*\) + - type: pipeline + name: Identity Firewall + enabled: true + filter: + query: "@message_id:(746001 OR 746002 OR 746003 OR 746005 OR 746007 OR 746016)" + processors: + - type: grok-parser + name: Parse Identity Firewall Logs + enabled: true + source: message + samples: + - "user-identity: The AD Agent 10.10.10.10 cannot be reached - + reasonaction" + - "user-identity: NetBIOS response failed from User david.murphy at + 10.10.10.10" + - "user-identity: 10.10.10.10 download failed - bad request" + - "user-identity: DNS lookup for 10.10.10.10 failed, reason: no + memory" + - "user-identity: identity_lookup_store started" + grok: + supportRules: "" + matchRules: >- + rule_746005 user-identity: The AD Agent %{ip:network.client.ip} + cannot be reached - + (%{regex("[^\\[]*"):reason}(\[\s*%{regex("[^\\]]*"):action}\s*\])?|%{data:reason}) + + rule_746007 user-identity: NetBIOS response failed from User %{regex(".*(?= at )"):usr.name} at %{ip:network.client.ip} + + rule_746016 user-identity: DNS lookup for %{ip:network.client.ip} failed, reason:\s*%{data:reason} + + rule_746001_746002_746003 user-identity: %{data:database} %{notSpace:download_status}(\s+-\s+%{data:reason})? 
+ - type: pipeline + name: ARP Collision/IP Spoof Insights + enabled: true + filter: + query: "@message_id:(405001 OR 322002 OR 322003 OR 106016)" + processors: + - type: grok-parser + name: Parse ARP collision/IP spoof Logs + enabled: true + source: message + samples: + - Received ARP request collision from 10.10.10.10/00:25:96:AA:3F:11 + on interface inside with existing ARP entry + 10.10.10.10/00:50:56:C0:12:9A + - Received ARP response collision from 10.10.10.10/3A:4F:B9:27:88:10 + on interface tap1 with existing ARP entry + 192.0.2.4/02:1A:6C:3F:92:11 + - ARP inspection check failed for arp request received from host + 00:25:96:AA:3F:11 on interface wan1. This host is advertising MAC + Address 00:25:96:AA:3F:11 for IP Address 10.10.10.10, which is + statically bound to MAC Address 00:25:96:AA:3F:14 + - ARP inspection check failed for arp request received from host + 00:25:96:AA:3F:11 on interface wan1. This host is advertising MAC + Address 00:25:96:AA:3F:11 for IP Address 10.10.10.10, which is not + bound to any MAC Address + - Deny IP spoof from (10.10.10.10) to 11.11.11.11 on interface wan1 + grok: + supportRules: "" + matchRules: >- + rule_405001 Received ARP (request|response) collision from + %{ip:network.client.ip}\s*/\s*%{mac:source_mac_address} on + interface %{regex(".*(?= with existing ARP)"):interface} with + existing ARP entry + %{ip:existing_arp_ip}\s*/\s*%{mac:existing_arp_ip_mac_address} + + rule_322002_322003 ARP inspection check failed for arp (request|response) received from host %{mac:host_mac_address} on interface %{regex(".*(?=. This)")}. This host is advertising MAC Address %{mac:client_mac_address} for IP Address %{ip:network.client.ip}, (which is (statically|dynamically) bound to MAC Address %{mac:bound_mac_address}|which is not bound to any MAC Address) + + rule_106016 Deny IP spoof from (\()?%{ip:network.client.ip}(\))? 
to %{ip:network.destination.ip} on interface %{data:interface} + - type: pipeline + name: Connection insights + enabled: true + filter: + query: "@message_id:(106001 OR 106002 OR 106006 OR 106022)" + processors: + - type: grok-parser + name: Parse connection Logs + enabled: true + source: message + samples: + - Inbound TCP connection denied from 192.0.2.3/443 to 192.0.2.3/1194 + flags tcp_flags on interface br1 + - TCP Connection denied by outbound list OUTBOUND-ACL src + 10.10.10.10 dest 10.10.10.10 + - Deny inbound UDP from 10.10.10.10/137 to 10.10.10.10/137 on + interface inside + - protocol Connection denied by outbound list acl_ID src 192.0.2.3 + dest 192.0.2.4 + - Deny TCP connection spoof from 10.10.10.10 to 11.11.11.11 on + interface wan1 + grok: + supportRules: "" + matchRules: >- + rule_106001 Inbound %{regex("TCP"):protocol} connection denied + from %{ip:network.client.ip}/%{integer:network.client.port} to + %{ip:network.destination.ip}/%{integer:network.destination.port} + flags %{notSpace:tcp_flag}\s+on\s+interface %{data:interface} + + rule_106002 %{notSpace:protocol} Connection denied by outbound list %{notSpace:outbound_list} src %{ip:network.client.ip} dest %{ip:network.destination.ip} + + rule_106006 Deny inbound %{regex("UDP"):protocol} from %{ip:network.client.ip}/%{integer:network.client.port} to %{ip:network.destination.ip}/%{integer:network.destination.port} on interface %{data:interface} + + rule_106022 Deny %{notSpace:protocol} connection spoof from %{ip:network.client.ip} to %{ip:network.destination.ip} on interface %{data:interface} + - type: pipeline + name: Dynamic traffic insights + enabled: true + filter: + query: "@message_id:(338001 OR 338002 OR 338003 OR 338004 OR 338005 OR 338006 OR + 338007 OR 338008 OR 338101 OR 338102 OR 338103 OR 338104 OR 338201 OR + 338202 OR 338203 OR 338204)" + processors: + - type: grok-parser + name: Parse dynamic traffic Logs + enabled: true + source: message + samples: + - "Dynamic Filter monitored 
blacklisted protocol traffic from + inside:10.10.10.10/10 (11.11.11.11/11) to outside:11.11.11.11/22 + (13.13.13.13/13), destination malicious_address resolved from + local_or_dynamic list: domain_name, threat-level: level_value, + category: category_name" + - "Dynamic Filter permitted black listed TCP traffic from + inside:10.10.10.10/6798 (11.11.11.11/7890) to + outside:12.12.12.12/80 (13.13.13.13/80), destination + 13.13.13.13 resolved from dynamic list: bad.example.com" + - "Dynamic Filter monitored blacklisted UDP traffic from + inside:10.10.10.10/49211 (11.11.11.11/49211) to + outside:12.12.12.12/443 (13.13.13.13/443) source + 13.13.13.13/24 resolved from dynamic list: 13.13.13.13/24, + threat-level: medium, category: phishing" + - "Dynamic filter dropped greylisted TCP traffic from + eth0:10.10.10.1/1234 (source.example.net/11234) to + wan:13.13.13.13/80 (www.example.org/80), destination + malicious_address resolved from dynamic list: example.org, + threat-level: high, category: malware" + - "Dynamic Filter monitored blacklisted protocol traffic from + br0:10.10.10.10/443 (11.11.11.11/443) to ens33:12.12.12.12/1194 + (13.13.13.13/80) source malware-test-example1.badsite resolved from + local list: mycoolapp-preview.mock, threat-level: 0, category: + malware" + grok: + supportRules: "" + matchRules: 'rule Dynamic (Filter|filter) + %{regex("monitored|permitted|dropped|denied|action"):action} + %{regex("blacklisted|black listed|whitelisted|white + listed|greylisted|grey listed"):traffic_type} %{notSpace:protocol} + traffic from + %{regex("(.+?)(?=\\s*\\:)"):in_interface}\s*:\s*%{ip:network.client.ip}\s*/\s*%{integer:network.client.port}\s*\(%{ipOrHost:client_mapped_ip}\s*/\s*%{integer:client_mapped_port}\)(\))? + to + %{regex("(.+?)(?=\\s*\\:)"):out_interface}\s*:\s*%{ip:network.destination.ip}\s*/\s*%{integer:network.destination.port}\s*\(%{ipOrHost:destination_mapped_ip}\s*/\s*%{integer:destination_mapped_port}\)(\),|,\),|,)? 
+ (source|destination) + (%{ip:malicious_address}\s*/\s*%{notSpace:malicious_address_netmask}|%{notSpace:malicious_address}) + resolved from %{notSpace:list_type} list: + (%{ip:dynamic_list_ip_address}\s*/\s*%{notSpace:dynamic_list_netmask}|%{notSpace:domain_name})(, + threat-level: %{notSpace:threat_level}, category: + %{data:category})?' + - type: geo-ip-parser + name: Extract geolocation information from the Client IP + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Extract geolocation information from the Destination IP + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing diff --git a/cisco_asa/assets/logs/cisco-asa_tests.yaml b/cisco_asa/assets/logs/cisco-asa_tests.yaml new file mode 100644 index 0000000000000..d8d62de1096ea --- /dev/null +++ b/cisco_asa/assets/logs/cisco-asa_tests.yaml 
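Review bot: The User Management rule (`rule_502101_502102_502103`) swallows everything after `Priv:` into an unnamed `%{data}`, so the `Encpass` field stays out of the parsed attributes, but the message-remapper still stores the full text as `message`; the samples show `Encpass: *****`, yet if the device emits the actual stored credential there, as the field name suggests, it lands in the log store verbatim. Worth a comment on that rule, e.g. `# Encpass (stored credential) is deliberately not extracted; redact it Agent-side (log_processing_rules / mask_sequences) before it reaches the pipeline`, with a matching step in the README. Separately, `parse_header` accepts only the `yyyy-MM-dd'T'HH:mm:ssZ` timestamp, so events sent with the ASA's legacy `Mon dd yyyy HH:mm:ss` format, or with timestamps disabled, fail the first parser and never receive a `service` category; presumably the README's CLI steps require the RFC 5424 timestamp, but a comment stating that assumption on the rule would save the next maintainer a debugging session. As a point of style, `rule_322002_322003` captures the interface with an unnamed `%{regex(".*(?=. This)")}` while every other rule names it `interface`; naming it would let the ARP-inspection events share the same facet and dashboard filters.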
@@ -0,0 +1,623 @@
+id: "cisco-asa"
+tests:
+ - sample: "<190>2025-11-25T07:19:40Z: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 19 per second, max configured rate is 33; Current average rate is 50 per second, max configured rate is 33; Cumulative total count is 44"
+ result:
+ custom:
+ cumulative_total: 44.0
+ current_average_rate: 50.0
+ current_burst_rate: 19.0
+ max_configured_average_rate: 33.0
+ max_configured_burst_rate: 33.0
+ message_id: "733100"
+ object: "Scanning"
+ rate_id: 1.0
+ service: "threat-detection"
+ severity: 4
+ timestamp: 1764055180000
+ message: "[ Scanning] drop rate-1 exceeded. Current burst rate is 19 per second, max configured rate is 33; Current average rate is 50 per second, max configured rate is 33; Cumulative total count is 44"
+ service: "threat-detection"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055180000
+ - sample: "<190>2025-11-25T07:17:18Z: %ASA-4-733102: Threat-detection adds host 192.0.2.3 to shun list"
+ result:
+ custom:
+ action: "adds"
+ host: "192.0.2.3"
+ message_id: "733102"
+ service: "threat-detection"
+ severity: 4
+ timestamp: 1764055038000
+ message: "Threat-detection adds host 192.0.2.3 to shun list"
+ service: "threat-detection"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055038000
+ - sample: "<190>2025-11-25T07:16:55Z: %ASA-4-733104: TCP Intercept SYN flood attack detected to 192.0.2.3/1194 (192.0.2.14/443). Average rate of 47 SYNs/sec exceeded the threshold of 48"
+ result:
+ custom:
+ message_id: "733104"
+ network:
+ destination:
+ geoip: {}
+ ip: "192.0.2.3"
+ port: 1194
+ protocol: "TCP"
+ rate: 47.0
+ rate_threshold: 48.0
+ rate_type: "Average"
+ rate_unit: "SYNs/sec"
+ real_ip: "192.0.2.14"
+ real_port: 443
+ service: "threat-detection"
+ severity: 4
+ timestamp: 1764055015000
+ message: "TCP Intercept SYN flood attack detected to 192.0.2.3/1194 (192.0.2.14/443). Average rate of 47 SYNs/sec exceeded the threshold of 48"
+ service: "threat-detection"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055015000
+ - sample: "<190>2025-11-25T07:19:27Z: %ASA-6-109005: Authentication succeeded for user 'james.anderson' from 192.0.2.2/1194 to 192.0.2.1/1194 on interface tap0"
+ result:
+ custom:
+ evt:
+ outcome: "succeeded"
+ interface: "tap0"
+ message_id: "109005"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.2"
+ port: 1194
+ destination:
+ geoip: {}
+ ip: "192.0.2.1"
+ port: 1194
+ service: "user-activity"
+ severity: 6
+ timestamp: 1764055167000
+ usr:
+ name: "james.anderson"
+ message: "Authentication succeeded for user 'james.anderson' from 192.0.2.2/1194 to 192.0.2.1/1194 on interface tap0"
+ service: "user-activity"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055167000
+ - sample: "<190>2025-11-25T07:17:53Z: %ASA-3-109010: Auth from 192.0.2.5/1195 to 192.0.2.4/1195 failed (too many pending auths) on interface tun0"
+ result:
+ custom:
+ evt:
+ outcome: "failed"
+ interface: "tun0"
+ message_id: "109010"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.5"
+ port: 1195
+ destination:
+ geoip: {}
+ ip: "192.0.2.4"
+ port: 1195
+ reason: "too many pending auths"
+ service: "user-activity"
+ severity: 3
+ timestamp: 1764055073000
+ message: "Auth from 192.0.2.5/1195 to 192.0.2.4/1195 failed (too many pending auths) on interface tun0"
+ service: "user-activity"
+ status: "error"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055073000
+ - sample: "<190>2025-11-25T07:16:22Z: %ASA-3-109023: User from 192.0.2.1/443 to 192.0.2.3/443 on interface eth0 using test service must authenticate before using this service"
+ result:
+ custom:
+ interface: "eth0"
+ message_id: "109023"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.1"
+ port: 443
+ destination:
+ geoip: {}
+ ip: "192.0.2.3"
+ port: 443
+ service: "user-activity"
+ service_name: "test service"
+ severity: 3
+ timestamp: 1764054982000
+ message: "User from 192.0.2.1/443 to 192.0.2.3/443 on interface eth0 using test service must authenticate before using this service"
+ service: "user-activity"
+ status: "error"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764054982000
+ - sample: "<190>2025-11-25T07:19:14Z: %ASA-4-109033: Authentication failed for admin user mason.young from 198.51.100.11. Interactive challenge processing is not supported for protocol"
+ result:
+ custom:
+ evt:
+ outcome: "failed"
+ message_id: "109033"
+ network:
+ client:
+ geoip: {}
+ ip: "198.51.100.11"
+ protocol: "protocol"
+ service: "user-activity"
+ severity: 4
+ timestamp: 1764055154000
+ user_type: "admin"
+ usr:
+ name: "mason.young"
+ message: "Authentication failed for admin user mason.young from 198.51.100.11. Interactive challenge processing is not supported for protocol"
+ service: "user-activity"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055154000
+ - sample: "<190>2025-11-25T07:19:29Z: %ASA-6-109007: Authorization permitted for user 'liam.wilson' from 192.0.2.5/443 to 198.51.100.8/443 on interface ens160"
+ result:
+ custom:
+ evt:
+ outcome: "permitted"
+ interface: "ens160"
+ message_id: "109007"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.5"
+ port: 443
+ destination:
+ geoip: {}
+ ip: "198.51.100.8"
+ port: 443
+ service: "user-activity"
+ severity: 6
+ timestamp: 1764055169000
+ usr:
+ name: "liam.wilson"
+ message: "Authorization permitted for user 'liam.wilson' from 192.0.2.5/443 to 198.51.100.8/443 on interface ens160"
+ service: "user-activity"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055169000
+ - sample: "<190>2025-11-25T07:15:47Z: %ASA-6-109024: Authorization denied from 10.10.10.10/10 to 11.11.11.11/11 (not authenticated) on interface ens140 using protocol to"
+ result:
+ custom:
+ evt:
+ outcome: "denied"
+ interface: "ens140"
+ message_id: "109024"
+ network:
+ client:
+ geoip: {}
+ ip: "10.10.10.10"
+ port: 10
+ destination:
+ geoip: {}
+ ip: "11.11.11.11"
+ port: 11
+ protocol: "protocol"
+ service: "user-activity"
+ severity: 6
+ timestamp: 1764054947000
+ message: "Authorization denied from 10.10.10.10/10 to 11.11.11.11/11 (not authenticated) on interface ens140 using protocol to"
+ service: "user-activity"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764054947000
+ - sample: "<190>2025-11-25T07:17:10Z: %ASA-5-502101: New user added to local dbase: Uname: sophia.lee Priv: 4 Encpass: *****"
+ result:
+ custom:
+ action: "New user added to local dbase"
+ message_id: "502101"
+ privilege_level: "4"
+ service: "user-activity"
+ severity: 5
+ timestamp: 1764055030000
+ usr:
+ name: "sophia.lee"
+ message: "New user added to local dbase: Uname: sophia.lee Priv: 4 Encpass: *****"
+ service: "user-activity"
+ status: "notice"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055030000
+ - sample: "<190>2025-11-25T07:17:38Z: %ASA-6-415001: HTTP - matched matched_string in policy-map pm_access_control_core, header field count exceeded connection_action OpenVPN-TAP-Windows6:192.0.2.6/443 to OpenVPN-TAP-Windows6:198.51.100.8/80"
+ result:
+ custom:
+ connection_action: "connection_action"
+ destination_interface: "OpenVPN-TAP-Windows6"
+ matched_string: "matched_string"
+ message_id: "415001"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.6"
+ port: 443
+ destination:
+ geoip: {}
+ ip: "198.51.100.8"
+ port: 80
+ policy_map: "pm_access_control_core"
+ reason: "header field count exceeded"
+ service: "firewall"
+ severity: 6
+ source_interface: "OpenVPN-TAP-Windows6"
+ timestamp: 1764055058000
+ message: "HTTP - matched matched_string in policy-map pm_access_control_core, header field count exceeded connection_action OpenVPN-TAP-Windows6:192.0.2.6/443 to OpenVPN-TAP-Windows6:198.51.100.8/80"
+ service: "firewall"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055058000
+ - sample: "<190>2025-11-25T07:17:52Z: %ASA-5-415013: HTTP - policy-map map-name:Malformed chunked encoding connection_action ens160:192.0.2.4/1194 to Ethernet0:192.0.2.6/1196"
+ result:
+ custom:
+ connection_action: "connection_action"
+ destination_interface: "Ethernet0"
+ message_id: "415013"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.4"
+ port: 1194
+ destination:
+ geoip: {}
+ ip: "192.0.2.6"
+ port: 1196
+ policy_map: "map-name"
+ reason: "Malformed chunked encoding"
+ service: "firewall"
+ severity: 5
+ source_interface: "ens160"
+ timestamp: 1764055072000
+ message: "HTTP - policy-map map-name:Malformed chunked encoding connection_action ens160:192.0.2.4/1194 to Ethernet0:192.0.2.6/1196"
+ service: "firewall"
+ status: "notice"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055072000
+ - sample: "<190>2025-11-25T07:19:48Z: %ASA-6-110002: Failed to locate egress interface for protocol from tap0:198.51.100.8/1194 to 192.0.2.1/1194"
+ result:
+ custom:
+ message_id: "110002"
+ network:
+ client:
+ geoip: {}
+ ip: "198.51.100.8"
+ port: 1194
+ destination:
+ geoip: {}
+ ip: "192.0.2.1"
+ port: 1194
+ protocol: "protocol"
+ reason: "Failed to locate egress interface"
+ service: "firewall"
+ severity: 6
+ source_interface: "tap0"
+ timestamp: 1764055188000
+ message: "Failed to locate egress interface for protocol from tap0:198.51.100.8/1194 to 192.0.2.1/1194"
+ service: "firewall"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055188000
+ - sample: "<190>2025-11-25T07:18:29Z: %ASA-6-110004: Egress interface changed from eth0 to br0 on ip_protocol connection 108098402 for zone-new/eth0:192.0.2.5/443(192.0.2.2/1199 ) to zone-dest/br0:192.0.2.2/1194(192.0.2.7/443 )"
+ result:
+ custom:
+ connection_id: 1.08098402E8
+ inside_interface: "br0"
+ inside_interface_zone: "zone-dest"
+ inside_ip: "192.0.2.2"
+ inside_mapped_ip: "192.0.2.7"
+ inside_mapped_port: 443
+ inside_port: 1194
+ message_id: "110004"
+ new_interface: "br0"
+ old_interface: "eth0"
+ outside_interface: "eth0"
+ outside_interface_zone: "zone-new"
+ outside_ip: "192.0.2.5"
+ outside_mapped_ip: "192.0.2.2"
+ outside_mapped_port: 1199
+ outside_port: 443
+ protocol: "ip_protocol"
+ reason: "Egress interface changed"
+ service: "firewall"
+ severity: 6
+ timestamp: 1764055109000
+ message: "Egress interface changed from eth0 to br0 on ip_protocol connection 108098402 for zone-new/eth0:192.0.2.5/443(192.0.2.2/1199 ) to zone-dest/br0:192.0.2.2/1194(192.0.2.7/443 )"
+ service: "firewall"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055109000
+ - sample: "<190>2025-11-25T07:17:02Z: %ASA-5-746007: user-identity: NetBIOS response failed from User david.murphy at 203.0.113.7"
+ result:
+ custom:
+ message_id: "746007"
+ network:
+ client:
+ geoip: {}
+ ip: "203.0.113.7"
+ service: "firewall"
+ severity: 5
+ timestamp: 1764055022000
+ usr:
+ name: "david.murphy"
+ message: "user-identity: NetBIOS response failed from User david.murphy at 203.0.113.7"
+ service: "firewall"
+ status: "notice"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055022000
+ - sample: "<190>2025-11-25T07:19:21Z: %ASA-3-746016: user-identity: DNS lookup for 192.0.2.13 failed, reason:reason"
+ result:
+ custom:
+ message_id: "746016"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.13"
+ reason: "reason"
+ service: "firewall"
+ severity: 3
+ timestamp: 1764055161000
+ message: "user-identity: DNS lookup for 192.0.2.13 failed, reason:reason"
+ service: "firewall"
+ status: "error"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055161000
+ - sample: "<190>2025-11-25T07:16:11Z: %ASA-6-746001: user-identity: identity_lookup_store started"
+ result:
+ custom:
+ database: "identity_lookup_store"
+ download_status: "started"
+ message_id: "746001"
+ service: "firewall"
+ severity: 6
+ timestamp: 1764054971000
+ message: "user-identity: identity_lookup_store started"
+ service: "firewall"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764054971000
+ - sample: "<190>2025-11-25T07:19:30Z: %ASA-4-405001: Received ARP response collision from 203.0.113.1/3A:4F:B9:27:88:10 on interface tap1 with existing ARP entry 192.0.2.4/02:1A:6C:3F:92:11"
+ result:
+ custom:
+ existing_arp_ip: "192.0.2.4"
+ existing_arp_ip_mac_address: "02:1A:6C:3F:92:11"
+ interface: "tap1"
+ message_id: "405001"
+ network:
+ client:
+ geoip: {}
+ ip: "203.0.113.1"
+ service: "network-activity"
+ severity: 4
+ source_mac_address: "3A:4F:B9:27:88:10"
+ timestamp: 1764055170000
+ message: "Received ARP response collision from 203.0.113.1/3A:4F:B9:27:88:10 on interface tap1 with existing ARP entry 192.0.2.4/02:1A:6C:3F:92:11"
+ service: "network-activity"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055170000
+ - sample: "<190>2025-11-25T07:16:58Z: %ASA-2-106001: Inbound TCP connection denied from 192.0.2.3/443 to 192.0.2.3/1194 flags tcp_flags on interface br1"
+ result:
+ custom:
+ interface: "br1"
+ message_id: "106001"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.3"
+ port: 443
+ destination:
+ geoip: {}
+ ip: "192.0.2.3"
+ port: 1194
+ protocol: "TCP"
+ service: "network-activity"
+ severity: 2
+ tcp_flag: "tcp_flags"
+ timestamp: 1764055018000
+ message: "Inbound TCP connection denied from 192.0.2.3/443 to 192.0.2.3/1194 flags tcp_flags on interface br1"
+ service: "network-activity"
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055018000
+ - sample: "<190>2025-11-25T07:17:02Z: %ASA-2-106002: protocol Connection denied by outbound list acl_ID src 192.0.2.3 dest 192.0.2.4"
+ result:
+ custom:
+ message_id: "106002"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.3"
+ destination:
+ geoip: {}
+ ip: "192.0.2.4"
+ outbound_list: "acl_ID"
+ protocol: "protocol"
+ service: "network-activity"
+ severity: 2
+ timestamp: 1764055022000
+ message: "protocol Connection denied by outbound list acl_ID src 192.0.2.3 dest 192.0.2.4"
+ service: "network-activity"
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055022000
+ - sample: "<190>2025-11-25T07:19:23Z: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1194 to 192.0.2.12/1195 on interface Ethernet0"
+ result:
+ custom:
+ interface: "Ethernet0"
+ message_id: "106006"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.10"
+ port: 1194
+ destination:
+ geoip: {}
+ ip: "192.0.2.12"
+ port: 1195
+ protocol: "UDP"
+ service: "network-activity"
+ severity: 2
+ timestamp: 1764055163000
+ message: "Deny inbound UDP from 192.0.2.10/1194 to 192.0.2.12/1195 on interface Ethernet0"
+ service: "network-activity"
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055163000
+ - sample: "<190>2025-11-25T07:17:09Z: %ASA-4-338001: Dynamic Filter monitored blacklisted protocol traffic from br0:192.0.2.4/443 (192.0.2.1/443) to ens33:192.0.2.1/1194 (192.0.2.1/80) source malware-test-example1.badsite resolved from local list: mycoolapp-preview.mock, threat-level: 0, category: category_name"
+ result:
+ custom:
+ action: "monitored"
+ category: "category_name"
+ client_mapped_ip: "192.0.2.1"
+ client_mapped_port: 443
+ destination_mapped_ip: "192.0.2.1"
+ destination_mapped_port: 80
+ domain_name: "mycoolapp-preview.mock"
+ in_interface: "br0"
+ list_type: "local"
+ malicious_address: "malware-test-example1.badsite"
+ message_id: "338001"
+ network:
+ client:
+ geoip: {}
+ ip: "192.0.2.4"
+ port: 443
+ destination:
+ geoip: {}
+ ip: "192.0.2.1"
+ port: 1194
+ out_interface: "ens33"
+ protocol: "protocol"
+ service: "network-activity"
+ severity: 4
+ threat_level: "0"
+ timestamp: 1764055029000
+ traffic_type: "blacklisted"
+ message: "Dynamic Filter monitored blacklisted protocol traffic from br0:192.0.2.4/443 (192.0.2.1/443) to ens33:192.0.2.1/1194 (192.0.2.1/80) source malware-test-example1.badsite resolved from local list: mycoolapp-preview.mock, threat-level: 0, category: category_name"
+ service: "network-activity"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764055029000
+ - sample: "<190>2025-12-05T10:53:28Z: %ASA-3-322002: ARP inspection check failed for arp request received from host 0E:7D:FA:13:B9:09 on interface br1. This host is advertising MAC Address 0E:7D:FA:13:B9:09 for IP Address 1.0.0.1, which is statically bound to MAC Address 22:9B:4E:57:03:D1"
+ result:
+ custom:
+ bound_mac_address: "22:9B:4E:57:03:D1"
+ client_mac_address: "0E:7D:FA:13:B9:09"
+ host_mac_address: "0E:7D:FA:13:B9:09"
+ message_id: "322002"
+ network:
+ client:
+ geoip: {}
+ ip: "1.0.0.1"
+ service: "network-activity"
+ severity: 3
+ timestamp: 1764932008000
+ message: "ARP inspection check failed for arp request received from host 0E:7D:FA:13:B9:09 on interface br1. This host is advertising MAC Address 0E:7D:FA:13:B9:09 for IP Address 1.0.0.1, which is statically bound to MAC Address 22:9B:4E:57:03:D1"
+ service: "network-activity"
+ status: "error"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764932008000
+ - sample: "<190>2025-12-05T10:53:36Z: %ASA-3-322003: ARP inspection check failed for arp request received from host EA:7B:BE:11:56:8D on interface wlan1. This host is advertising MAC Address EA:7B:BE:11:56:8D for IP Address 8.8.4.4, which is not bound to any MAC Address"
+ result:
+ custom:
+ client_mac_address: "EA:7B:BE:11:56:8D"
+ host_mac_address: "EA:7B:BE:11:56:8D"
+ message_id: "322003"
+ network:
+ client:
+ geoip: {}
+ ip: "8.8.4.4"
+ service: "network-activity"
+ severity: 3
+ timestamp: 1764932016000
+ message: "ARP inspection check failed for arp request received from host EA:7B:BE:11:56:8D on interface wlan1. This host is advertising MAC Address EA:7B:BE:11:56:8D for IP Address 8.8.4.4, which is not bound to any MAC Address"
+ service: "network-activity"
+ status: "error"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764932016000
+ - sample: "<190>2025-12-05T10:51:16Z: %ASA-2-106016: Deny IP spoof from 1.1.1.1 to 1.1.1.1 on interface wlan1"
+ result:
+ custom:
+ interface: "wlan1"
+ message_id: "106016"
+ network:
+ client:
+ geoip: {}
+ ip: "1.1.1.1"
+ destination:
+ geoip: {}
+ ip: "1.1.1.1"
+ service: "network-activity"
+ severity: 2
+ timestamp: 1764931876000
+ message: "Deny IP spoof from 1.1.1.1 to 1.1.1.1 on interface wlan1"
+ service: "network-activity"
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764931876000
+ - sample: "<190>2025-12-05T10:52:52Z: %ASA-4-733100: Host 8.8.4.4 is attacking. Current burst rate is 15 per second, max configured rate is 42; Current average rate is 46 per second, max configured rate is 50; Cumulative total count is 34"
+ result:
+ custom:
+ cumulative_total: 34.0
+ current_average_rate: 46.0
+ current_burst_rate: 15.0
+ max_configured_average_rate: 50.0
+ max_configured_burst_rate: 42.0
+ message_id: "733100"
+ object_ip: "8.8.4.4"
+ service: "threat-detection"
+ severity: 4
+ timestamp: 1764931972000
+ message: "Host 8.8.4.4 is attacking. Current burst rate is 15 per second, max configured rate is 42; Current average rate is 46 per second, max configured rate is 50; Cumulative total count is 34"
+ service: "threat-detection"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764931972000
+ - sample: "<190>2025-12-05T10:51:25Z: %ASA-1-106022: Deny SCP connection spoof from 8.8.8.8 to 1.0.0.1 on interface tun0"
+ result:
+ custom:
+ interface: "tun0"
+ message_id: "106022"
+ network:
+ client:
+ geoip: {}
+ ip: "8.8.8.8"
+ destination:
+ geoip: {}
+ ip: "1.0.0.1"
+ protocol: "SCP"
+ service: "network-activity"
+ severity: 1
+ timestamp: 1764931885000
+ message: "Deny SCP connection spoof from 8.8.8.8 to 1.0.0.1 on interface tun0"
+ service: "network-activity"
+ status: "alert"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1764931885000
diff --git a/cisco_asa/changelog.d/21972.added b/cisco_asa/changelog.d/21972.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/cisco_asa/changelog.d/21972.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/cisco_asa/datadog_checks/cisco_asa/__about__.py b/cisco_asa/datadog_checks/cisco_asa/__about__.py
new file mode 100644
index 0000000000000..1bde5986a04b2
--- /dev/null
+++ b/cisco_asa/datadog_checks/cisco_asa/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/cisco_asa/datadog_checks/cisco_asa/__init__.py b/cisco_asa/datadog_checks/cisco_asa/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/cisco_asa/datadog_checks/cisco_asa/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
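Review bot: The last five samples in this fixture (322002, 322003, 106016, the second 733100 and 106022) use live public addresses — 1.0.0.1, 8.8.4.4, 1.1.1.1, 8.8.8.8 — while every earlier sample stays inside the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24. Fixture text that labels real resolver addresses as "attacking" or "spoof" tends to leak into docs and screenshots, and the pipeline's geo-ip processors would resolve them to real locations if these lines were ever replayed, so switch them to documentation addresses, for example `Host 192.0.2.44 is attacking`. Separately, the 110004 expectation `connection_id: 1.08098402E8` shows the connection id being coerced to a float; an identifier should remain a string (`connection_id: "108098402"`) so larger ids are not rounded and can be exact-matched in facets — that fix belongs in the grok rule that emits the attribute, which is outside this file, with the expectation here updated to match.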
diff --git a/cisco_asa/datadog_checks/cisco_asa/data/conf.yaml.example b/cisco_asa/datadog_checks/cisco_asa/data/conf.yaml.example
new file mode 100644
index 0000000000000..40ee720bf7193
--- /dev/null
+++ b/cisco_asa/datadog_checks/cisco_asa/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: tcp/udp
+# port:
+# source: cisco-asa
+# service: cisco-asa
diff --git a/cisco_asa/images/cisco_asa_firewall_details_dark.png b/cisco_asa/images/cisco_asa_firewall_details_dark.png
new file mode 100644
index 0000000000000..3d5374b05b98d
Binary files /dev/null and b/cisco_asa/images/cisco_asa_firewall_details_dark.png differ
diff --git a/cisco_asa/images/cisco_asa_firewall_details_light.png b/cisco_asa/images/cisco_asa_firewall_details_light.png
new file mode 100644
index 0000000000000..a5f00f9b316dd
Binary files /dev/null and b/cisco_asa/images/cisco_asa_firewall_details_light.png differ
diff --git a/cisco_asa/images/cisco_asa_network_activity_light.png b/cisco_asa/images/cisco_asa_network_activity_light.png
new file mode 100644
index 0000000000000..8d7edabe34d1b
Binary files /dev/null and b/cisco_asa/images/cisco_asa_network_activity_light.png differ
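Review bot: The commented sample at the end of the conf.yaml.example hunk, `# - type: tcp/udp`, is not one of the four values the header above it lists (`tcp / udp / file / windows_event`), so a user who uncomments the block as written gets an invalid `type`. Write it as one valid value with the alternative in a trailing comment, `# - type: tcp  # or udp`, and give `port` a visible placeholder such as `# port: <PORT>` so the two edits the header describes as required are obvious at a glance.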
diff --git a/cisco_asa/images/cisco_asa_overview_dark.png b/cisco_asa/images/cisco_asa_overview_dark.png
new file mode 100644
index 0000000000000..c7345c1d33f97
Binary files /dev/null and b/cisco_asa/images/cisco_asa_overview_dark.png differ
diff --git a/cisco_asa/images/cisco_asa_overview_light.png b/cisco_asa/images/cisco_asa_overview_light.png
new file mode 100644
index 0000000000000..c690ce14c8591
Binary files /dev/null and b/cisco_asa/images/cisco_asa_overview_light.png differ
diff --git a/cisco_asa/images/cisco_asa_threat_detection_light.png b/cisco_asa/images/cisco_asa_threat_detection_light.png
new file mode 100644
index 0000000000000..6783141587e3c
Binary files /dev/null and b/cisco_asa/images/cisco_asa_threat_detection_light.png differ
diff --git a/cisco_asa/images/cisco_asa_user_activity_dark.png b/cisco_asa/images/cisco_asa_user_activity_dark.png
new file mode 100644
index 0000000000000..f282583ed3fb3
Binary files /dev/null and b/cisco_asa/images/cisco_asa_user_activity_dark.png differ
diff --git a/cisco_asa/images/cisco_asa_user_activity_light.png b/cisco_asa/images/cisco_asa_user_activity_light.png
new file mode 100644
index 0000000000000..9ff9011ac08bb
Binary files /dev/null and b/cisco_asa/images/cisco_asa_user_activity_light.png differ
diff --git a/cisco_asa/manifest.json b/cisco_asa/manifest.json
new file mode 100644
index 0000000000000..b3782276afcf5
--- /dev/null
+++ b/cisco_asa/manifest.json
@@ -0,0 +1,92 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "da5f5eb9-8c7d-4c21-9d88-8dbf174a3933",
+ "app_id": "cisco-asa",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into Cisco ASA logs",
+ "title": "Cisco ASA",
+ "media": [
+ {
+ "caption": "Cisco ASA Overview",
+ "image_url": "images/cisco_asa_overview_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA Overview",
+ "image_url": "images/cisco_asa_overview_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA User Activity",
+ "image_url": "images/cisco_asa_user_activity_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA User Activity",
+ "image_url": "images/cisco_asa_user_activity_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA Firewall Details",
+ "image_url": "images/cisco_asa_firewall_details_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA Firewall Details",
+ "image_url": "images/cisco_asa_firewall_details_dark.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA Network Activity",
+ "image_url": "images/cisco_asa_network_activity_light.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Cisco ASA Threat Detection",
+ "image_url": "images/cisco_asa_threat_detection_light.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Security",
+ "Category::Network",
+ "Category::Log Collection",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 64141705,
+ "source_type_name": "Cisco ASA",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ }
+ },
+ "dashboards": {
+ "Cisco ASA Firewall Details": "assets/dashboards/cisco_asa_firewall_details.json",
+ "Cisco ASA Network Activity": "assets/dashboards/cisco_asa_network_activity.json",
+ "Cisco ASA Overview": "assets/dashboards/cisco_asa_overview.json",
+ "Cisco ASA Threat Detection": "assets/dashboards/cisco_asa_threat_detection.json",
+ "Cisco ASA User Activity": "assets/dashboards/cisco_asa_user_activity.json"
+ },
+ "logs": {
+ "source": "cisco-asa"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
diff --git a/cisco_asa/pyproject.toml b/cisco_asa/pyproject.toml
new file mode 100644
index 0000000000000..08dac0cff9b18
--- /dev/null
+++ b/cisco_asa/pyproject.toml
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-cisco-asa"
+description = "The Cisco ASA check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "cisco_asa",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.13",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=37.21.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/cisco_asa/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/cisco_asa",
+]
+dev-mode-dirs = [
+ ".",
+]
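Review bot: `assets/configuration/spec.yaml` and the five `assets/dashboards/*.json` paths referenced in the `assets` block of manifest.json are not added anywhere in the visible part of this diff; if they are not in an earlier part either, the manifest points at files that do not exist in the package, so please confirm they ship with it. In `media`, Overview, User Activity and Firewall Details each have a light and a dark image while Network Activity and Threat Detection have only a light one, and the paired entries repeat the same caption, so the tile shows two indistinguishable thumbnails; either add the missing dark variants or tell the captions apart, e.g. `"caption": "Cisco ASA Overview (dark)"`.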