Cisco ASA Events - TCP Build Messages (302013) Not Parsing Correctly
Is this from the parsing in the Solution/Rules, e.g. Azure-Sentinel/Solutions/CiscoASA/Analytic Rules/CiscoASA-AvgAttackDetectRateIncrease.yaml at bdeb8adf97c39a6ec87267410a91bb72976748a7 (Azure/Azure-Sentinel, github.com),
or from rules that use the ASIM parser? Azure-Sentinel/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml at fe60fd336ce4e8c847e2167cbec952b529faf783 (Azure/Azure-Sentinel, github.com)
Good questions. We're currently using the V1 Cisco ASA Data Connector, 2+ years old now. It may well be that a newer V3 connector fixes this. It's difficult to understand how even a V1 makes it out the door with source and destination IPs reversed, but it makes sense to give it a try.
There doesn't seem to be an upgrade button, and it appears that the Data Connector content has been re-worked. We don't even see all of our connectors under "Data Connectors"; it's telling us we have to Centralize our content. We'll have support walk us through that. Thanks, J-
- Clive_Watson, Jan 04, 2024, Bronze Contributor
You need to look in [Content Hub], not [Data Connectors]; it all moved there a while ago.