Apr 09 2020
06:28 AM
- last edited on
Dec 23 2021
04:46 AM
by
TechCommunityAP
Hello
Have managed to get logs into Sentinel, and can see them in Analytics and in the events list and graph, but none of the other metrics return anything other than 'the query returned no results'.
Any ideas?
Thanks
Apr 09 2020 01:07 PM
@saint_stevo One thing we noted on our setup was event IDs were missing.
Apr 13 2020 08:51 AM
Apr 25 2020 09:16 PM
The Cisco ASA dashboard is indeed unusable, but the main problem lies in the parsing of the Cisco ASA logs. Cisco managed to make these logs very complicated and difficult to process. For example, to get the full data on a simple TCP connection one needs to correlate two different types of log entries based on the session id and reshuffle the source IP/port and destination IP/port depending on the direction of the traffic. So, to actually get useful data from the raw Cisco ASA logs in the CommonSecurityLog, first you need to build a parser to put the data in order and then build a workbook/dashboard for it. To make things more complicated, only some log entries are sent to the CommonSecurityLog (those related to allowed traffic). The rest are sent to the Syslog table where, again, one needs to build a parser from scratch. Microsoft is actually doing a little bit of work in the background to convert some of the ASA log entries to CEF (as you probably know, the ASA doesn't know CEF).
For example, a correct parser would provide this type of data:
Once you have the good data, it is much easier to build a workbook for it:
I have just little bit of data as we only have a test Cisco ASA 5505 that is not actively used but if you have the data you can build any kind of visualization. What type of data you would want to see on an ASA dashboard?
Adrian Grigorof
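A starting point for the kind of parser Adrian describes, added here as an example (not his code, nor Microsoft's): it correlates the ASA 302013 "Built" and 302014 "Teardown" TCP connection messages by connection id so one row describes a whole session. It assumes the raw ASA text is in `Syslog.SyslogMessage` (point the first line at `CommonSecurityLog` if your connector lands them there) and that the "for" side of the message is the connection initiator.

```kql
// Added example (constructed, not from the thread): pair ASA TCP "Built" (302013)
// and "Teardown" (302014) syslog messages on the ASA connection id and produce a
// normalised session table that a workbook can summarise.
// Assumption: raw ASA text is in Syslog.SyslogMessage; "for" side = initiator.
let AsaTcp = Syslog
    | where SyslogMessage has_any ("302013", "302014")
    | extend MsgId   = extract(@"%ASA-\d-(30201[34])", 1, SyslogMessage)
    | where isnotempty(MsgId)
    | extend ConnId  = extract(@"TCP connection (\d+) for", 1, SyslogMessage),
             SrcZone = extract(@" for (\w+):", 1, SyslogMessage),
             SrcIp   = extract(@" for \w+:([\d\.]+)/", 1, SyslogMessage),
             SrcPort = toint(extract(@" for \w+:[\d\.]+/(\d+)", 1, SyslogMessage)),
             DstZone = extract(@" to (\w+):", 1, SyslogMessage),
             DstIp   = extract(@" to \w+:([\d\.]+)/", 1, SyslogMessage),
             DstPort = toint(extract(@" to \w+:[\d\.]+/(\d+)", 1, SyslogMessage));
let Built = AsaTcp
    | where MsgId == "302013"
    | extend Direction = extract(@"Built (inbound|outbound) TCP", 1, SyslogMessage)
    | project BuiltTime = TimeGenerated, Computer, ConnId, Direction,
              SrcZone, SrcIp, SrcPort, DstZone, DstIp, DstPort;
let Teardown = AsaTcp
    | where MsgId == "302014"
    | extend Duration = extract(@"duration (\d+:\d+:\d+)", 1, SyslogMessage),
             Bytes    = tolong(extract(@"bytes (\d+)", 1, SyslogMessage)),
             Reason   = extract(@"bytes \d+ (.*)$", 1, SyslogMessage)
    | project TeardownTime = TimeGenerated, Computer, ConnId, Duration, Bytes, Reason;
Built
| join kind=leftouter Teardown on Computer, ConnId
| project-away Computer1, ConnId1
// ASA connection ids are reused over time, so only accept a teardown that
// follows its build; sessions with no teardown yet are reported as open.
| where isempty(TeardownTime) or TeardownTime >= BuiltTime
| extend Status = iff(isempty(TeardownTime), "open", "closed")
// Workbook-ready roll-up: busiest destinations per direction and status.
| summarize Connections = count(), TotalBytes = sum(Bytes)
    by Direction, DstZone, DstIp, DstPort, Status
| top 20 by Connections desc
```

Saved as a Sentinel function, the part above the final `summarize` gives a normalised session table that the "top denied/allowed by IP/protocol/port" views can be built on; denies live in other message ids and need their own extract lines.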
Apr 27 2020 04:09 AM
Thanks for the reply! Not sure I would know where to start with regard to the parser... but your example screenshot is a lot more useful than 'The query returned no results', so maybe I'll use lockdown to learn!
I guess a number of 'red flag' type bits on a dashboard: rule changes, failed SSH, etc. And some trends of top denied/allowed based on IP/Protocol/Port would be a start.