Cisco ASA | SIEM Log filtering Best Practice


Hey all you SIEM and SecDevOPs Engineers.

Currently having major ingestion issues with events logged from Cisco ASA. The problem: even with filtering limited to Notification (level 5) events, we accidentally ingested 600M+ logs into Azure Sentinel via the CEF via AMA data connector with the stream set to Microsoft-Ciscoasa.

We need to drastically reduce the amount of logs coming in, however we're struggling to find resources/guides on best practice for event logging.

If there is a Cisco expert out there, can someone please point me in the right direction for getting relevant log events which analysts can use to investigate incidents?

What is the standard out there with respect to high-fidelity alerting and investigation capabilities?

1 Reply
Well, I've come up with this so far.
If you have any input please feel free to share.

Here are some of the events we chose to filter.
| Filter Rule |
| ------------------------------ |
| :msg, contains, "ASA-4-733100" |
| :msg, contains, "ASA-4-733101" |
| :msg, contains, "ASA-4-733102" |
| :msg, contains, "ASA-4-733103" |
| :msg, contains, "ASA-4-733104" |
| :msg, contains, "ASA-4-733105" |
| :msg, contains, "ASA-6-106100" |
| :msg, contains, "ASA-4-106023" |
| :msg, contains, "ASA-5-713041" |
| :msg, contains, "ASA-6-109001" |
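The rules in the table above are rsyslog property-based filters (`:msg, contains, "..."`); in rsyslog each such line still needs an action after it (for example a forward to the AMA listener followed by `& stop`), otherwise it does nothing. The script below is an added example, not code from the original post, that applies the same allow-list with the same plain substring semantics to a few constructed ASA syslog lines, and tallies which message IDs are being dropped so you can see what actually dominates the volume before deciding what to keep. Two things a practitioner would check while tuning this: `contains` is a substring match, so anchoring on `%ASA-4-733100:` (with the `%` and `:`) is slightly tighter than the bare ID; and two of the IDs in the list (106100 and 109001) are severity 6, which an ASA set to log at level 5 will not emit unless those messages are individually re-leveled on the firewall. The sample lines, hostnames and addresses here are constructed for illustration.

```python
import re
from collections import Counter

# Allow-list mirroring the reply's rsyslog ":msg, contains" rules (the reply's own selection).
ALLOWED_IDS = {
    "ASA-4-733100", "ASA-4-733101", "ASA-4-733102", "ASA-4-733103",
    "ASA-4-733104", "ASA-4-733105", "ASA-6-106100", "ASA-4-106023",
    "ASA-5-713041", "ASA-6-109001",
}

# ASA syslog header: %ASA-<severity 0-7>-<six-digit message id>: <text>
ASA_ID_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<num>\d{6}):")


def parse_asa_id(line):
    """Return ('ASA-4-733100', 4) for an ASA line, or None if the line is not ASA-formatted."""
    m = ASA_ID_RE.search(line)
    if not m:
        return None
    return (f"ASA-{m.group('sev')}-{m.group('num')}", int(m.group("sev")))


def rsyslog_contains(line, needle):
    """Semantics of rsyslog ':msg, contains, "needle"': a plain substring match, nothing more."""
    return needle in line


def keep(line, allowed=ALLOWED_IDS):
    """True if any allow-listed ID occurs in the line, exactly as the rsyslog rules would match."""
    return any(rsyslog_contains(line, mid) for mid in allowed)


def filter_lines(lines, allowed=ALLOWED_IDS):
    """Apply the allow-list. Returns (kept_lines, dropped_counter); the counter is keyed by
    message ID (or 'non-ASA') so you can see which IDs contribute the dropped volume."""
    kept, dropped = [], Counter()
    for line in lines:
        if keep(line, allowed):
            kept.append(line)
        else:
            parsed = parse_asa_id(line)
            dropped[parsed[0] if parsed else "non-ASA"] += 1
    return kept, dropped


def top_talkers(lines):
    """Count every ASA message ID seen; run this over a raw sample before choosing a filter."""
    return Counter(p[0] for p in map(parse_asa_id, lines) if p)


# Constructed sample (not real firewall output); format follows the ASA syslog header.
SAMPLE_LINES = [
    "<164>Jan 10 12:00:01 fw01 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second",
    "<166>Jan 10 12:00:02 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/44321 to inside:10.0.0.5/443",
    "<166>Jan 10 12:00:03 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/44321 to inside:10.0.0.5/443 duration 0:00:01 bytes 512 TCP FINs",
    "<166>Jan 10 12:00:04 fw01 %ASA-6-106100: access-list inside_in permitted tcp inside/10.0.0.5(51234) -> outside/203.0.113.9(443) hit-cnt 1 first hit",
    "<164>Jan 10 12:00:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.0.0.5/22 by access-group outside_in",
    "<166>Jan 10 12:00:06 fw01 %ASA-6-302015: Built outbound UDP connection 12346 for outside:203.0.113.53/53 to inside:10.0.0.5/5353",
    "<165>Jan 10 12:00:07 fw01 %ASA-5-713041: Group = 203.0.113.20, IP = 203.0.113.20, IKE Initiator: New Phase 1, Intf inside",
    "<13>Jan 10 12:00:08 host01 sshd[1234]: Accepted publickey for ops from 10.0.0.9 port 50000 ssh2",
]

if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LINES)
    print(f"kept {len(kept)} of {len(SAMPLE_LINES)} lines")
    for mid, n in dropped.most_common():
        print(f"dropped {n:>3}  {mid}")
    print("all IDs seen:", dict(top_talkers(SAMPLE_LINES)))
```

On a real sample the `top_talkers` output is the useful part: the connection build/teardown messages (302013/302014/302015 and friends) typically account for the bulk of ASA volume, and the allow-list approach keeps them out while retaining the threat-detection, ACL-deny and VPN events the reply chose.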