Change log for CISCO_ASA_FIREWALL

Date Changes
2025-11-14 - metadata.event_type: Removed mapping of `NETWORK_UNCATEGORIZED` from `metadata.event_type` UDM field and mapped `USER_LOGIN` instead, for event id `113015` as it better reflects the nature of the event.
2025-11-11 - Enhanced GROK pattern to accommodate the updated log format for event `716002`.
2025-10-30 - Enhanced GROK pattern to accommodate the updated log format for event `113039`.
- Revised event type to `USER_LOGIN` for event `716038`, as it better reflects the nature of the event.
- target.ip: Removed mapping of `IP` from `target.ip` UDM field for event "716038".
- principal.ip: Mapped `IP` raw log field with `principal.ip` UDM field for event "716038".
2025-10-29 - Enhanced GROK pattern to accommodate the updated log format for events `605005` and `722041`.
2025-10-03 - `324303`: Added support for the event `324303` and relevant corresponding raw log fields.
2025-09-19 - For Cisco ASA firewall events 722022, 722023, 722028, 722012, 113039, 606001, 611101, 611102, 611103, 611310, 611311, 716002, 716039, 772003, and 772004, the following mappings were changed to make them more accurate:
- principal.hostname: Removed mapping of `Cisco syslog host` from `principal.hostname` UDM field.
- target.hostname: Mapped `Cisco syslog host` raw log field with `target.hostname` UDM field.
- target.ip: Removed mapping of `Message Ip` from `target.ip` UDM field.
- principal.ip: Mapped `Message Ip` raw log field with `principal.ip` UDM field.
- For Cisco ASA firewall events 722022, 722023, 722028, and 722012 (message ID: 14), the following mappings were changed to make them more accurate:
- target.user.userid: Removed mapping of `Message User Id` from `target.user.userid` UDM field.
- principal.user.userid: Mapped `Message User Id` raw log field with `principal.user.userid` UDM field.
- target.user.group_identifiers: Removed mapping of `Message Group Name` from `target.user.group_identifiers` UDM field.
- principal.user.group_identifiers: Mapped `Message Group Name` raw log field with `principal.user.group_identifiers` UDM field.
- metadata.event_type: Removed mapping of `USER_LOGIN/USER_LOGOUT` from `metadata.event_type` UDM field and mapped `NETWORK_CONNECTION` instead.
- extensions.auth.type: Removed the static value mapping of `MACHINE` for `extensions.auth.type` UDM field.
2025-09-17 - Improved error handling to cover various edge cases across multiple scenarios.
2025-08-26 - security_result.severity: Removed the value `INFORMATIONAL` from `security_result.severity` UDM field and mapped the value `HIGH` instead when the `cisco_severity` is equal to 1.
- security_result.severity: Removed the value `INFORMATIONAL` from `security_result.severity` UDM field and mapped the value `LOW` instead when the `cisco_severity` is equal to 4.
- security_result.severity: Removed the value `INFORMATIONAL` from `security_result.severity` UDM field and mapped the value `LOW` instead when the `cisco_severity` is equal to 5.
2025-06-10 Updated the GROK pattern to correctly parse the `principal.user.userid` UDM field for events 746012 and 746013.
2025-06-05 Updated a GROK pattern to handle unparsed logs for "cisco_message_number" 721016.
2025-05-30 Added a GROK pattern to support multiple format logs for event 113011.
2025-05-13 Added a GROK pattern to support multiple format logs for events 109100 and 113009.
2025-03-28 Updated a GROK pattern to handle the unparsed logs issue for "cisco_message_number" 113022.
2025-01-09 - Events 317077, 317078
- Modified the Grok pattern to parse logs with trailing spaces in the protocol field.
2024-12-16 - Modified the Grok pattern to parse the fields "src_interface_name" and "dst_interface_name", which contain a colon inside their values.
2024-10-09 - Added support for message numbers 313005 and 710003, mapping the action field to security_result.action = "BLOCK".
2024-08-16 - Added support for "cisco_message_number" 302014, mapping "security_result.action_details" as "Teardown TCP connection".
2024-06-13 - Updated Grok pattern for "cisco_message_number" 721018.
- Added support for "cisco_message_number" 317078.
2024-04-24 Updated Grok pattern for "cisco_message_number" 713016, 212005.
2023-12-15 Updated Grok pattern for "cisco_message_number" 302014, 302015, and 302016.
2023-12-13 Updated the Grok pattern to handle the unparsed logs issue.
2023-11-29 Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-09-06 - Updated Grok pattern for "cisco_message_number" 302013.
2023-08-09 - Updated Grok pattern for "cisco_message_number" 302014, 302015, and 302016.
2023-06-14 Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".
2023-05-17 - Added support for logs with '<' and '>' characters where 'cisco_message_number=722051'.
2023-05-02 - Updated mapping for the "ori_src_ip" and "ori_dst_ip" fields.
2023-03-29 Changed validation for NETWORK_CONNECTION event.
- Extracted "asa_device_ip" from syslog header and mapped it to "observer.ip".
- Changed mapping of user IP address from "target.ip" to "principal.ip" for cisco_message_number=113015.
- Updated Grok pattern for cisco_message_number=402116, 402119, 419003, 713025, 713034, 104002.
- Added Grok pattern for cisco_message_number=713024, 210007.
2022-12-20 Enhancement
- Updated the Grok pattern for cisco_message_number=113005, 737026.
- Added new Grok pattern for cisco_message_number=109201.
- Mapped metadata.event_type as USER_UNCATEGORIZED when principal.user.userid is not null.
- Mapped metadata.event_type as STATUS_UNCATEGORIZED when principal.ip is not null.
2022-10-12 Bugfix
- Added new Grok pattern for cisco_message_number=302015 for outbound connection.
2022-09-28 Promoted CISCO_ASA_FIREWALL parser to default. As part of the promotion, customer symlinks are also being removed.
For the field mapping differences, see field mapping changes