Cisco Asa ASim Authentication parsing fix #10853
Assignees
Labels
Comments
|
@cgiamp %ASA-6-716038: Group User [email protected] IP <xxx.xxx.xxx.xxx> Authentication: successful, Session Type: WebVPN. and suggested following change: | parse Message with * 'User <' TargetUsername '> IP <' SrcIpAddr '> Authentication'* I see angle bracket only around IP Address and not around user. I think we just need to add angle bracket for IP Address. Can you confirm? |
|
Hi @vakohl, Based on the events that I am seeing on our ASA firewall both information (User and IP) are included into angle brackets. Sorry but I cannot share the events here. Regards, |
|
ASIM - @vakohl |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
The event id 716038 of Cisco ASA has the following format:
So I suggest to change the parsing of this line:
Azure-Sentinel/Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoASA.yaml
Line 176 in 34b6334
to:
in order to trim the angle brackets from the relevant fields.
Regards,
Christos
The text was updated successfully, but these errors were encountered: