
Built-in Cisco ASA parser fails with hyphens in access-list names

Open TotalGriffLock opened this issue 3 years ago • 16 comments

Following a long-running support ticket TrackingID#2105170050002602 as to why Azure Sentinel's Cisco ASA connector does not parse the access-list permit log event properly (log ID 106100), we have found from Microsoft's support agents that the regular expression used to parse these messages uses:

\w

To delimit the access-list name. This regex is unsuitable for the task at hand, as access-list names in IOS/ASA can have hyphens in them. In fact, they can have any character in them other than a space or a double quote. Microsoft's support agents supplied this part of the regex:

access-list (?:\\w+) (?<action>permitted|denied|est-allowed)

This should probably be more like:

access-list (?:.+)\\s(?<action>permitted|denied|est-allowed)

In order to cope with perfectly acceptable non-word characters being present in an access-list name.

In fact, a suitable regex for parsing the entire message could be:

^%ASA-[0-7]-106100:\s+access-list\s(?<cs1>.+)\s(?<act>permitted|denied|est-allowed)\s(?<proto>tcp|udp|icmp|[0-9]{1,3})\s(?<deviceInboundInterface>.+)\/(?<src>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\((?<spt>[0-9]{1,5})\)(?:\((?<cs2>.+)\))?\s->\s(?<deviceOutboundInterface>.+)\/(?<dst>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\((?<dpt>[0-9]{1,5})\)(?:\((?<cs3>.+)\))?\shit-cnt\s(?<cnt>[0-9]{1,5}).+\[(?<cs4>0x[0-9a-f]{8}),\s(?<cs5>0x[0-9a-f]{8})\]$

Please update the regex in your parser so it can parse Cisco's defined format for access-list names.

TotalGriffLock avatar Nov 17 '21 16:11 TotalGriffLock
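An added example, not code from the issue or from the Sentinel repository: it runs the support-quoted `\w+` fragment and the proposed fragment against a constructed 106100 event with a hyphenated access-list name, then applies the full regex above to the same event. Node.js is used because it supports the `(?<name>...)` group syntax exactly as written in the issue; the sample log lines are constructed, not captured from a device.

```javascript
// Added example (not from the issue or the Sentinel repo): reproduces the
// parsing failure on a hyphenated access-list name and exercises the full
// %ASA-x-106100 regex proposed in the issue. Sample log lines are constructed.

// Fragment quoted by Microsoft support: \w+ cannot cross a hyphen.
const LEGACY_ACL_RE = /access-list (?:\w+) (?<action>permitted|denied|est-allowed)/;

// Fragment proposed in the issue: any characters up to the action keyword.
// Note: the issue states names cannot contain a space or a double quote, so
// [^\s"]+ would also work without relying on backtracking; the issue's form is kept here.
const PROPOSED_ACL_RE = /access-list (?:.+)\s(?<action>permitted|denied|est-allowed)/;

// Full 106100 regex from the issue, copied verbatim as a JS literal.
const FULL_106100_RE = /^%ASA-[0-7]-106100:\s+access-list\s(?<cs1>.+)\s(?<act>permitted|denied|est-allowed)\s(?<proto>tcp|udp|icmp|[0-9]{1,3})\s(?<deviceInboundInterface>.+)\/(?<src>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\((?<spt>[0-9]{1,5})\)(?:\((?<cs2>.+)\))?\s->\s(?<deviceOutboundInterface>.+)\/(?<dst>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\((?<dpt>[0-9]{1,5})\)(?:\((?<cs3>.+)\))?\shit-cnt\s(?<cnt>[0-9]{1,5}).+\[(?<cs4>0x[0-9a-f]{8}),\s(?<cs5>0x[0-9a-f]{8})\]$/;

// Constructed sample events (hyphenated ACL name vs. a plain \w-only name).
const HYPHEN_ACL_LINE = "%ASA-6-106100: access-list DMZ-IN-ACL permitted tcp dmz/10.1.2.3(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8c7e6bef, 0x00000000]";
const PLAIN_ACL_LINE = "%ASA-6-106100: access-list inside denied udp inside/10.9.8.7(5353) -> outside/198.51.100.5(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x00000000]";

// Returns the captured action keyword, or null when the fragment does not match.
function extractAction(line, re) {
  const m = re.exec(line);
  return m ? m.groups.action : null;
}

// Parses a full 106100 message into its named fields, or null on no match.
function parse106100(line) {
  const m = FULL_106100_RE.exec(line);
  return m ? { ...m.groups } : null;
}

// Runs both fragments on one line so the dropped event is visible side by side.
function compareFragments(line) {
  return {
    legacy: extractAction(line, LEGACY_ACL_RE),
    proposed: extractAction(line, PROPOSED_ACL_RE),
  };
}

console.log(compareFragments(HYPHEN_ACL_LINE)); // legacy: null, proposed: "permitted"
console.log(parse106100(HYPHEN_ACL_LINE));
```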

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Nov 17 '21 16:11 github-actions[bot]


Thank you for your detailed description and suggested solution. Currently, the above original regex is the suggested expression for column extraction. Users are invited to run designated queries to either extract or change fields as needed. The issue will be attended to and resolved when we release our upcoming new Cisco ASA over AMA connector.

kochavis avatar Nov 22 '21 15:11 kochavis

Thanks for your response. Do you have an ETA for this new connector?

TotalGriffLock avatar Nov 23 '21 12:11 TotalGriffLock

Unfortunately we can't disclose ETA in a public forum. You are invited to join our private-preview community at www.aka.ms/PrSecCom to learn more.

kochavis avatar Nov 28 '21 07:11 kochavis


Hey, we are looking into this issue and will get back to you asap... Thanks!!!

v-rucdu avatar Dec 23 '21 05:12 v-rucdu

@kochavis - Can you please check the other issue raised on the Cisco ASA parser, https://github.com/Azure/Azure-Sentinel/issues/3789?

v-jayakal avatar Jan 07 '22 05:01 v-jayakal

@TotalGriffLock Out of curiosity, where is this regex? What configuration file or code has it?

guarismo avatar Jan 20 '22 22:01 guarismo

> @TotalGriffLock Out of curiosity, where is this regex? What configuration file or code has it?

Buried somewhere in the inner workings of Log Analytics/Sentinel and not user-accessible. The logs are processed cloud-side; there is a regex specifically for them in omsagent, but it is only there to check that the format is vaguely correct.

TotalGriffLock avatar Jan 21 '22 09:01 TotalGriffLock


Currently we didn't find any parsers that match the Cisco ASA. Please provide more details if the issue still persists. Thanks!!!

v-marimanda avatar Mar 30 '22 08:03 v-marimanda


Thanks, the connector is still being worked on and will be released soon

kochavis avatar Apr 25 '22 19:04 kochavis

@kochavis is your connector ready or released?

v-laanjana avatar Oct 21 '22 07:10 v-laanjana

@kochavis : do we have any update on the connector release? Thanks!!

v-rucdu avatar Jan 06 '23 10:01 v-rucdu

Hi @TotalGriffLock , thank you for flagging this. Apologies for the delayed response. If you still need assistance, please reply here within 5 business days.

v-amolpatil avatar Feb 08 '23 16:02 v-amolpatil

Gentle Reminder: We are awaiting your response on this issue. If you still need to keep this issue active, please respond within the next 2 days. If we don't receive a response by 16 Feb 2023, we will close this issue.

v-amolpatil avatar Feb 14 '23 05:02 v-amolpatil

Since we have not received a response in the last 5 days, we are closing your issue #3465 as per our standard operating procedures. If you still need support for this issue, feel free to re-open it at any time. Thank you for your co-operation.

v-amolpatil avatar Feb 16 '23 18:02 v-amolpatil
