ocsf-schema
Create a Network Tunneling Class (VPN Session Start/Stop Events)
I have about 30 or so Cisco VPN Events to map to OCSF. Today, we do not have any class associated specifically with VPN sessions.
After some discussion, one idea was to create a Tunneling class - tunneling can be VPN but not just VPN. And there are all kinds of tunnels - IPsec, P2P, PPTP, etc. Tunnel logs usually have very distinct actions, which is what leads me to think that an event class is most appropriate.
NOTE: session start and session end activities should be removed from the authorization class as they were added into 1.1-dev to compensate.
Here is the full shebang list of VPN events I need to map:
| Event code | Cisco Logging Class | Vendor Description |
|---|---|---|
| 113039 | User Authentication (auth) | The AnyConnect session has started for the user in this group at the specified IP address. When the user logs in via the AnyConnect login page, the AnyConnect session starts. |
| 611101 | VPN Client (vpnc) | User authentication succeeded when accessing the Secure Firewall Threat Defense device. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured. |
| 716001 | WebVPN and AnyConnect Client (webvpn) | The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts. |
| 716038 | WebVPN and AnyConnect Client (webvpn) | Before a WebVPN session can start, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+). |
| 722033 | SSL VPN Client (svc) | The first SVC connection was established for the SVC session. |
| 722051 | SSL VPN Client (svc) | The specified address has been assigned to the given user. |
| 723001 | Citrix Client (citrix) | The Citrix connection is up. |
| 722022 | SSL VPN Client (svc) | |
| 602303 | IKE and IPsec (vpn) | A new SA was created. |
| 722034 | SSL VPN Client (svc) | A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection. There is no existing connection for this session because the connection was already dropped by the SVC or the Secure Firewall Threat Defense device. You may be having trouble connecting. |
| 113019 | User Authentication (auth) | An indication of when and why the longest idle user is disconnected. |
| 611103 | VPN Client (vpnc) | The specified user logged out. |
| 716002 | WebVPN and AnyConnect Client (webvpn) | The WebVPN session has been terminated by a user request. |
| 716006 | WebVPN and AnyConnect Client (webvpn) | The WebVPN session was not created for the user in the specified group because the VPN tunnel protocol is not set to WebVPN. |
| 722029 | SSL VPN Client (svc) | The number of connections, reconnections, and resets that have occurred are reported. |
| 722031 | SSL VPN Client (svc) | End-of-session statistics are being recorded. |
| 723002 | Citrix Client (citrix) | The Citrix connection is down. |
| 722023 | SSL VPN Client (svc) | |
| 602304 | IKE and IPsec (vpn) | An SA was deleted. |
| 109031 | User Authentication (auth) | |
| 109033 | User Authentication (auth) | AAA challenge processing was triggered during authentication of an administrative connection, but the Secure Firewall Threat Defense device cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied. |
| 109034 | User Authentication (auth) | AAA challenge processing was triggered during authentication of a network connection, but the Secure Firewall Threat Defense device cannot initiate interactive challenge processing with the client application. When this occurs, the authentication attempt will be rejected and the connection denied. |
| 611102 | VPN Client (vpnc) | User authentication failed when attempting to access the Secure Firewall Threat Defense device. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured. |
| 716005 | WebVPN and AnyConnect Client (webvpn) | The ACL for the WebVPN user in the specified group failed to parse correctly. |
| 716039 | WebVPN and AnyConnect Client (webvpn) | Before a WebVPN session starts, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+). In this case, the user credentials (username and password) either did not match, or the user does not have permission to start a WebVPN session. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured. |
| 719017 | E-mail Proxy (email) | The WebVPN session is aborted because the ACL has failed to parse for this user. The ACL determines what the user restrictions are on e-mail account access. The ACL is downloaded from the AAA server. Because of this error, it is unsafe to proceed with login. |
| 719018 | E-mail Proxy (email) | The ACL cannot be found at the local maintained ACL list. The ACL determines what the user restrictions are on e-mail account access. The ACL is configured locally. Because of this error, you cannot be authorized to proceed. |
| 719021 | E-mail Proxy (email) | The ACL determines what the user restrictions are on e-mail account access. The authorization checking using the ACL is not enabled. |
| 719024 | E-mail Proxy (email) | The Piggyback authentication is using an established WebVPN session to verify the username and IP address matching in the WebVPN session database. This is based on the assumption that the WebVPN session and e-mail proxy session are initiated by the same user, and a WebVPN session is already established. Because the authentication has failed, the session will be aborted. The user is not allowed to access the e-mail account. |
| 113036 | User Authentication (auth) | The given parameter has a bad value. The value is not shown because it might be very long. |
| 719019 | E-mail Proxy (email) | The ACL determines what the user restrictions are on e-mail account access. The user cannot access the e-mail account because the authorization check fails. |
| 719023 | E-mail Proxy (email) | The username is denied by the AAA server. The session will be aborted. The user is not allowed to access the e-mail account. |
| 722036 | SSL VPN Client (svc) | |
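To illustrate what a mapping layer for the proposed class would have to do, here is an added example (not code from the issue, the OCSF project, or Cisco) that parses lines in Cisco ASA/FTD syslog style, picks out the message ID, and sorts a handful of the codes listed above into start/stop/fail activities based on their vendor descriptions. The `start`/`stop`/`fail` labels, the output field names, and the sample log lines are all assumptions constructed for this example; OCSF defines no such class here.

```python
"""Normalize constructed Cisco-style VPN syslog lines into a proposed
tunnel start/stop event shape. Activity labels and field names are this
example's assumptions, not an existing OCSF class."""
import re
from typing import Optional

# Cisco syslog header: %ASA-<severity>-<six-digit message id>: <text>
HEADER = re.compile(r"%(?:ASA|FTD)-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)")
# Many VPN session messages carry "Group <g> User <u> IP <ip>" in the text.
FIELDS = re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")

# Message ids from the issue whose description states a session/tunnel
# start, end, or failure. Grouping them this way is the example's assumption.
START = {"113039", "716001", "722033", "722051", "723001", "602303"}
STOP = {"113019", "611103", "716002", "722031", "723002", "602304"}
FAIL = {"109033", "109034", "611102", "716039", "719023"}


def classify(msg_id: str) -> Optional[str]:
    """Map a vendor message id to a tunnel activity, or None if unrelated."""
    if msg_id in START:
        return "start"
    if msg_id in STOP:
        return "stop"
    if msg_id in FAIL:
        return "fail"
    return None  # e.g. plain connection logs belong to a different class


def normalize(line: str) -> Optional[dict]:
    """Return a tunnel event dict for recognised lines, else None."""
    m = HEADER.search(line)
    if not m or (activity := classify(m["msg_id"])) is None:
        return None
    event = {"activity": activity, "vendor_msg_id": m["msg_id"],
             "severity": int(m["sev"]), "user": None, "group": None, "src_ip": None}
    f = FIELDS.search(m["text"])
    if f:  # fields are optional: auth-failure lines may omit them
        event.update(user=f["user"], group=f["group"], src_ip=f["ip"])
    return event


# Constructed sample lines in Cisco syslog style (not real captures).
SAMPLE = [
    "%ASA-6-113039: Group <GP-Remote> User <alice> IP <203.0.113.7> AnyConnect session started.",
    "%ASA-6-716002: Group <GP-Remote> User <alice> IP <203.0.113.7> WebVPN session terminated.",
    "%ASA-6-611102: User authentication failed: Uname: bob",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.2/443",
]


def run(lines=SAMPLE) -> list:
    """Normalize all lines, dropping those that are not tunnel events."""
    return [e for e in (normalize(l) for l in lines) if e]
```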