topic Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility in All Apps and Add-ons

Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

vince135 — Wed, 30 Sep 2020 05:17:39 GMT

Hello,

Following the recent update of the cisco asa TA to new major version 4.0.0, we have tested this on a test server with some cisco asa logs copied from our production.

Log extraction is good (even if the props and transforms files have drastically changed) and is more granular than before.

However, we encountered an issue concerning the "action" field that is very important with datamodels and enterprise security because it needs to be formatted like action=allowed OR action=teardown or action=blocked.

In fact, with regex extraction, from the raw logs, cisco asa TA is extracting values like "Deny", "Built" or "Teardown" and then there is a lookup called "cisco_asa_action_lookup" that match those actions and rewrite with the CIM compatibility (allowed, teardown or blocked).

But since 4.0.0 is not the case anymore, I mean the lookup has drastically changed too. Before 4.0.0 , if you take a "Deny" firewall event we had in the lookup the following translation :

vendor_action,action
deny,blocked

and effectively the action field was changed from "deny" to "blocked"

but now we have a lookup with (still with deny for example) :

 vendor_action,message_id,action
 deny,,deny

The workaround for us is to change the values in this lookup in order to be back to normal but I am not sure, is this a missing from the TA developper or is me ? Because the TA is "CIM compliant" but it's seems to not be the case here...

What are your thoughts ?

thanks in advance for the help

Vince

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

chris_barrett — Wed, 30 Sep 2020 05:12:40 GMT

I'm not sure if it's related to your issue but I've just backed out from 4.0.0 back to 3.4.0 because we were getting errors related to one of the LOOKUPs associated with the action field.
"Could not load lookup=LOOKUP-cisco_asa_action_lookup_2"

I can see the LOOKUP defined in the TA's default/props.conf and nothing looks obviously wrong to me.

I wonder if it's supposed to be a two stage process (there's a LOOKUP-cisco_asa_action_lookup_1 as well) and the fact that this second lookup is broken(?) is what is causing the issue that you're having.

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

vince135 — Wed, 30 Sep 2020 05:18:23 GMT

Hi @chris_barrett,

For me the lookup definition is good. In fact, they have completly change the definition and action of this lookup, now all the work is in props.conf file

LOOKUP-cisco_asa_action_lookup_1 = cisco_asa_action_lookup vendor_action as action OUTPUT action, action AS Cisco_ASA_action
LOOKUP-cisco_asa_action_lookup_2 = cisco_asa_action_lookup message_id OUTPUTNEW action, action AS Cisco_ASA_action

The definition is working great and as intended, meaning that the action lookup is re writting the action field already extrated by regex in the transforms.conf. The only issue for me is that the content of "cisco_asa_action_lookup" is wrong and have changed badly.

Maybe you didn't copy the lookup "cisco_asa_action_lookup" when you update your TA ? or maybe it's a right issue (happens very often with lookup and splunk...)

Vince

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

DATEVeG — Tue, 05 May 2020 07:58:39 GMT

I think this is a bug in the TA.
I changed the mapping in the lookup for deny and permitted back to allowed and blocked.

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

vince135 — Tue, 05 May 2020 08:02:32 GMT

Hi @DATEVeG,

I have done the same this morning, working great.

I have changed the mapping for deny, denied, built and permitted.

Thank you for your answer 🙂

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

deepakcompany85 — Tue, 05 May 2020 09:23:10 GMT

Looks like you have to do the mapping yourself - https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Configurelookups

Re: Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

peachcake — Thu, 09 Jul 2020 22:56:05 GMT

I am having my indexers throw this same error when I do a search on the search head cluster. It was working fine with 3.2.1 props/lookups but since going to 4.0.2 I am getting this exact same message on all my indexers for any searches. I have made sure the TA exists on both IDX tier and SHC tier.