Cisco ASA 4.0.0 action lookup issue with CIM and ES compatibility

Explorer

Hello,

Following the recent update of the Cisco ASA TA to the new major version 4.0.0, we tested it on a test server with some Cisco ASA logs copied from our production.

Log extraction is good (even if the props and transforms files have drastically changed) and is more granular than before.

However, we encountered an issue concerning the "action" field, which is very important for data models and Enterprise Security because it needs to be formatted like action=allowed OR action=teardown OR action=blocked.

In fact, with regex extraction from the raw logs, the Cisco ASA TA extracts values like "Deny", "Built" or "Teardown", and then a lookup called "cisco_asa_action_lookup" matches those actions and rewrites them for CIM compatibility (allowed, teardown or blocked).

But since 4.0.0 this is not the case anymore; I mean the lookup has drastically changed too. Before 4.0.0, if you take a "Deny" firewall event, we had the following translation in the lookup:

vendor_action,action
deny,blocked

and effectively the action field was changed from "deny" to "blocked"

but now we have a lookup with (still with deny for example) :

 vendor_action,message_id,action
 deny,,deny

The workaround for us is to change the values in this lookup in order to get back to normal, but I am not sure: is this something the TA developer missed, or is it me? Because the TA is "CIM compliant" but it seems not to be the case here...

What are your thoughts?

Thanks in advance for the help.

Vince

0 Karma

Path Finder

I think this is a bug in the TA.
I changed the mapping in the lookup for deny and permitted back to allowed and blocked.

Explorer

Hi @DATEVeG,

I have done the same this morning, working great.

I have changed the mapping for deny, denied, built and permitted.

Thank you for your answer 🙂

0 Karma
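Added example, not part of any post in this thread and not the TA's own code: a small offline audit of a lookup file in the 4.0.0 column layout that flags rows whose action is outside the three values named in the question (allowed, blocked, teardown) and writes a corrected copy. The sample rows are constructed, and apart from deny -> blocked (quoted from the pre-4.0.0 lookup above) the suggested rewrites for denied, built and permitted are assumptions based on the replies.

```python
import csv
import io

# Action values the thread says the data models and ES expect.
CIM_ACTIONS = {"allowed", "blocked", "teardown"}
# Only deny -> blocked is quoted in the thread; the other three are assumptions.
SUGGESTED = {"deny": "blocked", "denied": "blocked",
             "built": "allowed", "permitted": "allowed"}
# Constructed sample in the 4.0.0 column layout; not the TA's shipped file.
SAMPLE = """vendor_action,message_id,action
deny,,deny
denied,,denied
built,,built
permitted,,permitted
teardown,,teardown
,106023,blocked
"""

def audit_lookup(text):
    """Return (line_no, key, action, suggestion) for each non-CIM action."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        action = (row.get("action") or "").strip().lower()
        if action in CIM_ACTIONS:
            continue
        key = row.get("vendor_action") or "message_id=" + (row.get("message_id") or "")
        findings.append((reader.line_num, key, action, SUGGESTED.get(action)))
    return findings

def fix_lookup(text):
    """Rewrite non-CIM actions that have a suggestion; leave others as-is."""
    src = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=src.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in src:
        action = (row.get("action") or "").strip().lower()
        if action not in CIM_ACTIONS:
            action = SUGGESTED.get(action, row["action"])
        row["action"] = action
        writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":
    for line_no, key, action, hint in audit_lookup(SAMPLE):
        print(f"line {line_no}: {key}: action={action!r} is not CIM; suggest {hint!r}")
    print(fix_lookup(SAMPLE))
```

Running the audit again on the output of `fix_lookup` should return no findings; any row that still appears has an action value with no suggested rewrite and needs a manual decision.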

Path Finder

I'm not sure if it's related to your issue but I've just backed out from 4.0.0 back to 3.4.0 because we were getting errors related to one of the LOOKUPs associated with the action field.
"Could not load lookup=LOOKUP-cisco_asa_action_lookup_2"

I can see the LOOKUP defined in the TA's default/props.conf and nothing looks obviously wrong to me.

I wonder if it's supposed to be a two stage process (there's a LOOKUP-cisco_asa_action_lookup_1 as well) and the fact that this second lookup is broken(?) is what is causing the issue that you're having.

0 Karma

Explorer

Hi @chris_barrett,

For me the lookup definition is good. In fact, they have completely changed the definition and action of this lookup; now all the work is in the props.conf file:

LOOKUP-cisco_asa_action_lookup_1 = cisco_asa_action_lookup vendor_action as action OUTPUT action, action AS Cisco_ASA_action
LOOKUP-cisco_asa_action_lookup_2 = cisco_asa_action_lookup message_id OUTPUTNEW action, action AS Cisco_ASA_action

The definition is working great and as intended, meaning that the action lookup is rewriting the action field already extracted by regex in transforms.conf. The only issue for me is that the content of "cisco_asa_action_lookup" is wrong and has changed badly.

Maybe you didn't copy the lookup "cisco_asa_action_lookup" when you updated your TA? Or maybe it's a rights issue (happens very often with lookups and Splunk...).

Vince

Engager

I am having my indexers throw this same error when I do a search on the search head cluster. It was working fine with 3.2.1 props/lookups but since going to 4.0.2 I am getting this exact same message on all my indexers for any searches. I have made sure the TA exists on both IDX tier and SHC tier.

0 Karma