Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cisco WSA - the WSA TA add on App(verison 3.3) is ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco WSA - the WSA TA add on App(verison 3.3) is not extracting fields
I am using souretype cisco:wsa:squid, however I tried all the cisco:wsa:w3c as well, no luck so far? No sure where am I doing wrong?
as a result of this the Cisco Enterprise Suite --> web security dashboard are not working.
Sample Logs :
Nov 14 16:04:48 WSA_HOSTNAME Splunk_AccLogs: Info: 1542200692.909 119540 172.31.40.103 TCP_MISS/200 6542 CONNECT tunnel://nexus.officeapps.live.com:443/ - DIRECT/nexus.officeapps.live.com - PASSTHRU_WEBCAT_7-DefaultGroup-
IDN_NON_AUTHENTICATED-NONE-NONE-NONE-DefaultGroup-NONE -
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample Event from Cisco WSA add-on
1542205718.000 379 10.0.0.3 TCP_MISS/301 4241 POST http://test_web.com/page4/d.jpg Zerimski DIRECT/www.xxxxxxx12.com image/gif BLOCK_AMW_RESP_379-Allow_All_iDevices-WebxOnly-NONE-DefaultGroup-DefaultGroup-RoutingPolicy <IW_infr,4.5,-,"-",-,-,-,14,"880F4.dll",379,379,379,"F27634FC0",-,-,"-","-",-,-,IW_infr,"13","-","threat1","Avc_app","Avc_app_category","dbca","err",347.8634,1,[Remote],"-","-",14,"abcd",379,1,"880F4.pdf","72C9206BDE076785C3CEBEF7D8FF1FF3C35B0178BB01A299AFFC7BF35D593B37",-> "Anonymous_Suspect_Vendor" "Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025" - -
Regex (Field Extraction) from Cisco WSA add-on
REGEX = (?<timestamp>[0-9.]+)\s+(?<x_elapsed_time>[0-9]+)\s+(?<src_ip>[a-zA-Z0-9:.]*)\s+(?<txn_result_code>[A-Z_]*)\/(?<status>[0-9]*)\s+(?<bytes_in>[0-9]*)\s+(?<http_method>\w*)\s+(?<url>\S*)\s+["|']?(?<user>[^\s"']+)["|']?\s+(?<server_contact_mode>[^\/]+)\/(?<dest>\S*)\s+(?<http_content_type>\S*)\s+(?<acltag>\S*)\s+(?:<|<)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),["|']?(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)["|']?,["|']?(?<webroot_threat_name>[^,"']+)["|']?,(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),["|']?(?<x_mcafee_filename>[^,]+?)["|']?,(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),["|']?(?<x_mcafee_virus_name>[^,]+?)["|']?,(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),["|']?(?<x_sophos_file_name>[^,]+?)["|']?,["|']?(?<x_sophos_virus_name>[^,]+?)["|']?,(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),["|']?(?<x_webcat_resp_code_abbr>[^,]+?)["|']?,["|']?(?<x_resp_dvs_threat_name>[^,]+?)["|']?,["|']?(?<x_wbrs_threat_type>[^,"']+)["|']?,["|']?(?<x_avc_app>[^,"']+)["|']?,["|']?(?<x_avc_type>[^,"']+)["|']?,["|']?(?<x_avc_behavior>[^,"']+)["|']?,["|']?(?<x_request_rewrite>[^"',]+)["|']?,(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),["|']?(?<x_resp_dvs_verdictname>[^,"']+)["|']?,["|']?(?<x_req_dvs_threat_name>[^,"']+)["|']?(,["|']?(?<x_amp_verdict>[^,"']+)["|']?,["|']?(?<x_amp_malware_name>[^"']+)["|']?,(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),["|']?(?<x_amp_filename>[^,]+?)["|']?,["|']?(?<x_amp_sha>[^"',]+)["|']?)?(,["|']?(?<x_file_verdict>[^"',]+)["|']?)?(,(?<x_archive_scan_verdict>[^,]+),["|']?(?<x_archive_scan_verdict_reason>[^"']+)["|']?)?(?:>|>)\s*(?<vendor_suspect_user_agent>-|["|']?[^"']+["|']?)?\s*(?<bytes_out>[0-9]*)?[^\r\n]*$
FE's Works only for Events in Sample Log Format. You can tweak the Regex to match your Events.
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Accelerating Observability as Code with the Splunk AI Assistant
