Use case: Create a report that uses Event Data that is not Normalized
You can use a custom property to extract data that is not normalized from a payload, and use that data to build a report. For example, you can build a report that is based on the interface information that is in Cisco ASA firewall deny messages.
In this example, we'll use the following sample Cisco ASA firewall events to demonstrate how to extract the interface value from the event payload, and then build a report that uses that data.
<162>Sep 02 2014 11:49:41: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface External
<162>Sep 02 2014 11:49:40: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface Loopback
<162>Sep 02 2014 11:49:17: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58821 to 10.11.11.11/9100 flags SYN on interface Internal
- Create a custom property (see Creating a Custom Property).
In the sample events above, the event payload includes the word interface followed by the value that you want to extract. To capture the interface information from these events, create an extraction-based custom property and configure it to use the regular expression interface\s(.*)\b, whose capture group holds the interface name.
To ensure that the new custom property is available to use in a search, select the Parse in advance for rules, reports, and searches check box, and enable the custom property.
- Create a search (see Event and Flow Searches), and in the Group By field, select the new custom event property.
To ensure that the search results include only Cisco ASA events, add the log source as a quick filter option in the search parameters. Save the search criteria so that you can use it in a report. Assign the saved search to a group to make it easier to find later.
- Create a report (see Creating Custom Reports), and configure the graph content to use the new saved search.
If the report was not configured to run after it was saved, you can run it immediately by selecting Actions > Run Report.
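The following script is an added example, not code from the page or from the product it describes. It applies the page's regular expression to the three sample ASA deny events, filters out a constructed non-ASA event the way the log-source quick filter would, and groups the matches by interface to produce the counts the report would chart.

```python
import re
from collections import Counter

# Constructed sample payloads: the three Cisco ASA deny events from this page,
# plus one non-ASA line (constructed) to show the log-source filter in action.
SAMPLE_EVENTS = [
    "<162>Sep 02 2014 11:49:41: %ASA-2-106001: Inbound TCP connection denied from "
    "10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface External",
    "<162>Sep 02 2014 11:49:40: %ASA-2-106001: Inbound TCP connection denied from "
    "10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface Loopback",
    "<162>Sep 02 2014 11:49:17: %ASA-2-106001: Inbound TCP connection denied from "
    "10.10.10.128/58821 to 10.11.11.11/9100 flags SYN on interface Internal",
    "<14>Sep 02 2014 11:50:00 sshd[1234]: Accepted publickey for admin from 10.10.10.5 port 2222",
]

# The custom property's regex exactly as given on the page; group 1 is the interface name.
INTERFACE_RE = re.compile(r"interface\s(.*)\b")


def is_asa_event(payload: str) -> bool:
    """Stand-in for the log-source quick filter: keep only Cisco ASA payloads."""
    return "%ASA-" in payload


def extract_interface(payload: str):
    """Return the interface name from a single ASA payload, or None if the regex does not match."""
    match = INTERFACE_RE.search(payload)
    return match.group(1) if match else None


def interface_counts(events) -> dict:
    """Group filtered events by extracted interface, as the saved search's Group By does."""
    counts = Counter()
    for payload in events:
        if not is_asa_event(payload):
            continue  # dropped by the log-source filter
        interface = extract_interface(payload)
        if interface is not None:  # unmatched ASA payloads contribute nothing
            counts[interface] += 1
    return dict(counts)


if __name__ == "__main__":
    for interface, count in sorted(interface_counts(SAMPLE_EVENTS).items()):
        print(f"{interface}: {count}")
```

Each event payload must be matched on its own line; the regex's greedy `.*` would capture everything to the end of the text if several events were joined into one string.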