What Changed

Added a new ASIM authentication parser for Cisco IOS devices that normalizes authentication events from syslog messages into the ASIM Authentication schema.

Parser Logic

The parser processes three distinct syslog patterns from the standard Syslog table:

  • Login Success: %SEC_LOGIN-5-LOGIN_SUCCESS events with username, source IP, and local port extraction
  • Login Failure: %SEC_LOGIN-4-LOGIN_FAILED events including failure reason parsing
  • Logout: %SYS-6-LOGOUT events tracking user session termination

Field mappings include username normalization, source IP/port extraction, severity level translation via _ASIM_LookupSyslogSeverityLevel, and standard ASIM schema compliance with event categorization (Logon/Logoff) and result status (Success/Failure).
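The normalization described above can be illustrated with a small Python sketch. This is an added example, not the parser's KQL and not code from this change: the sample messages are constructed, `LocalPort` is a hypothetical output key, treating a logout as `EventResult` "Success" is an assumption, and the severity lookup is not reproduced.

```python
import re

# Constructed sample messages in the Cisco IOS format for each mnemonic,
# plus one non-authentication message that must be ignored.
SAMPLES = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 192.0.2.10] [localport: 22] at 10:15:32 UTC Mon Mar 4 2024",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:16:01 UTC Mon Mar 4 2024",
    "%SYS-6-LOGOUT: User netadmin has exited tty session 2(192.0.2.10)",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

# Mnemonic -> (EventType, EventResult). Logout mapped to Success by assumption.
MNEMONICS = {
    "SEC_LOGIN-5-LOGIN_SUCCESS": ("Logon", "Success"),
    "SEC_LOGIN-4-LOGIN_FAILED": ("Logon", "Failure"),
    "SYS-6-LOGOUT": ("Logoff", "Success"),
}
HEADER = re.compile(r"%([A-Z_]+-\d-[A-Z_]+):\s*(.*)")
BRACKET = re.compile(r"\[(\w+):\s*([^\]]*)\]")  # [key: value] pairs
LOGOUT = re.compile(r"User (\S+) has exited tty session \d+\(([^)]*)\)")

def normalize(message):
    """Return a normalized event dict, or None for other message types."""
    m = HEADER.search(message)
    if not m or m.group(1) not in MNEMONICS:
        return None
    event_type, result = MNEMONICS[m.group(1)]
    event = {"EventType": event_type, "EventResult": result}
    if event_type == "Logoff":
        lo = LOGOUT.search(m.group(2))
        if lo:
            event["TargetUsername"], event["SrcIpAddr"] = lo.group(1), lo.group(2)
        return event
    fields = {k.lower(): v.strip() for k, v in BRACKET.findall(m.group(2))}
    event["TargetUsername"] = fields.get("user", "")
    event["SrcIpAddr"] = fields.get("source", "")
    if fields.get("localport", "").isdigit():
        event["LocalPort"] = int(fields["localport"])  # hypothetical key name
    if "reason" in fields:
        event["EventOriginalResultDetails"] = fields["reason"]
    return event

if __name__ == "__main__":
    for line in SAMPLES:
        print(normalize(line))
```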

Security Impact

Network administrators can now query Cisco IOS authentication events through the unified ASIM interface, enabling correlation of router/switch access attempts with other authentication sources. This addresses a visibility gap for network infrastructure authentication monitoring — particularly valuable for detecting lateral movement targeting network device management interfaces.

Affected Files

.script/tests/KqlvalidationsTests/CustomFunctions/_ASIM_LookupSyslogSeverityLevel.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoIOS/ASimAuthenticationCiscoIOS.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoIOS/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoIOS/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoIOS/vimAuthenticationCiscoIOS.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoIOS.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoIOS.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoIOS.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoIOS.yaml