What Changed
Two new ASIM parsers are introduced for Cisco Firepower Threat Defense (FTD) logs:
- ASimNetworkSessionCiscoFTD – the workspace-deployed union parser (used directly in queries)
- vimNetworkSessionCiscoFTD – the filtering parser (called by the schema-level umbrella)
Both are registered into the ASIM NetworkSession umbrella parsers (ASimNetworkSession v0.7.3 and imNetworkSession), and ARM deployment templates plus 101 rows of sample data are included.
Parser Impact
Schema: ASIM NetworkSession (NetworkSession schema v0.2.7)
Source table: CommonSecurityLog (filtered to DeviceVendor == "Cisco" and DeviceProduct == "FTD")
The parser handles five Cisco FTD syslog message classes from the DeviceEventClassID field:
| EventOriginalType | Description |
|---|---|
| 430001 | Intrusion event (IDS) |
| 430002 | Connection start event |
| 430003 | Connection end event |
| 430005 | File/malware event |
| 430007 | Elephant flow event |
Key normalised fields:
- SrcIpAddr, DstIpAddr, SrcPortNumber, DstPortNumber, NetworkProtocol – standard five-tuple
- DvcAction (Allow / Deny / Reset), EventResult (Success / Failure), EventResultDetails
- EventType differentiates IDS (intrusion) from NetworkSession (connection) events
- EventSubType marks connection Start vs End
- NAT fields: SrcNatIpAddr, SrcNatPortNumber, DstNatIpAddr, DstNatPortNumber
- Traffic counters: SrcBytes, DstBytes, NetworkBytes, SrcPackets, DstPackets, NetworkDuration
- Intrusion-specific: ThreatName, ThreatId (GID:SID:Revision), ThreatCategory, NetworkRuleNumber, ThreatConfidence
- EVE (Encrypted Visibility Engine) fields captured in AdditionalFields when pack=true
Prior state: FTD logs ingested via the Cisco ASA/FTD AMA connector were not normalised – any ASIM-based Analytic Rules or hunting queries using imNetworkSession or ASim_NetworkSession* returned no rows for FTD data. This is a detection coverage gap now closed.
The existing vimNetworkSessionCiscoFirepower parser (Firepower NGFW via CEF) remains separate; this new parser targets the AMA-based FTD ingestion path specifically.
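A validation query a reviewer can run after deploying the templates, added here as an illustration (it is not part of the PR). It assumes the parsers are deployed in the workspace and the Cisco ASA/FTD AMA connector is feeding CommonSecurityLog; it compares raw FTD rows per syslog message class against what ASimNetworkSessionCiscoFTD emits, so message classes outside the five handled ones surface with zero parsed rows:

```kusto
// Added validation query, not from the PR. Assumes the new parsers are deployed
// and FTD syslog arrives in CommonSecurityLog via the AMA connector.
let lookback = 1d;
// Raw FTD rows per syslog message class, straight from the source table
let raw = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Cisco" and DeviceProduct == "FTD"
    | summarize RawRows = count() by MessageId = tostring(DeviceEventClassID);
// Normalised rows per message class from the new source-specific parser
let parsed = ASimNetworkSessionCiscoFTD
    | where TimeGenerated > ago(lookback)
    | summarize ParsedRows = count(),
                EventTypes = make_set(strcat(EventType, "/", EventSubType)),
                Actions = make_set(DvcAction)
      by MessageId = tostring(EventOriginalType);
// Full outer join: classes present only in raw data (anything other than
// 430001/430002/430003/430005/430007) appear with ParsedRows = 0
raw
| join kind=fullouter parsed on MessageId
| project MessageId = coalesce(MessageId, MessageId1),
          RawRows = coalesce(RawRows, 0),
          ParsedRows = coalesce(ParsedRows, 0),
          EventTypes, Actions
| extend CoveragePct = iff(RawRows > 0, round(100.0 * ParsedRows / RawRows, 1), real(null))
| order by RawRows desc
```

Swap the source-specific parser for imNetworkSession(starttime=ago(lookback), endtime=now(), pack=true) to confirm the umbrella registration and to see the EVE fields in AdditionalFields.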
Affected Files
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/ASimNetworkSessionCiscoFTD.json
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/README.md
Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/README.md
Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/vimNetworkSessionCiscoFTD.json
Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSession.md
Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSessionCiscoFTD.md
Parsers/ASimNetworkSession/CHANGELOG/imNetworkSession.md
Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionCiscoFTD.md
Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoFTD.yaml
Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoFTD.yaml
Sample Data/ASIM/Cisco_FTD_NetworkSession_IngestedLogs.csv