What Changed

Two new ASIM parsers are introduced for Cisco Firepower Threat Defense (FTD) logs:

  • ASimNetworkSessionCiscoFTD – the workspace-deployed union parser (used directly in queries)
  • vimNetworkSessionCiscoFTD – the filtering parser (called by the schema-level umbrella)

Both are registered into the ASIM NetworkSession umbrella parsers (ASimNetworkSession v0.7.3 and imNetworkSession), and ARM deployment templates plus 101 rows of sample data are included.

Parser Impact

Schema: ASIM NetworkSession (NetworkSession schema v0.2.7)
Source table: CommonSecurityLog (filtered to DeviceVendor == "Cisco" and DeviceProduct == "FTD")

The parser handles five Cisco FTD syslog message classes from the DeviceEventClassID field:

EventOriginalType   Description
430001              Intrusion event (IDS)
430002              Connection start event
430003              Connection end event
430005              File/malware event
430007              Elephant flow event

Key normalised fields:

  • SrcIpAddr, DstIpAddr, SrcPortNumber, DstPortNumber, NetworkProtocol – standard five-tuple
  • DvcAction (Allow / Deny / Reset), EventResult (Success / Failure), EventResultDetails
  • EventType differentiates IDS (intrusion) from NetworkSession (connection) events
  • EventSubType marks connection Start vs End
  • NAT fields: SrcNatIpAddr, SrcNatPortNumber, DstNatIpAddr, DstNatPortNumber
  • Traffic counters: SrcBytes, DstBytes, NetworkBytes, SrcPackets, DstPackets, NetworkDuration
  • Intrusion-specific: ThreatName, ThreatId (GID:SID:Revision), ThreatCategory, NetworkRuleNumber, ThreatConfidence
  • EVE (Encrypted Visibility Engine) fields captured in AdditionalFields when pack=true

Prior state: FTD logs ingested via the Cisco ASA/FTD AMA connector were not normalised, so any ASIM-based Analytic Rules or hunting queries using imNetworkSession or ASim_NetworkSession* returned no rows for FTD data. That detection coverage gap is closed by this change.
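A post-deployment coverage check, added here as an example and not part of this PR: it compares the raw FTD rows in CommonSecurityLog against what the new filtering parser emits for the same window, per message class. It assumes vimNetworkSessionCiscoFTD accepts the standard ASIM starttime/endtime parameters.

```kql
// Added example, not code from this PR: confirm the coverage gap is closed by
// comparing raw FTD rows in CommonSecurityLog with what the parser returns.
// Assumes vimNetworkSessionCiscoFTD takes the standard ASIM starttime/endtime parameters.
let lookback = 24h;
// Raw FTD events, restricted to the five message classes the parser handles
let raw = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Cisco" and DeviceProduct == "FTD"
    | where DeviceEventClassID in ("430001", "430002", "430003", "430005", "430007")
    | summarize RawCount = count() by EventOriginalType = DeviceEventClassID;
// The same window seen through the filtering parser
let parsed = vimNetworkSessionCiscoFTD(starttime=ago(lookback), endtime=now())
    | summarize ParsedCount = count() by EventOriginalType;
raw
| join kind=leftouter parsed on EventOriginalType
// Classes the parser never emitted come back as null from the left outer join
| extend Parsed = coalesce(ParsedCount, 0)
| extend Gap = RawCount - Parsed
| project EventOriginalType, RawCount, Parsed, Gap
| order by Gap desc
```

Any row with a non-zero Gap is a message class whose raw events are not reaching the normalised schema and deserves a look at the parser's filtering for that class.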

The existing vimNetworkSessionCiscoFirepower parser (Firepower NGFW via CEF) remains separate; this new parser targets the AMA-based FTD ingestion path specifically.

Affected Files

ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/ASimNetworkSessionCiscoFTD.json
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/README.md
Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/README.md
Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/vimNetworkSessionCiscoFTD.json
Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSession.md
Parsers/ASimNetworkSession/CHANGELOG/ASimNetworkSessionCiscoFTD.md
Parsers/ASimNetworkSession/CHANGELOG/imNetworkSession.md
Parsers/ASimNetworkSession/CHANGELOG/vimNetworkSessionCiscoFTD.md
Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoFTD.yaml
Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoFTD.yaml
Sample Data/ASIM/Cisco_FTD_NetworkSession_IngestedLogs.csv