What Changed

Two new KQL parser functions have been added to the ASIM Authentication schema family:

  • ASimAuthenticationCiscoFTD (unfiltered, version 0.1.0)
  • vimAuthenticationCiscoFTD (filtering, version 0.1.0)

Both parsers have been registered in the umbrella ASimAuthentication (v0.2.17) and imAuthentication (v0.3.14) union parsers, so once the updated parsers are deployed to a workspace they are included in source-agnostic detections without further configuration.

ARM deployment templates and changelogs have been generated alongside the KQL YAMLs.

Parser Impact

Schema: ASIM Authentication v0.1.4
Source table: Syslog
Filter: SyslogMessage startswith "%FTD-5-199017"

Core logic: Filters Syslog for Cisco FTD syslog message ID %FTD-5-199017, then splits into two branches:

  • “Accepted password for …” – mapped to EventResult = Success
  • “Failed password for invalid user …” – mapped to EventResult = Failure, EventResultDetails = Incorrect password

Both branches parse TargetUsername, SrcIpAddr, and SrcPortNumber from the syslog message body.

Entities mapped: TargetUsername, SrcIpAddr, SrcPortNumber, DvcHostname (coalesced from Computer or HostName), TargetIpAddr (from HostIP).

Aliases: User = TargetUsername, IpAddr = SrcIpAddr, Dvc = TargetIpAddr.

The filtering variant (vimAuthenticationCiscoFTD) supports the full imAuthentication parameter set: time range, username_has_any, srcipaddr_has_any_prefix, srchostname_has_any, eventtype_in, eventresultdetails_in, and eventresult.

Coverage gap note: This initial implementation targets only syslog ID %FTD-5-199017 (the SSH login messages). FTD emits authentication events under other syslog IDs as well (e.g., 113004, 113005, 113006 for AAA); those are not covered in this version. The failure branch described above matches the "Failed password for invalid user …" form; sshd also emits "Failed password for <user> from …" for an existing account with a wrong password, so confirm that form is handled before relying on EventResultDetails in lockout or brute-force logic. Detections using imAuthentication will now surface Cisco FTD SSH authentication events; verify that existing brute-force and credential-stuffing detections do not produce noise spikes from the newly visible FTD auth traffic.
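To make the branch split, field mapping and filtering parameters above concrete, the following is an added Python re-implementation of the described logic run over constructed Syslog rows. It is not the project's KQL parser: the sample messages, the `Logon` EventType value, the `parse_rows` and `vim_filter` helpers, and the reduction of `has_any` to a substring test are assumptions for illustration. Two of the constructed rows are deliberately outside the two listed message forms (an AAA 113005 message and an sshd failure for an existing account) so the output shows what the described filters do not pass.

```python
"""Added illustration (not the project's KQL): the described ASimAuthenticationCiscoFTD
logic re-implemented in Python and run over constructed Syslog rows."""
import re
from ipaddress import ip_address

MSG_ID = "%FTD-5-199017"

# The two message forms the parser description lists.
SUCCESS_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILURE_RE = re.compile(r"Failed password for invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample rows shaped like the Sentinel Syslog table (not real FTD captures).
SAMPLE_ROWS = [
    {"Computer": "ftd-edge-01", "HostName": "", "HostIP": "10.10.0.1",
     "SyslogMessage": "%FTD-5-199017: sshd[2190]: Accepted password for admin from 10.0.0.5 port 51234 ssh2"},
    {"Computer": "", "HostName": "ftd-edge-01", "HostIP": "10.10.0.1",
     "SyslogMessage": "%FTD-5-199017: sshd[2191]: Failed password for invalid user root from 192.0.2.10 port 40022 ssh2"},
    # AAA message ID outside the startswith filter: the coverage gap noted above.
    {"Computer": "ftd-edge-01", "HostName": "", "HostIP": "10.10.0.1",
     "SyslogMessage": "%FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = jdoe"},
    # sshd failure for an existing account: not one of the two listed message forms.
    {"Computer": "ftd-edge-01", "HostName": "", "HostIP": "10.10.0.1",
     "SyslogMessage": "%FTD-5-199017: sshd[2192]: Failed password for admin from 192.0.2.11 port 40023 ssh2"},
]


def normalize(row):
    """Return an ASIM Authentication-shaped dict, or None if the row is outside the described scope."""
    msg = row.get("SyslogMessage", "")
    if not msg.startswith(MSG_ID):          # SyslogMessage startswith "%FTD-5-199017"
        return None
    m = SUCCESS_RE.search(msg)
    result, details = "Success", ""
    if m is None:
        m = FAILURE_RE.search(msg)
        result, details = "Failure", "Incorrect password"
    if m is None:
        return None
    try:
        ip_address(m["ip"])                 # drop rows whose captured source field is not an IP
    except ValueError:
        return None
    event = {
        "EventType": "Logon",               # assumed value; the description does not state EventType
        "EventResult": result,
        "EventResultDetails": details,
        "TargetUsername": m["user"],
        "SrcIpAddr": m["ip"],
        "SrcPortNumber": int(m["port"]),
        "DvcHostname": row.get("Computer") or row.get("HostName") or "",   # coalesce(Computer, HostName)
        "TargetIpAddr": row.get("HostIP", ""),
    }
    # Aliases as listed in the description.
    event["User"] = event["TargetUsername"]
    event["IpAddr"] = event["SrcIpAddr"]
    event["Dvc"] = event["TargetIpAddr"]
    return event


def parse_rows(rows):
    """Split rows into normalized events and rows the described filters do not pass."""
    events, unmatched = [], []
    for row in rows:
        ev = normalize(row)
        if ev is None:
            unmatched.append(row)
        else:
            events.append(ev)
    return events, unmatched


def vim_filter(events, username_has_any=(), srcipaddr_has_any_prefix=(), eventresult=""):
    """Approximation of three of the filtering (vim) parameters: KQL has_any is reduced here
    to a case-insensitive substring test, has_any_prefix to a string prefix test."""
    out = []
    for ev in events:
        if username_has_any and not any(u.lower() in ev["TargetUsername"].lower() for u in username_has_any):
            continue
        if srcipaddr_has_any_prefix and not any(ev["SrcIpAddr"].startswith(p) for p in srcipaddr_has_any_prefix):
            continue
        if eventresult and ev["EventResult"] != eventresult:
            continue
        out.append(ev)
    return out


if __name__ == "__main__":
    evs, skipped = parse_rows(SAMPLE_ROWS)
    for ev in evs:
        print(ev["EventResult"], ev["User"], ev["IpAddr"], ev["SrcPortNumber"], ev["DvcHostname"])
    for row in skipped:
        print("not parsed:", row["SyslogMessage"][:60])
```

Running it prints one Success and one Failure event and lists the two rows that fall outside the described filter; the second of those is the valid-account failure form worth checking against the real parser before trusting failure counts from FTD.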

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoFTD/ASimAuthenticationCiscoFTD.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoFTD/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoFTD/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoFTD/vimAuthenticationCiscoFTD.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCiscoFTD.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCiscoFTD.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationCiscoFTD.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationCiscoFTD.yaml