
[ASIM] Cisco FTD NetworkSession Parser#14569

Merged
yummyblabla merged 5 commits into Azure:master from Steve1145:bluevoyant/asimnetworksession/ciscoftd on Jun 30, 2026

Conversation

@Steve1145

Contributor

Change(s):

Added NetworkSession ASIM parser for Cisco FTD logs ingested via the 'Cisco ASA/FTD via AMA' Data Connector

Reason for Change(s):

Introduce ASIM NetworkSession support for Cisco FTD to complement existing Cisco Firepower logs support.

Version Updated:

Yes

Testing Completed:

Yes

Checked that the validations are passing and have addressed any issues that are present:

Yes

@Steve1145 Steve1145 requested review from a team as code owners June 26, 2026 10:46
@v-maheshbh v-maheshbh requested a review from Copilot June 26, 2026 14:02

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Cisco FTD support to ASIM NetworkSession by introducing both the parameterized (vim*) and schema (ASim*) parsers, then wiring them into the generic NetworkSession aggregators and deployment assets.

Changes:

  • Added new Cisco FTD NetworkSession parsers (vimNetworkSessionCiscoFTD + ASimNetworkSessionCiscoFTD).
  • Registered the new parsers in the generic NetworkSession aggregator parsers (imNetworkSession / ASimNetworkSession).
  • Added ARM templates + changelogs and updated ASIM tester enumeration to include IDS.

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated 13 comments.

File Description
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoFTD.yaml New parameterized Cisco FTD NetworkSession parser (filtering + normalization).
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoFTD.yaml New schema-level Cisco FTD NetworkSession parser (normalization).
Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml Registers the new vim Cisco FTD parser and bumps version/date.
Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml Registers the new ASim Cisco FTD parser and bumps version/date.
Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/vimNetworkSessionCiscoFTD.json Deployable ARM for the new vim Cisco FTD parser.
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/ASimNetworkSessionCiscoFTD.json Deployable ARM for the new ASim Cisco FTD parser.
Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json Wires Cisco FTD into the deployed generic vim parser function.
Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json Wires Cisco FTD into the deployed generic ASim parser function.
Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json Adds linked deployments for Cisco FTD parsers.
Parsers/ASimNetworkSession/ARM/*/README.md Adds ARM deployment readmes for the new parsers.
Parsers/ASimNetworkSession/CHANGELOG/*.md Changelog entries for new parsers and aggregator bumps.
ASIM/dev/ASimTester/ASimTester.csv Extends NetworkSession EventType enumeration to include IDS.

@v-atulyadav v-atulyadav added ASIM SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 29, 2026
@v-atulyadav

Collaborator

Hi @Steve1145,
Please check the KQL failure and take the necessary action. Thanks

@yummyblabla yummyblabla added SafeToRun This is used only for ASim parsers Fork PR Pipeline run. and removed SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 29, 2026
Comment thread on Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoFTD.yaml:
AdditionalFields,
Hostname,
//Columns not available in all branches
NetworkRuleName = column_ifexists('NetworkRuleName', ''),

Collaborator


Do we need these columns that use column_ifexists? These columns don't exist in CommonSecurityLog

@Steve1145 Steve1145 Jun 30, 2026

Contributor Author


I propose that these fields are required as they are available in at least one of the branches (Intrusion, Connection or File) and map to a NetworkSession field, but not available in all branches and I wanted to avoid isfuzzy=true.

I could extend these fields in all branches as null values where the column does not exist in that branch i.e. DstBytes = long(null) in Intrusion etc - if that would be the preference instead of using column_ifexists for those fields in the union project?

Collaborator


I see what you mean.
I think you don't need to apply the function column_ifexists. When you are unioning the 3 scenarios, the union combines the schemas from those 3 tables, and the output should contain all columns from those 3 tables regardless of whether they have rows or not. You can simply project the columns as is without calling the ifexists function.

Collaborator


This is from me trying it out. If your testing shows otherwise, let me know.

You are right that we don't need isfuzzy=true

Contributor Author


Thanks Derrick, successfully tested and updated.

This worked for all columns other than ThreatConfidence - which I had to declare null values in the two scenarios the column wasn't present. ThreatConfidence = int(null) was added to the Intrusion and File branches in order to project in the union.
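The pattern this thread settles on, written out as an added example that is not the PR's parser code: three constructed datatable() branches stand in for the Intrusion, Connection and File scenarios, with ThreatConfidence present only in the Connection branch, and every column a branch lacks declared as a typed null (the `int(null)` approach the author reports using) so the union needs neither `isfuzzy=true` nor `column_ifexists()`. The column names and the IDS/NetworkSession EventType mapping are illustrative assumptions, not the parser's actual field list.

```kql
// Constructed sample branches (not real Cisco FTD data). Each datatable() has a
// known column set, so the schema differences between branches are explicit.
let Intrusion = datatable(TimeGenerated:datetime, SrcIpAddr:string, DstIpAddr:string, NetworkRuleName:string)
[
    datetime(2026-06-26T10:00:00Z), "10.0.0.5", "10.0.0.9", "IPS-Policy-1"
];
let Connection = datatable(TimeGenerated:datetime, SrcIpAddr:string, DstIpAddr:string, DstBytes:long, ThreatConfidence:int)
[
    datetime(2026-06-26T10:01:00Z), "10.0.0.5", "10.0.0.9", long(1200), int(80)
];
let File = datatable(TimeGenerated:datetime, SrcIpAddr:string, DstIpAddr:string, DstBytes:long)
[
    datetime(2026-06-26T10:02:00Z), "10.0.0.7", "10.0.0.9", long(300)
];
// Each branch is extended with typed nulls (or empty strings) for the columns it
// does not carry, so all three branches expose the same schema before the union.
// EventType values are an assumed mapping for illustration only.
union
    (Intrusion
        | extend EventType = "IDS",
                 DstBytes = long(null),
                 ThreatConfidence = int(null)),
    (Connection
        | extend EventType = "NetworkSession",
                 NetworkRuleName = ""),
    (File
        | extend EventType = "NetworkSession",
                 NetworkRuleName = "",
                 ThreatConfidence = int(null))
// With identical schemas the final project needs no column_ifexists() guards.
| project TimeGenerated, EventType, SrcIpAddr, DstIpAddr, DstBytes, NetworkRuleName, ThreatConfidence
| order by TimeGenerated asc
```

Running this returns three rows with all seven columns populated or null as declared; removing the `ThreatConfidence = int(null)` lines from the Intrusion and File branches reproduces the situation the author describes having to fix.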

@yummyblabla yummyblabla left a comment

Collaborator


One unresolved issue, but otherwise, LGTM

@yummyblabla yummyblabla added SafeToRun This is used only for ASim parsers Fork PR Pipeline run. and removed SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 30, 2026
@yummyblabla yummyblabla merged commit ac9365d into Azure:master Jun 30, 2026
32 of 35 checks passed
@v-atulyadav v-atulyadav removed the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jul 1, 2026