[ASIM] Cisco FTD NetworkSession Parser#14569
Conversation
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds Cisco FTD support to ASIM NetworkSession by introducing both the parameterized (vim*) and schema (ASim*) parsers, then wiring them into the generic NetworkSession aggregators and deployment assets.
Changes:
- Added new Cisco FTD NetworkSession parsers (vimNetworkSessionCiscoFTD + ASimNetworkSessionCiscoFTD).
- Registered the new parsers in the generic NetworkSession aggregator parsers (imNetworkSession / ASimNetworkSession).
- Added ARM templates + changelogs and updated ASIM tester enumeration to include IDS.
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoFTD.yaml | New parameterized Cisco FTD NetworkSession parser (filtering + normalization). |
| Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoFTD.yaml | New schema-level Cisco FTD NetworkSession parser (normalization). |
| Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml | Registers the new vim Cisco FTD parser and bumps version/date. |
| Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml | Registers the new ASim Cisco FTD parser and bumps version/date. |
| Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFTD/vimNetworkSessionCiscoFTD.json | Deployable ARM for the new vim Cisco FTD parser. |
| Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFTD/ASimNetworkSessionCiscoFTD.json | Deployable ARM for the new ASim Cisco FTD parser. |
| Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json | Wires Cisco FTD into the deployed generic vim parser function. |
| Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json | Wires Cisco FTD into the deployed generic ASim parser function. |
| Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json | Adds linked deployments for Cisco FTD parsers. |
| Parsers/ASimNetworkSession/ARM/*/README.md | Adds ARM deployment readmes for the new parsers. |
| Parsers/ASimNetworkSession/CHANGELOG/*.md | Changelog entries for new parsers and aggregator bumps. |
| ASIM/dev/ASimTester/ASimTester.csv | Extends NetworkSession EventType enumeration to include IDS. |
Hi @Steve1145,

```kql
AdditionalFields,
Hostname,
//Columns not available in all branches
NetworkRuleName = column_ifexists('NetworkRuleName', ''),
```
Do we need these columns that use column_ifexists? These columns don't exist in CommonSecurityLog
I propose that these fields are required as they are available in at least one of the branches (Intrusion, Connection or File) and map to a NetworkSession field, but not available in all branches and I wanted to avoid isfuzzy=true.
I could extend these fields in all branches as null values where the column does not exist in that branch i.e. DstBytes = long(null) in Intrusion etc - if that would be the preference instead of using column_ifexists for those fields in the union project?
I see what you mean.
I think you don't need to apply the function column_ifexists. When you are unioning the 3 scenarios, the union combines the schemas from those 3 tables, and the output should contain all columns from those 3 tables regardless if they have rows or not. You can simply project the columns as is without calling the ifexists function.
This is from me trying it out. If your testing shows otherwise, let me know.
You are right that we don't need isfuzzy=true
Thanks Derrick, successfully tested and updated.
This worked for all columns other than ThreatConfidence, for which I had to declare null values in the two scenarios where the column wasn't present. ThreatConfidence = int(null) was added to the Intrusion and File branches in order to project it in the union.
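The union behaviour discussed above, as an added illustration that is not code from the PR or from the ASIM parsers: three constructed datatables stand in for the Intrusion, Connection and File branches, and the column names and values are assumed for the sake of the example.

```kql
// Constructed sample branches (not real CommonSecurityLog data). Each branch
// carries only the columns that scenario would populate.
let Intrusion = datatable(EventType:string, Hostname:string, ThreatConfidence:int)
[
    "IDS", "ftd-1", 80
];
let Connection = datatable(EventType:string, Hostname:string, DstBytes:long, NetworkRuleName:string)
[
    "NetworkSession", "ftd-1", 1024, "allow-web"
];
let File = datatable(EventType:string, Hostname:string)
[
    "NetworkSession", "ftd-2"
];
// Plain union: the output schema is the union of the three branch schemas, so
// DstBytes, NetworkRuleName and ThreatConfidence can be projected directly;
// rows from a branch lacking a column get null (empty string for string
// columns) without column_ifexists or isfuzzy=true.
let Merged = union Intrusion, Connection, File
    | project EventType, Hostname, DstBytes, NetworkRuleName, ThreatConfidence;
// Explicit-null variant, matching what the thread settled on for
// ThreatConfidence: declare the column with a typed null in the branches that
// do not carry it so every branch presents the same column with the same type.
let MergedExplicit = union
    (Intrusion  | extend DstBytes = long(null), NetworkRuleName = ""),
    (Connection | extend ThreatConfidence = int(null)),
    (File       | extend ThreatConfidence = int(null), DstBytes = long(null), NetworkRuleName = "")
    | project EventType, Hostname, DstBytes, NetworkRuleName, ThreatConfidence;
// Both queries yield three rows with identical columns; the explicit form is
// the safer choice where a branch would otherwise infer a different type.
MergedExplicit
| order by Hostname asc, EventType asc
```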
yummyblabla left a comment
One unresolved issue, but otherwise, LGTM

Change(s):
Added NetworkSession ASIM parser for Cisco FTD logs ingested via the 'Cisco ASA/FTD via AMA' Data Connector
Reason for Change(s):
Introduce ASIM NetworkSession support for Cisco FTD to complement existing Cisco Firepower logs support.
Version Updated:
Yes
Testing Completed:
Yes
Checked that the validations are passing and have addressed any issues that are present:
Yes