Skip to main content
Sumo Logic

Suggested Searches for the Cisco ASA Parser

These suggested searches cover some of the most common scenarios for monitoring Security, Audit, and Performance issues on a Linux server. You can enter these queries into the Search box as a starting baseline, and then customize the queries for your system.

Be sure to save your search queries if you plan to run them often.

These are a few valuable search queries you can enter in the Search field when you want to discover details about your Cisco ASA traffic.

The _sourceCategory fields shown in these sample queries are based on Sumo Logic's recommendations for adding metadata to Sources. To re-use these queries, type the Category you entered for the relevant Source after "_sourceCategory= "or use an asterisk wildcard (*) instead.

Top Denied Sources

Returns the top sources that were denied.

  • Suggested Time Range: -1h

_sourceCategory=*cisco*asa* AND ("denied" OR "Deny")
| parse using public/cisco/asa
| where access_decision="denied" OR action matches "Deny *"
| count_frequent src_host
| limit 10

Top Denied Destinations

Returns the top destinations that were denied.

  • Suggested Time Range: -1d

_sourceCategory=*cisco*asa* AND ("denied" OR "Deny")
| parse using public/cisco/asa
| where access_decision="denied" OR action matches "Deny *"
| count_frequent dest_host
| limit 10

Top Sources with Outbound Connections

Returns the top sources with outbound connections by the number of connections.

  • Suggested Time Range: -1h

_sourceCategory=*cisco*asa* AND "built outbound"
| parse using public/cisco/asa
| where src_host !=""
| count_frequent src_host
| limit 10

Top Internal Destinations

Returns the top internal destinations by number of connections.

  • Suggested Time Range: -1h

_sourceCategory=*cisco*asa* AND "built inbound"
| parse using public/cisco/asa
| where dest_host !=""
| dest_host as internal_destination
| count_frequent internal_destination
| limit 10

Detected Attacks

Returns all attacks detected by the IPS.

  • Suggested Time Range: -15m; run as a scheduled search to return results only if number of messages is > 0

_sourceCategory=*cisco*asa* ": ips:" AND ("attack" OR "Proxied RPC Request" OR "buffer overflow" OR "IP Impossible Packet" OR "IP Fragments Overlap" OR "Fragmented ICMP Traffic" OR "Large ICMP Traffic" OR "TCP NULL flags" OR "TCP SYN+FIN flags" OR "TCP FIN only flags")
| parse using public/cisco/
asa