Azure Sentinel – A Guide for Data Classification for Cisco Device Syslog Message with Azure Sentinel Workbook

This post will guide you how to use Kusto query to classify the log data based on some log is just contain a string, and you want to separate the string into different column for easy view.

For clearer, if you receive the syslog message like:

%ASA-3-710003: TCP access denied by ACL from 109.248.6.239/46449 to outside:172.16.1.211/80

You need to separate the above example syslog message with column “DeviceName”, “DeviceIP”, “SyslogID” and “SeverityLevel”.

However, you do not want to use the original data such as “SeverityLevel”, this example message show is “NOTI”, you do not want to use “NOTI” as the target “SeverityLevel”, you want to use like “notice” as final “SeverityLevel”, this post also will guide you how to make it.

The steps for the whole configuration will be:

  1. Create a new Workbook
  2. Develop a customized Workbook for Cisco Device
  3. Log Data Classification

Step 1 – Create a new Workbook

Visit to “Sentinel” and select “Workbook”, then click “Add workbook” to create a blank workbook.

Step 2 – Develop a customized Workbook for Cisco Device

For the Sentinel Workbook, you can make the dashboard like our example.

For Workbook Design detail information, please visit our post:

Azure Sentinel – A Guide for Customizing Sentinel Workbook (Kusto Query) for Sentinel Incidents

Step 3 – Log Data Classification

This is the primary KQL for the log data classification for Cisco Device Syslog Message:

For the above example, you need to extend the custom column and use some string operation for doing the log data classification.

You can visit our SOS GitHub for downloading the source code as a template:

https://github.com/SOSHKMVP/AzureSentinel-Workbook/blob/main/Cisco_Dashboard.txt

Eric Chan
| + posts

Microsoft MVP
SOS Group Limited

Leave a comment

SOS Group Limited © 2024. All Rights Reserved.