Friday, September 26, 2025

Threat Insights: Active Exploitation of Cisco ASA Zero Days

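// Daily volume of Cisco ASA syslog messages per syslog severity level.
// Each ASA message carries a "%ASA-<level>-<message_id>:" token; this query
// extracts <level>, counts messages per level per calendar day and plots the
// result. It is a baselining view, not a detection: a sudden change in the
// daily mix (a spike in error/critical lines, a drop in informational volume,
// or a rise in unparsed lines) is the cue to pivot into the underlying messages.
dataset = cisco_asa_raw
// Severity token ("ASA-1" .. "ASA-7") captured from the raw line; null when
// the pattern does not match.
// NOTE(review): the pattern requires a whitespace character before "%", so a
// line that begins directly with "%ASA" would yield null here — confirm
// against the ingested format before relying on the unparsed series below.
| alter alert_level = arrayindex(regextract(_raw_log, "\s%.*?(ASA\-[\d])\-[\d]{1,}\:"), 0)
// Human-readable severity label. It is not part of the charted output (the
// comp stage drops it) but is handy when the last three stages are removed to
// inspect individual rows. Stays "" when no level was parsed.
| alter alert_level_friendly = if(alert_level = "ASA-1", "Alert Message",
                               if(alert_level = "ASA-2", "Critical Message",
                               if(alert_level = "ASA-3", "Error Message",
                               if(alert_level = "ASA-4", "Warning Message",
                               if(alert_level = "ASA-5", "Notification Message",
                               if(alert_level = "ASA-6", "Informational Message",
                               if(alert_level = "ASA-7", "Debug Message", "")))))))
// One 0/1 indicator per level so the comp stage can sum them per day.
// unparsed_count covers rows where the regex matched nothing; without it those
// rows contribute 0 to every series and a parsing failure looks like a quiet day.
| alter alert_count        = if(alert_level = "ASA-1", 1, 0),
        critical_count     = if(alert_level = "ASA-2", 1, 0),
        error_count        = if(alert_level = "ASA-3", 1, 0),
        warning_count      = if(alert_level = "ASA-4", 1, 0),
        notification_count = if(alert_level = "ASA-5", 1, 0),
        info_count         = if(alert_level = "ASA-6", 1, 0),
        debug_count        = if(alert_level = "ASA-7", 1, 0),
        unparsed_count     = if(alert_level = null, 1, 0)
// Day bucket used as the x axis.
// NOTE(review): the day boundary follows whatever timezone format_timestamp
// applies to _time — confirm it matches the ASA clock before comparing days.
| alter Date = format_timestamp("%Y/%m/%d", _time)
// Check for all messages: one row per day with the per-level totals.
| comp sum(info_count) as info_log_count, sum(debug_count) as debug_log_count, sum(notification_count) as notification_log_count, sum(warning_count) as warning_log_count, sum(error_count) as error_log_count, sum(critical_count) as critical_log_count, sum(alert_count) as alert_log_count, sum(unparsed_count) as unparsed_log_count by Date
| sort asc Date
// yaxis must use the comp aliases (warning_log_count, not the pre-comp
// warning_count, which no longer exists after the comp stage); otherwise the
// warning series is silently missing from the chart.
| view graph type = line xaxis = Date yaxis = info_log_count, debug_log_count, notification_log_count, warning_log_count, error_log_count, critical_log_count, alert_log_count, unparsed_log_count header = "All Logs"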



Source: Unit 42, https://unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software/
via IFTTT
