Cisco_SMA¶

About¶
The Security Management Appliance (SMA) centralizes reporting, message tracking and quarantine services for one or more Email Security Appliances (ESAs) and Web Security Appliances (WSAs).
Product Details¶
Vendor URL: Cisco Content Security Management Appliance
Product Type: Management Appliance
Product Tier: TIER III
Integration Method: SYSLOG
Integration URL: Reviewing the audit log for your organization
Requirements¶
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 90%
Data Label: CISCO_SMA
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | metadata.product_event_type |
| aggregator_message | metadata.description |
| observer | observer.hostname |
| process_name | metadata.description |
| reporting_service | principal.application |
| severity | security_result.severity |
| source_filepath | src.file.full_path |
| source_host | src.hostname |
| target_file | target.file.full_path |
Product Event Types¶
| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | GENERIC_EVENT |
Log Sample¶
{<14>Sep 23 00:00:59 Hostname: Info: TRANSFER: Plugin TRACKINGPLUGIN downloading from Hostname1 - /file/path/example.gz}
Sample Parsing¶
metadata.event_timestamp = "2022-09-23T00:00:59Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "TRANSFER"
metadata.product_name = "Cisco SMA"
metadata.vendor_name = "Cisco"
observer.hostname = "Hostname"
principal.application = "TRACKINGPLUGIN"
security_result[0].severity = "INFORMATIONAL"
security_result[0].severity_details = "Info"
src.file.full_path = "/file/path/example.gz"
src.hostname = "Hostname1"
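The field mapping table, the log sample and the sample parsing block above, worked through as an added Python example. This is not the product's own parser and not the parser configuration this page documents; it reproduces the mapping the page lists so the sample line can be checked offline. Assumed, because the page does not state them: the year 2022 for the yearless BSD syslog timestamp, the severity words other than Info and their UDM values, the fallback from the PRI severity bits, the exact shape of the TRANSFER message body (derived from the single sample), and the two extra constructed input lines.

```python
"""Normalize Cisco SMA syslog lines into the UDM fields listed on this page."""
import re
from datetime import datetime

# Constructed input: the page's Log Sample plus two extra lines made up here to
# exercise a non-TRANSFER event and a line that does not normalize.
SAMPLE_LINES = [
    "<14>Sep 23 00:00:59 Hostname: Info: TRANSFER: Plugin TRACKINGPLUGIN "
    "downloading from Hostname1 - /file/path/example.gz",
    "<12>Sep 23 00:01:07 Hostname: Warning: SMAD_TRACKING: Tracking data "
    "aggregator message without TRANSFER structure",  # hypothetical line
    "garbage that is not syslog",  # hypothetical line
]

# Syslog header as shown in the sample: <PRI>, BSD timestamp, observer host,
# then "Severity: ACTION: message".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<observer>[^:\s]+): (?P<sev>[A-Za-z]+): (?P<action>[A-Z_]+): (?P<msg>.*)$"
)
# TRANSFER body, derived from the single sample on this page (assumption).
TRANSFER_RE = re.compile(
    r"^Plugin (?P<plugin>\S+) downloading from (?P<host>\S+) - (?P<path>\S+)$"
)

# Only Info -> INFORMATIONAL is shown on the page; the other entries are an
# assumed mapping of the usual AsyncOS severity words.
SEVERITY_MAP = {
    "Critical": "CRITICAL",
    "Warning": "MEDIUM",
    "Info": "INFORMATIONAL",
    "Debug": "INFORMATIONAL",
}
# Assumed fallback: RFC 5424 severity (PRI & 7) when the word is unknown.
PRI_SEVERITY = {0: "CRITICAL", 1: "CRITICAL", 2: "CRITICAL", 3: "HIGH",
                4: "MEDIUM", 5: "LOW", 6: "INFORMATIONAL", 7: "INFORMATIONAL"}


def parse_line(line, year=2022):
    """Return a flat dict of UDM fields, or None when the line does not normalize."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    sev_word = m["sev"]
    severity = SEVERITY_MAP.get(sev_word) or PRI_SEVERITY[int(m["pri"]) & 7]
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.product_event_type": m["action"],
        "metadata.product_name": "Cisco SMA",
        "metadata.vendor_name": "Cisco",
        "metadata.description": m["msg"],
        "observer.hostname": m["observer"],
        "security_result[0].severity": severity,
        "security_result[0].severity_details": sev_word,
    }
    # TRANSFER events carry the plugin, the source host and the fetched path.
    if m["action"] == "TRANSFER":
        t = TRANSFER_RE.match(m["msg"])
        if t:
            udm["principal.application"] = t["plugin"]
            udm["src.hostname"] = t["host"]
            udm["src.file.full_path"] = t["path"]
    return udm


def normalization_rate(lines):
    """Fraction of lines that normalize; the page expects about 90% for this source."""
    if not lines:
        return 0.0
    parsed = sum(1 for ln in lines if parse_line(ln) is not None)
    return parsed / len(lines)


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(parse_line(ln))
    print(f"normalized {normalization_rate(SAMPLE_LINES):.0%} of lines")
```

Lines that fail the header regex return None rather than raising, which is what the 90% expected normalization rate on this page is about: a fraction of SMA output (multi-line messages, non-standard bodies) will not map and should be counted, not silently dropped.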
Parser Alerting¶
This product currently does not have any Parser-based Alerting