cisco_facility="ASA"
| host=?asaHost
| cisco_severity=?severity
| cisco_className=?classname
| sankey(source="host", target="src_addr")

host=?asaHost
| cisco_facility="ASA"
| cisco_mnemonic=710003
| dst_port=?DestPort
| top(dst_port)

cisco_facility="ASA"
| sankey(source="host", target="cisco_mnemonic")

src_location="outside"
| match(file="cisco/asa/asa_message_class.csv", field="cisco_classDefinition")
| timechart(span=1h)

top(destination_ip, limit=10)

cisco_facility="ASA"
| count(field=host, distinct=true)

cisco_facility="ASA"
| host=?asaHost
| cisco_severity=?severity
| cisco_className=?classname
| rename(host,as=Firewall)
| rename(cisco_severity,as=Severity)
| rename(cisco_className,as="Class name")
| rename(cisco_mnemonic,as=Mnemonic)
| rename(cisco_message,as=Message)
| select(["@timestamp",Firewall,Severity,"Class name",Mnemonic,Message])

src_location="inside"
| match(file="cisco/asa/asa_message_class.csv", field="cisco_classDefinition")
| timechart(span=1h)

groupBy(["cisco_severity","cisco_className"], function=(count(as="Count")))
| rename(field="cisco_severity", as="Severity")
| rename(field="cisco_className", as="ClassName")
| select([Severity, ClassName, Count])

cisco_severity=?severity
| timechart("source_port")

cisco_action = "Built"
| timechart(span=1h)

top("source_ip", limit=10)

cisco_message="*ICMP*"
| groupBy(type, function=[])
| rename(field="type", as="Type")

cisco_facility="ASA"
| cisco_severity=?severity
| cisco_className=?classname
| groupby(host)
| rename(host,as=Firewall)
| rename("_count",as="Number of events")

groupBy(cisco_severity)

cisco_message="*failed*"
| timechart(span=1h)

cisco_facility="ASA"
| host=?asaHost
| cisco_severity=?severity
| cisco_className=?classname
| rename("cisco_classDefinition",as="ASA message classes")
| timechart("ASA message classes", limit=10)

groupBy([source_port, cisco_action, outside, inside], function = [])
| rename(field="source_port", as="Source Port")
| rename(field="cisco_action", as="Cisco Action")
| select(["Source Port", "Cisco Action"])

cisco_mnemonic = 302013
| top("src_addr", limit=10, rest=Other)

cisco_mnemonic = 710003
| top("src_addr", limit=10, rest=Other, percent=true)
| ipLocation("src_addr")
| match(file="cisco/asa/country_codes.csv", column=Alpha2Code, field=src_addr.country)
| rename("_count",as="Event count")
| rename(src_addr.country,as=Country1)
| rename(CountryName,as=Country2)
| rename(src_addr.state,as="State/region")
| rename(src_addr.city,as=City)
| rename(src_addr,as="Source IP address")
| format("%,.1f", field=percent, as=Percent)
| select(["Source IP address", Country1, Country2, "State/region", City, "Event count", Percent])

cisco_facility="ASA"
| cisco_severity=?severity
| cisco_className=?classname
| top("cisco_classDefinition", rest=Other, percent=true)
| rename("cisco_classDefinition",as="ASA message classes")
| rename("_count",as="Number of events")
| format("%,.2f", field=percent, as=Percent)
| table(["ASA message classes", "Number of events", Percent])

cisco_action="denied"
| top(field=[src_addr, src_port, dest_addr, service], as = "Count")
| ipLocation(field=src_addr)
| ioc:lookup("src_addr", type="ip_address")
| rename(src_addr, as = "Source Address")
| rename(src_port, as = "Source Port")
| select(["Source Address", "Source Port", "Count"])

cisco_facility="ASA"
| cisco_mnemonic=710003
| top(dst_port, as="Count")
| rename(dst_port, as = "Destination port")
| select(["Destination port", "Count"])

cisco_facility="ASA"
| cisco_severity=?severity
| cisco_className=?classname
| sankey(source="host", target="cisco_mnemonic")

groupBy(cisco_mnemonic, function=(count(as="Count")))
| rename(cisco_mnemonic, as = "Cisco mnemonic")
| select(["Cisco mnemonic", "Count"])

cisco_facility="ASA"
| cisco_severity=?severity
| cisco_className=?classname
| rename("cisco_severity_message",as="Severity levels")
| top("Severity levels")

cisco_mnemonic=710003
| worldMap(ip="src_addr")

cisco_message="*ICMP*"
| groupBy(type, function=[])
| rename(type, as = "Type")