gravwell · kyle-mallett-gravwell · Mar 18, 2026 · Mar 19, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/cisco_asa/BUILD b/cisco_asa/BUILD
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+#
+#
+# To build the kit you will need the Gravwell kitctl command
+# If you have a functioning Go build environment execute the following command:
+#	go install github.com/gravwell/gravwell/v3/kitctl
+#
+#
+# Then "pack" the kit into a kit file by executing the "pack" kitctl command
+#
+#
+# You can also just execute this file using bash
+#
+#
+OUT = "cisco_asa.kit"
+
+cmd=$(which kitctl)
+if [ "$?" != "0" ]; then
+	echo "Missing the kitctl command"
+	exit -1
+fi
+
+
+set -e
+$cmd pack $OUT
diff --git a/cisco_asa/MANIFEST b/cisco_asa/MANIFEST
diff --git a/cisco_asa/README.md b/cisco_asa/README.md
@@ -0,0 +1,27 @@
+# Cisco ASA Kit
+
+The Cisco ASA Kit provides a baseline set of tags, macros, saved queries, lookup resources, playbooks, actionables, dashboard searches, alert queries, and dashboards for your Cisco ASA data.
+
+The Cisco ASA Kit is licensed under the Apache 2.0 license and the contents are available on [Cisco ASA](https://github.com/gravwell/kits/tree/main/cisco_asa).
+
+## Dependencies
+- N/A
+
+## Changelog
+- 1.0: Initial Release
+	- actionables 				01
+	- alert 					00
+	- autoextractor 			07
+	- dashboard 				02
+	- file 						00
+	- license 					01
+	- macro 					10
+	- playbook 					01
+	- resource 					11
+	- scheduled 				00
+		- scheduled searches 	00
+		- flows 				00
+	- searchlibrary 			12
+		- alert queries 		00
+		- dashboard searches 	12
+	- template 					24 
diff --git a/cisco_asa/autoextractor/cisco-asa-auth.args b/cisco_asa/autoextractor/cisco-asa-auth.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-auth.meta b/cisco_asa/autoextractor/cisco-asa-auth.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-auth",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-auth, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-auth"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "e1ba69ef-c08b-4591-b024-21e27bd2f8cc",
+	"LastUpdated": "2026-03-17T13:51:48.99666817Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-auth.params b/cisco_asa/autoextractor/cisco-asa-auth.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-config.args b/cisco_asa/autoextractor/cisco-asa-config.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-config.meta b/cisco_asa/autoextractor/cisco-asa-config.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-config",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-config, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-config"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "33654421-16bf-4fcf-92b8-d463f2d0c9a8",
+	"LastUpdated": "2026-03-17T13:51:48.988224336Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-config.params b/cisco_asa/autoextractor/cisco-asa-config.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-events.args b/cisco_asa/autoextractor/cisco-asa-events.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-events.meta b/cisco_asa/autoextractor/cisco-asa-events.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-events",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-events, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-events"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "4ed9ad96-c7b2-4858-b8cd-7073aeb8037a",
+	"LastUpdated": "2026-03-17T13:51:48.989149461Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-events.params b/cisco_asa/autoextractor/cisco-asa-events.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-system.args b/cisco_asa/autoextractor/cisco-asa-system.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-system.meta b/cisco_asa/autoextractor/cisco-asa-system.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-system",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-system, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-system"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "a54dd070-a8eb-4ca2-81bf-d015387cb415",
+	"LastUpdated": "2026-03-17T13:51:48.993286378Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-system.params b/cisco_asa/autoextractor/cisco-asa-system.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-threat.args b/cisco_asa/autoextractor/cisco-asa-threat.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-threat.meta b/cisco_asa/autoextractor/cisco-asa-threat.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-threat",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-threat, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-threat"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "1403b87f-e4ef-43bf-a150-05cff69218ff",
+	"LastUpdated": "2026-03-17T13:51:48.986857753Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-threat.params b/cisco_asa/autoextractor/cisco-asa-threat.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-traffic.args b/cisco_asa/autoextractor/cisco-asa-traffic.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-traffic.meta b/cisco_asa/autoextractor/cisco-asa-traffic.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-traffic",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-traffic, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-traffic"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "006017c9-8035-4e9d-8d0e-5b80625d5fe9",
+	"LastUpdated": "2026-03-17T13:51:48.984908295Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-traffic.params b/cisco_asa/autoextractor/cisco-asa-traffic.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/autoextractor/cisco-asa-vpn.args b/cisco_asa/autoextractor/cisco-asa-vpn.args
@@ -0,0 +1 @@
+-p -e DATA
diff --git a/cisco_asa/autoextractor/cisco-asa-vpn.meta b/cisco_asa/autoextractor/cisco-asa-vpn.meta
@@ -0,0 +1,18 @@
+{
+	"Name": "cisco-asa-vpn",
+	"Desc": "Gravwell generated fields extraction for tag cisco-asa-vpn, args '-p -e DATA'",
+	"Module": "regex",
+	"Tag": "",
+	"Tags": [
+		"cisco-asa-vpn"
+	],
+	"Labels": [
+		"cisco",
+		"cisco asa"
+	],
+	"UID": 1,
+	"GIDs": null,
+	"Global": true,
+	"UUID": "37d12b56-12b9-4b9d-ad18-e8758709178c",
+	"LastUpdated": "2026-03-17T13:51:48.988705586Z"
+}
diff --git a/cisco_asa/autoextractor/cisco-asa-vpn.params b/cisco_asa/autoextractor/cisco-asa-vpn.params
@@ -0,0 +1 @@
+^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)
diff --git a/cisco_asa/cisco-banner.png b/cisco_asa/cisco-banner.png
diff --git a/cisco_asa/cisco-cover.png b/cisco_asa/cisco-cover.png
diff --git a/cisco_asa/cisco-icon.png b/cisco_asa/cisco-icon.png
diff --git a/cisco_asa/cisco_asa.metadata b/cisco_asa/cisco_asa.metadata
@@ -0,0 +1,44 @@
+{
+  "Tags": [
+    "cisco-asa-auth",
+    "cisco-asa-config",
+    "cisco-asa-events",
+    "cisco-asa-system",
+    "cisco-asa-threat",
+    "cisco-asa-traffic",
+    "cisco-asa-vpn"
+  ],
+  "Assets": [
+    {
+      "Type": "image",
+      "Source": "cisco-cover.png",
+      "Legend": "Cisco ASA Cover",
+      "Featured": true
+    },
+    {
+      "Type": "image",
+      "Source": "cisco-banner.png",
+      "Legend": "Cisco ASA Banner",
+      "Featured": true,
+      "Banner": true
+    },
+    {
+      "Type": "readme",
+      "Source": "README.md"
+    }
+  ],
+  "dashboards": [],
+  "attachments": [
+    {
+      "context": "cover",
+      "type": "image",
+      "file": "cisco-cover.png"
+    },
+    {
+      "context": "banner",
+      "type": "image",
+      "file": "cisco-banner.png"
+    }
+  ],
+  "readme": "README.md"
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		^(?:<(?P<priority>\d+)>)?:?\s*(?:(?P<version>\d+)\s+)?(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z\|[+-]\d{2}:\d{2})\|\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)(?:\s+(?P<deviceId>\S+))?\s+%(?P<appliance>\w+)-(?P<severity>\d+)-(?P<msgid>\d+):\s+(?P<msg>.+)