Use case: Create a report that uses event data that is not normalized
You can use a custom property to extract non-normalized data from an event payload and then use that data to build a report. For example, you can build a report that is based on the interface name contained in Cisco ASA firewall deny messages, such as the following sample events:
<162>Sep 02 2014 11:49:41: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface External
<162>Sep 02 2014 11:49:40: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface Loopback
<162>Sep 02 2014 11:49:17: %ASA-2-106001: Inbound TCP connection denied from 10.10.10.128/58821 to 10.11.11.11/9100 flags SYN on interface Internal
- Create the custom property.
In the sample events above, the event payload includes the word interface followed by the value that you want to extract. To capture the interface name from these events, create an extraction-based custom property and configure it to use the regular expression interface\s(.*)\b; the first capture group holds the interface name.
To ensure that the new custom property is available to use in a search, select the Enable for use in Rules, Forwarding Profiles and Search Indexing check box, and enable the custom property.
- Create a search, and in the Group By field, select the new custom event property.
To ensure that the search results include only Cisco ASA events, add the Cisco ASA log source as a quick filter in the search parameters. Save the search criteria so that you can use it in a report, and assign the saved search to a group to make it easier to find later.
- Create a report, and configure the graph content to use the new saved search.
If you did not configure the report to run after saving, you can run it immediately by selecting Actions > Run Report.
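The following added example is not part of the product documentation; it reproduces the three steps above outside the product so that you can check the regular expression before you enable the custom property. It applies the page's regex interface\s(.*)\b to constructed copies of the sample events, keeps only events that carry a Cisco ASA message ID (standing in for the log-source quick filter), and counts events per interface (standing in for the Group By search that the report consumes). The function names, the non-ASA sshd line, the event with trailing text after the interface name, and the tighter alternative pattern interface\s(\S+) are assumptions made for this example; they are not from the page.

```python
import re
from collections import Counter

# Constructed sample events modelled on the Cisco ASA deny messages above.
SAMPLE_EVENTS = [
    "<162>Sep 02 2014 11:49:41: %ASA-2-106001: Inbound TCP connection denied "
    "from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface External",
    "<162>Sep 02 2014 11:49:40: %ASA-2-106001: Inbound TCP connection denied "
    "from 10.10.10.128/58826 to 10.11.11.11/9100 flags SYN on interface Loopback",
    "<162>Sep 02 2014 11:49:17: %ASA-2-106001: Inbound TCP connection denied "
    "from 10.10.10.128/58821 to 10.11.11.11/9100 flags SYN on interface Internal",
    # Constructed non-ASA event; the log-source filter must drop it.
    "<38>Sep 02 2014 11:49:50 sshd[1234]: Failed password for invalid user "
    "admin from 10.10.10.200 port 4444 ssh2",
]

# Constructed event with text after the interface name (an assumption, not a
# format shown on the page) used to show how the greedy .* behaves.
TRAILING_TEXT_EVENT = (
    "<162>Sep 02 2014 11:50:03: %ASA-2-106001: Inbound TCP connection denied "
    "from 10.10.10.128/58830 to 10.11.11.11/9100 flags SYN on interface External (ACL inside_in)"
)

# The regular expression from the procedure above.
INTERFACE_REGEX = re.compile(r"interface\s(.*)\b")

# Tighter alternative (assumption): stop at the first whitespace so that any
# trailing text is not swallowed into the interface name.
STRICT_INTERFACE_REGEX = re.compile(r"interface\s(\S+)")

# Stand-in for the log-source quick filter: require a Cisco ASA message ID.
ASA_MARKER = re.compile(r"%ASA-\d-\d+:")


def is_asa_event(payload: str) -> bool:
    """Return True when the payload carries a Cisco ASA message ID."""
    return ASA_MARKER.search(payload) is not None


def extract_interface(payload: str, pattern=INTERFACE_REGEX):
    """Apply the custom-property regex; return capture group 1 or None."""
    match = pattern.search(payload)
    return match.group(1) if match else None


def group_by_interface(events, pattern=INTERFACE_REGEX):
    """Filter to ASA events and count them per extracted interface name,
    mirroring a search grouped by the custom property."""
    counts = Counter()
    for payload in events:
        if not is_asa_event(payload):
            continue
        interface = extract_interface(payload, pattern)
        if interface is not None:
            counts[interface] += 1
    return dict(counts)


if __name__ == "__main__":
    # Report content: one row per interface with its deny count.
    for name, count in sorted(group_by_interface(SAMPLE_EVENTS).items()):
        print(f"{name}\t{count}")
    # Show the greedy-capture difference on the trailing-text event.
    print(repr(extract_interface(TRAILING_TEXT_EVENT)))
    print(repr(extract_interface(TRAILING_TEXT_EVENT, STRICT_INTERFACE_REGEX)))
```

On the three sample events both patterns return the bare interface name, so the page's regex is correct for the format shown. The trailing-text event illustrates why it is worth testing the regex against every message variant your log source actually emits: the greedy .* followed by \b captures everything up to the last word boundary, so a suffix after the interface name would become part of the grouped value and split your report into extra rows.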