index=ips sourcetype=corelight_http method=GET status=20*
| rex field=uri max_match=0 "(?<payload>\/\+CSCOE\+\/portal\.css\?\w+=(?<token>.*)\&.*=(?<lua_script>.*))"
| where isnotnull(payload)
| table _time src_ip dest_ip method status uri payload token lua_script
index=ips sourcetype=corelight_http method=POST status=20* uri="/CSCOSSLC/config-auth"
| table _time src_ip dest_ip method status uri
index=syslog sourcetype=cisco:asa
| rex field=_raw "\:\s\%(?<code>ASA\-\d\-\d+)\:"
| search code IN ("ASA-4-106103", "ASA-4-109027", "ASA-4-113019", "ASA-4-315009", "ASA-4-717037", "ASA-4-722041", "ASA-4-768003", "ASA-5-111001", "ASA-5-111003", "ASA-5-111008", "ASA-5-212009", "ASA-5-718072", "ASA-5-734002", "ASA-5-8300006", "ASA-6-113015", "ASA-7-734003")
| table _time code message src_ip user dest_ip