From 478ce422b8ba9ea5b6790ff9fb4708e22417c5b5 Mon Sep 17 00:00:00 2001 
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 20 Apr 2021 12:02:09 -0400 Subject: [PATCH] [Filebeat][Cisco ASA] log enhancement and performance (backport #24744) (#25158) * [Filebeat][Cisco ASA] log enhancement and performance (#24744) * ecs fix - more message pattern - Fixed some ECS issues - added anchors on grok patterns for performance - added messages: ------------------------- 434004 434002 713905 750002 750003 110002 419002 602304 602303 713120 713202 713901 713904 713906 713905 ------------------------- - with the messages pattern added also this commit add four new event action types in the script that mapped event actions to the event.kind/category/type - added set processor for adding outcome, action and protocol if necessary for the new messages * Update asa-ftd-pipeline.yml * Update asa-ftd-pipeline.yml fix parsing error and add enhancements * Update asa-ftd-pipeline.yml fix 602303 * testing for PR and some minor fixes * commit for requested changes * newline * test * make test commit commit after running tests. * Fix parsing on 106014 with an additional ${SPACE} in grok pattern, so space in between is optional in log message * fixed 106014 finally This fixing finally 106014. We have, afaik, two options. Use IPORHOST to not match '(type' or using '(?[^ (]*)' so we only dispense on space or '(' for the case destination.address is weird. NOTSPACE is not work in this case. 
* after test commit * Test after merge * Update generated * Add changelog * Undo meraki generated file changes * Update generated Co-authored-by: pcosic Co-authored-by: pcosic <69909732+pcosic@users.noreply.github.com> (cherry picked from commit 226485bd22e13a027acc8e644cc1f43280d8b851) * geoip updates Co-authored-by: Andrew Kroh
---
 CHANGELOG.next.asciidoc | 3 +
 .../cisco/asa/test/additional_messages.log | 15 +
 .../additional_messages.log-expected.json | 723 +++++++++++++++++-
 .../cisco/asa/test/asa-fix.log-expected.json | 20 +-
 .../cisco/asa/test/asa.log-expected.json | 26 +-
 .../cisco/asa/test/filtered.log-expected.json | 2 +-
 .../cisco/asa/test/not-ip.log-expected.json | 4 +-
 .../cisco/asa/test/sample.log-expected.json | 110 +-
 .../cisco/ftd/test/asa-fix.log-expected.json | 8 +-
 .../cisco/ftd/test/asa.log-expected.json | 26 +-
 .../cisco/ftd/test/dns.log-expected.json | 42 +-
 .../cisco/ftd/test/not-ip.log-expected.json | 4 +-
 .../cisco/ftd/test/sample.log-expected.json | 110 +-
 .../security-connection.log-expected.json | 20 +-
 .../security-malware-site.log-expected.json | 2 +-
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 199 +++--
 16 files changed, 1048 insertions(+), 266 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 5ad46b29c08..cb466002f0c 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -244,6 +244,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
 - Fix date parsing in GSuite/login fileset. {issue}24694[24694]
 - Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
+- Fix usage of unallowed ECS event.outcome values in Cisco ASA/FTD pipeline. {pull}24744[24744].
+- Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
 - Improve PanOS parsing and ingest pipeline. {issue}22413[22413] {issue}22748[22748] {pull}24799[24799]
 - Fix S3 input validation for non amazonaws.com domains. {issue}24420[24420] {pull}24861[24861]
 - Fix google_workspace and okta modules pagination when next page template is empty. {pull}24967[24967]
@@ -537,6 +539,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Support X-Forwarder-For in IIS logs. {pull}19142[192142]
 - Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607]
 - Updating field mappings for Cisco AMP module, fixing certain fields. {pull}24661[24661]
+- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744]
 - Added NTP fileset to Zeek module {pull}24224[24224]
 - Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662]
 - Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
index e80287d4093..0c3aef67223 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log 
@@ -68,3 +68,18 @@ Apr 27 02:03:03 dev01: %ASA-4-722051: Group User IP <192.168
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
 Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 7c3e3b868b1..35c5882513c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -434,10 +434,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67",
+ "event.outcome": "failure",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
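Review bot: The new sample lines use the routable address 91.240.17.178 as the source, which the golden output then enriches with a named organisation ("CDW Ltd") and city; an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24) would avoid pointing the fixture at a third party's address space and would keep the expected files independent of the GeoIP database version, which the commit message shows already needed a separate "geoip updates" pass. The destination ports 123123, 514514 and 123412 are outside the valid 0–65535 range, so the fixture exercises values no device would emit rather than representative ports, and it does not show whether the pipeline is expected to reject an out-of-range port. The added lines also carry a year (`Apr 27 2020 02:03:03`) while the existing lines do not; that is fine if covering both timestamp formats is deliberate.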
@@ -1010,7 +1012,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1109,7 +1111,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1348,7 +1350,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1398,7 +1400,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1447,7 +1449,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1498,18 +1500,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4053,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "out111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1546,18 +1550,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4197,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "out111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1594,18 +1600,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4337,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "fw111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1982,7 +1990,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2035,7 +2043,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2154,10 +2162,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985",
+ "event.outcome": "failure",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2259,7 +2269,7 @@
 "cisco.asa.destination_interface": "fw111",
 "cisco.asa.message_id": "106014",
 "cisco.asa.source_interface": "fw111",
- "destination.address": "10.10.10.10(type",
+ "destination.address": "10.10.10.10",
 "destination.ip": "10.10.10.10",
 "event.action": "firewall-rule",
 "event.category": [
@@ -2270,7 +2280,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2362,7 +2372,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2460,7 +2470,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2504,7 +2514,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2548,7 +2558,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2592,7 +2602,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2715,7 +2725,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2778,7 +2788,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2829,7 +2839,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "allowed"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2950,7 +2961,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3046,7 +3057,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3402,10 +3413,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -3444,5 +3457,653 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": "434004", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 123123, + "event.action": "bypass", + "event.category": [ + "network" + ], + "event.code": 434004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", + "event.outcome": "unknown", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 10048, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 8888, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": 
"434002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 514514, + "event.action": "drop", + "event.code": 434002, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", + "event.outcome": "unknown", + "event.severity": 4, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 10266, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.138", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.138", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.138", + "source.port": 8888, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "110002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 123412, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 110002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-110002: 
Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", + "event.outcome": "failure", + "event.reason": "Failed to locate egress interface", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10433, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "destinationInterfaceName", + "cisco.asa.message_id": "419002", + "cisco.asa.source_interface": "sourceInterfaceName", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 514514, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 419002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", + "event.reason": "Duplicate TCP SYN with different initial sequence 
number", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 10584, + "network.protocol": "tcp", + "observer.egress.interface.name": "sourceInterfaceName", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "destinationInterfaceName", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "750002", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 7777, + "event.action": "connection-started", + "event.category": [ + "network" + ], + "event.code": 750002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", + "event.reason": "Received a IKE_INIT_SA request", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "start" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 11099, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + 
"observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "750003", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 7777, + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 750003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", + "event.reason": "Negotiation aborted due to Failed to locate an item in the database", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 11237, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178", + "192.168.2.2" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": 
"Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "source.port": 7777, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "713120", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713120, + "event.dataset": "cisco.asa", + "event.id": "bbe383e88", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", + "event.outcome": "success", + "event.reason": "PHASE 2 COMPLETED", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 11419, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.128.1.1" + ], + "service.type": "cisco", + "source.address": "192.128.1.1", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.128.1.1", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713202", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713202, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. 
Ignoring packet.", + "event.reason": "Duplicate first packet detected", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 11539, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.64.157.61" + ], + "service.type": "cisco", + "source.address": "192.64.157.61", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.64.157.61", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713905", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713905, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11652, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.128.1.1" + ], + "service.type": "cisco", + "source.address": "192.128.1.1", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "192.128.1.1", + 
"tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713904", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713904, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713904: All IPSec SA proposals found unacceptable!", + "event.outcome": "failure", + "event.reason": "All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "error", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11779, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713903", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713903, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 11865, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713902", + "event.action": "error", + "event.category": [ + "network" + ], + "event.code": 713902, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", + 
"event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11969,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713901",
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713901,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 12078,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "192.128.1.1"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.128.1.1",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "192.128.1.1",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index 7dde207d2b0..4e637011f22 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -73,7 +73,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -124,7 +124,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -172,7 +172,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -220,7 +220,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -264,7 +264,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -318,7 +318,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -366,7 +366,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -414,7 +414,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -463,7 +463,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -522,7 +522,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index 355b9450453..5ef9d2d302c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -4762,7 +4762,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4819,7 +4819,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4876,7 +4876,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4933,7 +4933,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4990,7 +4990,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5047,7 +5047,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5104,7 +5104,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5161,7 +5161,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5218,7 +5218,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5275,7 +5275,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5332,7 +5332,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5389,7 +5389,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5446,7 +5446,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
index 948f6c85ab4..ef40c896297 100644
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
@@ -50,7 +50,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
index 85bfef8b52a..8e79d12f022 100644
--- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -125,7 +125,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 34f1549272a..6a04d9e08e4 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -67,7 +67,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -118,7 +118,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -168,7 +168,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -223,7 +223,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -841,7 +841,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -891,7 +891,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -941,7 +941,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -991,7 +991,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1041,7 +1041,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1091,7 +1091,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1141,7 +1141,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1191,7 +1191,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1241,7 +1241,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1291,7 +1291,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1341,7 +1341,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1389,7 +1389,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1436,7 +1436,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1486,7 +1486,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1536,7 +1536,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1586,7 +1586,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1636,7 +1636,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1686,7 +1686,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1736,7 +1736,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1786,7 +1786,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1836,7 +1836,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1886,7 +1886,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1937,7 +1937,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2041,7 +2041,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2092,7 +2092,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2418,18 +2418,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7275,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
 "observer.product": "asa",
 "observer.type": "firewall",
@@ -2464,18 +2466,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 7417,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
 "observer.product": "asa",
 "observer.type": "firewall",
@@ -2512,7 +2516,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2776,7 +2780,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2824,7 +2828,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2872,7 +2876,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2920,7 +2924,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2968,7 +2972,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3016,7 +3020,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3064,7 +3068,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3112,7 +3116,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3163,7 +3167,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3215,7 +3219,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3265,7 +3269,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3318,7 +3322,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3438,7 +3442,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3486,7 +3490,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3528,7 +3532,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3571,7 +3575,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
index ca827be6c56..5211256b5f7 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -75,7 +75,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -127,7 +127,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -176,7 +176,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -225,7 +225,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index 475389976c6..9b6475f3329 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -4679,7 +4679,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4735,7 +4735,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4791,7 +4791,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4847,7 +4847,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4903,7 +4903,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -4959,7 +4959,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5015,7 +5015,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5071,7 +5071,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5127,7 +5127,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5183,7 +5183,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5239,7 +5239,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5295,7 +5295,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -5351,7 +5351,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index 093665fca98..ffc81a2f737 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -59,7 +59,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -170,7 +170,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -279,7 +279,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -390,7 +390,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -500,7 +500,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -609,7 +609,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -721,7 +721,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -830,7 +830,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -940,7 +940,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1051,7 +1051,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1163,7 +1163,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1268,7 +1268,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1378,7 +1378,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1487,7 +1487,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1597,7 +1597,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1708,7 +1708,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1817,7 +1817,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1926,7 +1926,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2035,7 +2035,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2142,7 +2142,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2253,7 +2253,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
index cc0af87b551..3f384531b33 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -123,7 +123,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
index 0e0512e1c3a..865c5a2764e 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -66,7 +66,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -116,7 +116,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -165,7 +165,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -219,7 +219,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -825,7 +825,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -874,7 +874,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -923,7 +923,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -972,7 +972,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1021,7 +1021,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1070,7 +1070,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1119,7 +1119,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1168,7 +1168,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1217,7 +1217,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1266,7 +1266,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1315,7 +1315,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1362,7 +1362,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1408,7 +1408,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1457,7 +1457,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1506,7 +1506,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1555,7 +1555,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1604,7 +1604,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1653,7 +1653,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1702,7 +1702,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1751,7 +1751,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1800,7 +1800,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1849,7 +1849,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1899,7 +1899,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2005,7 +2005,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2059,7 +2059,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2399,18 +2399,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7315, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", "observer.product": "ftd", 
@@ -2448,18 +2450,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7462, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", "observer.product": "ftd", @@ -2499,7 +2503,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2774,7 +2778,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2821,7 +2825,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2868,7 +2872,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -2915,7 +2919,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2962,7 +2966,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3009,7 +3013,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3056,7 +3060,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3103,7 +3107,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3153,7 +3157,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -3204,7 +3208,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", "event.type": [ @@ -3253,7 +3257,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3305,7 +3309,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3426,7 +3430,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3473,7 +3477,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3514,7 +3518,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3556,7 +3560,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 6a38a072bfc..be1d11ad0af 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -42,7 +42,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -135,7 +135,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:05:33.000Z", "event.timezone": "-02:00", @@ -239,7 +239,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -348,7 +348,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:00.000Z", "event.timezone": "-02:00", @@ -449,7 +449,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -558,7 +558,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:18.000Z", "event.timezone": "-02:00", @@ -666,7 +666,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -774,7 +774,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-16T09:33:15.000Z", "event.timezone": "-02:00", @@ -874,7 +874,7 @@ "event.type": [ "connection", "start", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "firepower", @@ -974,7 +974,7 @@ "event.type": [ "connection", "end", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "siem-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index de4be40b0b5..b23b07b6ac2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
@@ -61,7 +61,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 0, "event.start": "2020-03-01T01:02:16.000Z", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 7cd61253320..b016a5c3fd0 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -135,7 +135,6 @@ processors: }, }, ] - # # Set log.level # @@ -174,6 +173,7 @@ processors: # # Firewall messages + # # This set of messages is shared between FTD and ASA. - set: 
@@ -226,13 +226,13 @@ processors: field: "message" description: "106014" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" description: "106015" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" @@ -371,7 +371,7 @@ processors: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" description: "304001" - value: allow + value: success - dissect: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" 
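Review bot: The rewritten 106014 and 106015 grok patterns are still unanchored, although the commit's stated purpose includes anchoring grok patterns for performance and the Teardown patterns later in this file do receive a leading `^`; prefixing both patterns with `^` (and closing the 106015 one with `$`) keeps them consistent with the rest of the change. In 106014 the raw capture `(?[^ (]*)` is rendered without a group name on this page, so it either lost its `<destination.address>` name in transit or is a regex syntax error as committed; please confirm the committed text reads `(?<destination.address>[^ (]*)`. That class also accepts an empty match, so a message with no destination address would set `destination.address` to an empty string rather than leaving it absent; `[^ (]+` avoids that. In 106015 the two bare `%{NOTSPACE}` tokens silently assume the fixed text `(no connection)`; a short comment such as `# "(no connection)" is consumed by the two unnamed NOTSPACE tokens` would spare the next reader a guess.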
@@ -628,12 +628,12 @@ processors: if: "ctx._temp_.cisco.message_id == '710003'" field: "message" description: "710003" - pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '710005'" field: "message" description: "710005" - pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '713049'" field: "message" 
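Review bot: The 710003 and 710005 dissect patterns now write raw message text (`denied`, `discarded`) straight into `event.outcome`, which only admits `success`, `failure` and `unknown` in ECS, so the field depends on a later normalization step that is not visible in this hunk. For 710005 the later `set` added in the next hunk overwrites `event.outcome` with `failure` unconditionally, which makes the `%{event.outcome}` capture in `pattern: "%{network.transport} request %{event.outcome} from …"` dead. Capturing into a temporary field instead, e.g. `pattern: "%{network.transport} access %{_temp_.cisco.outcome} by ACL from …"`, and mapping that to an ECS value in one place would keep non-ECS strings out of `event.outcome` if the message wording ever differs from the fixtures.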
@@ -677,6 +677,86 @@ processors: field: "_temp_.cisco.dap_records" separator: ",\\s+" ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", 
"713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") 
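Review bot: The new 434002, 434004 and 110002 patterns capture the layer-4 protocol (the slot that holds `tcp`/`udp` in sibling patterns such as 106015 and 710003) into `network.protocol`, and the 419002 `set` hard-codes `network.protocol: "tcp"`; in ECS `network.protocol` is the application protocol (`http`, `dns`) while the transport belongs in `network.transport`, so these should read `%{network.transport}` and `field: "network.transport"`. Likewise the 602303/602304 pattern puts the leading `IPSEC`-style token into `network.type`, which ECS reserves for the layer-3 type (`ipv4`/`ipv6`); a `_temp_` or `network.inner`-adjacent field would be more accurate. The `set` that assigns `event.action: connection-started` for `["750002", "750003"]` is immediately overridden for 750003 by the following `set` to `error`, so listing 750003 in the first condition is redundant and hides the intended action for that message. The new dissect processors also omit the `description:` key every neighbouring processor carries, which makes pipeline failure messages harder to attribute.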
@@ -691,19 +771,18 @@ processors: if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - 
Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code 
%{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) 
%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? 
pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - # # Decode FTD's Security Event Syslog Messages # @@ -721,7 +800,6 @@ processors: trim_key: " " trim_value: " " ignore_failure: true - # # Remove message. # @@ -732,7 +810,6 @@ processors: field: - message ignore_missing: true - # # Populate ECS fields from Security Events # @@ -1118,7 +1195,6 @@ processors: #******************************************************************************* # End of generated code. #******************************************************************************* - # # Normalize ECS field values # @@ -1133,7 +1209,6 @@ processors: "430003": connection-finished "430004": file-detected "430005": malware-detected - "dns.question.type": map: "a host address": A @@ -1145,14 +1220,12 @@ processors: "marks the start of a zone of authority": SOA "mail exchange": MX "server selection": SRV - "dns.response_code": map: "non-existent domain": NXDOMAIN "server failure": SERVFAIL "query refused": REFUSED "no error": NOERROR - source: | def getField(Map src, String[] path) { for (int i=0; i}" ignore_failure: true - # # Remove temporary fields # - remove: field: _temp_ ignore_missing: true - # # Rename some 7.x fields # @@ -1617,7 +1684,6 @@ processors: field: cisco.{< .internal_prefix >}.list_id target_field: cisco.{< .internal_prefix >}.rule_name ignore_missing: true - # ECS categorization - script: lang: painless 
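Review bot: The seven Teardown alternatives gain a `^` anchor but no `$`, and since they differ only by optional trailing segments, a message whose tail deviates from the expected wording will fall through to a shorter alternative and match as a prefix, silently dropping the unmatched `event.reason`, initiator or user fields rather than failing the grok. Closing each alternative with `$` (the faddr/gaddr variant already ends in an optional group, so `…code %{NUMBER:_temp_.cisco.icmp_code})?$`) would surface such deviations in the `grok` failure path instead. This is inferred from the pattern shapes alone; if the pipeline relies on prefix matching for some device firmware variants, a comment saying so on the `patterns:` key would settle it.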
@@ -1667,6 +1733,36 @@ processors: - malware type: - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user source: >- if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { return; @@ -1674,19 +1770,18 @@ processors: ctx.event.kind = params.get(ctx.event.action).get('kind'); ctx.event.category = params.get(ctx.event.action).get('category').clone(); ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { return; } if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { - if (ctx.event.outcome == 'allow') { + if (ctx.event.outcome == 'success') { ctx.event.type.add('allowed'); } - if (ctx.event.outcome == 'deny') { + if (ctx.event.outcome == 'failure') { ctx.event.type.add('denied'); } if (ctx.event.outcome == 'block') { - ctx.event.type.add('denied'); + ctx.event.type.add('failure'); } }
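Review bot: The new `error` entry declares `outcome: failure`, but the script in the same processor copies only `kind`, `category` and `type` out of `params` (`params.get(ctx.event.action).get('kind')` and so on), so that key is never applied and `event.outcome` for the `error` action comes solely from the earlier `set` processors. Either drop the key or honour it with `if (params.get(ctx.event.action).containsKey('outcome')) { ctx.event.outcome = params.get(ctx.event.action).get('outcome'); }` before the outcome-null check. In the script hunk that follows, the `block` branch was changed to `ctx.event.type.add('failure');`, yet `failure` is an `event.outcome` value, not an allowed `event.type` value; the previous `ctx.event.type.add('denied');` was correct, and the security-connection fixtures in this commit were regenerated to carry the invalid `"failure"` type rather than catching it.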