x-pack/filebeat/module/cisco: remove invalid values from ECS fields

CHANGELOG.next.asciidoc

@@ -56,6 +56,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - aws-s3 input: Stop SQS keep-alive routine on InvalidParameterValue error. {issue}30675[30675] {pull}31499[31499]
 - Supporting the double digit date parsing in ingest pipeline for oracle logs. {pull}31514[31514]
 - Fix handling of code_sign data in ThreatIntel Malwarebazaar. {issue}29972[29972] {pull}31552[31552]
+- Remove invalid term from event.outcome in the cisco asa and ftd modules. {pull}31628[31628]
 
 *Heartbeat*
 - Fix unintentional use of no-op logger. {pull}31543[31543]

x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json

@@ -3440,14 +3440,15 @@
         "destination.port": 80,
         "event.action": "firewall-rule",
         "event.category": [
+            "intrusion_detection",
             "network"
         ],
         "event.code": 338004,
         "event.dataset": "cisco.asa",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
-        "event.outcome": "monitored",
+        "event.outcome": "success",
         "event.severity": 4,
         "event.timezone": "-02:00",
         "event.type": [

x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json

@@ -3427,14 +3427,15 @@
         "destination.port": 80,
         "event.action": "firewall-rule",
         "event.category": [
+            "intrusion_detection",
             "network"
         ],
         "event.code": 338004,
         "event.dataset": "cisco.ftd",
         "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
-        "event.outcome": "monitored",
+        "event.outcome": "success",
         "event.severity": 4,
         "event.timezone": "-02:00",
         "event.type": [

x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml

@@ -1879,6 +1879,10 @@ processors:
         } else if (ctx?.event?.action.startsWith('connection-')) {
           ctx.event.type.add('connection');
         }
+        if (ctx.event.outcome == 'monitored') {
+          ctx.event.category.add('intrusion_detection');
+          ctx.event.outcome = 'success';
+        }
 
   - set:
       description: copy destination.user.name to user.name if it is not set