diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
index 069be4988df..538ef12e221 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -68,3 +68,18 @@ Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
 Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
 Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
+Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
+Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
+Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
+Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
+Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
+Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
+Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
+Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
+Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
+Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
+Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
+Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 76605f3da60..85ca9b9cb3d 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -422,10 +422,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67",
+ "event.outcome": "failure",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
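Review bot: Two of the fifteen new sample lines, 602303 and 602304 (`IPSEC: An outbound LAN-to-LAN SA ... has been created/deleted`), have no corresponding entry in the regenerated expected JSON: the new entries jump from `log.offset` 10587 (419002) to 11102 (750002), a gap that roughly matches the length of those two lines. Either the pipeline drops them or they fail parsing, and the fixture should pin which, rather than silently losing two of the messages this commit set out to cover. The TCP peers on the 434004, 434002, 110002 and 419002 lines use ports 123123, 514514 and 123412, which cannot occur on the wire; a value below 65536 (e.g. `192.168.2.2/443`) keeps the golden `destination.port` values representative. The new lines also carry a year (`Apr 27 2020 02:03:03`) while every surrounding line omits it; if that is deliberate coverage of the second timestamp form it is worth stating in the commit message, otherwise they should match the existing lines.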
@@ -990,7 +992,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1089,7 +1091,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1324,7 +1326,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1374,7 +1376,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1423,7 +1425,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1474,18 +1476,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4053,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "out111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1522,18 +1526,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4197,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "out111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1570,18 +1576,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4337,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "fw111",
 "observer.hostname": "dev01",
 "observer.product": "asa",
@@ -1760,7 +1768,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1813,7 +1821,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1932,10 +1940,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985",
+ "event.outcome": "failure",
 "event.severity": 7,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2037,7 +2047,7 @@
 "cisco.asa.destination_interface": "fw111",
 "cisco.asa.message_id": "106014",
 "cisco.asa.source_interface": "fw111",
- "destination.address": "10.10.10.10(type",
+ "destination.address": "10.10.10.10",
 "destination.ip": "10.10.10.10",
 "event.action": "firewall-rule",
 "event.category": [
@@ -2048,7 +2058,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2141,7 +2151,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2240,7 +2250,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2285,7 +2295,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2330,7 +2340,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2375,7 +2385,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2498,7 +2508,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2561,7 +2571,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2612,7 +2622,8 @@
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "allowed"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -2727,7 +2738,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2817,7 +2828,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -3159,10 +3170,12 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "asa",
 "host.hostname": "dev01",
@@ -3201,5 +3214,653 @@
 "cisco-asa",
 "forwarded"
 ]
+ },
+ {
+ "cisco.asa.destination_interface": "destinationInterfaceName",
+ "cisco.asa.message_id": "434004",
+ "cisco.asa.source_interface": "sourceInterfaceName",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 123123,
+ "event.action": "bypass",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 434004,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally",
+ "event.outcome": "unknown",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "change"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 10051,
+ "network.protocol": "tcp",
+ "observer.egress.interface.name": "sourceInterfaceName",
+ "observer.hostname": "dev01",
+ "observer.ingress.interface.name": "destinationInterfaceName",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.178",
+ "192.168.2.2"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.178",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.178",
+ "source.port": 8888,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.destination_interface": "destinationInterfaceName",
+ "cisco.asa.message_id": "434002",
+ "cisco.asa.source_interface": "sourceInterfaceName",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 514514,
+ "event.action": "drop",
+ "event.code": 434002,
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.original": "%ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514",
+ "event.outcome": "unknown",
+ "event.severity": 4,
+ "event.timezone": "-02:00",
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 10269,
+ "network.protocol": "tcp",
+ "observer.egress.interface.name": "sourceInterfaceName",
+ "observer.hostname": "dev01",
+ "observer.ingress.interface.name": "destinationInterfaceName",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.138",
+ "192.168.2.2"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.138",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.138",
+ "source.port": 8888,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "110002",
+ "cisco.asa.source_interface": "sourceInterfaceName",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 123412,
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 110002,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412",
+ "event.outcome": "failure",
+ "event.reason": "Failed to locate egress interface",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 10436,
+ "network.protocol": "tcp",
+ "observer.egress.interface.name": "sourceInterfaceName",
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.178",
+ "192.168.2.2"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.178",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.178",
+ "source.port": 7777,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.destination_interface": "destinationInterfaceName",
+ "cisco.asa.message_id": "419002",
+ "cisco.asa.source_interface": "sourceInterfaceName",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 514514,
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 419002,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number",
+ "event.reason": "Duplicate TCP SYN with different initial sequence number",
+ "event.severity": 4,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 10587,
+ "network.protocol": "tcp",
+ "observer.egress.interface.name": "sourceInterfaceName",
+ "observer.hostname": "dev01",
+ "observer.ingress.interface.name": "destinationInterfaceName",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.178",
+ "192.168.2.2"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.178",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.178",
+ "source.port": 7777,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "750002",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 7777,
+ "event.action": "connection-started",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 750002,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request",
+ "event.reason": "Received a IKE_INIT_SA request",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "start"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 11102,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.178",
+ "192.168.2.2"
+ ],
+ "related.user": [
+ "admin"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.178",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.178",
+ "source.port": 7777,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ],
+ "user.name": "admin"
+ },
+ {
+ "cisco.asa.message_id": "750003",
+ "destination.address": "192.168.2.2",
+ "destination.ip": "192.168.2.2",
+ "destination.port": 7777,
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 750003,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database",
+ "event.reason": "Negotiation aborted due to Failed to locate an item in the database",
+ "event.severity": 4,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "warning",
+ "log.offset": 11240,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "91.240.17.178",
+ "192.168.2.2"
+ ],
+ "related.user": [
+ "admin"
+ ],
+ "service.type": "cisco",
+ "source.address": "91.240.17.178",
+ "source.as.number": 201126,
+ "source.as.organization.name": "CDW Ltd",
+ "source.geo.city_name": "London",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "GB",
+ "source.geo.country_name": "United Kingdom",
+ "source.geo.location.lat": 51.5888,
+ "source.geo.location.lon": -0.0247,
+ "source.geo.region_iso_code": "GB-ENG",
+ "source.geo.region_name": "England",
+ "source.ip": "91.240.17.178",
+ "source.port": 7777,
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ],
+ "user.name": "admin"
+ },
+ {
+ "cisco.asa.message_id": "713120",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713120,
+ "event.dataset": "cisco.asa",
+ "event.id": "bbe383e88",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)",
+ "event.outcome": "success",
+ "event.reason": "PHASE 2 COMPLETED",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "allowed"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 11422,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "192.128.1.1"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.128.1.1",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "192.128.1.1",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713202",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713202,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.",
+ "event.reason": "Duplicate first packet detected",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 11542,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "192.64.157.61"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.64.157.61",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "192.64.157.61",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713905",
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713905,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11655,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "192.128.1.1"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.128.1.1",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "192.128.1.1",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713904",
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713904,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713904: All IPSec SA proposals found unacceptable!",
+ "event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11782,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713903",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713903,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11868,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713902",
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713902,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!",
+ "event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 11972,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "713901",
+ "event.action": "error",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713901,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!",
+ "event.outcome": "failure",
+ "event.reason": "All IPSec SA proposals found unacceptable!",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error",
+ "denied"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 12081,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "192.128.1.1"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.128.1.1",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "192.128.1.1",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index a57299252ca..a82e03747c1 100644
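Review bot: The four new SFR/egress entries (434004, 434002, 110002, 419002) record TCP under `"network.protocol": "tcp"`, while the 106015 entries corrected earlier in this same file now carry `"network.transport": "tcp"` and `"network.iana_number": 6`; TCP is a transport-layer protocol in ECS, so these new expectations pin the wrong field and the pipeline mapping for those message IDs should be brought in line before the golden file is accepted. The 434002 entry also lacks `event.kind`, `event.category` and `event.type`, which every sibling entry carries. Handling of the identical message text "All IPSec SA proposals found unacceptable!" is inconsistent: 713901, 713902, 713904 and 713905 get `"event.action": "error"`, `"event.outcome": "failure"` and `["error", "denied"]`, whereas 713903 gets `"event.action": "firewall-rule"`, `["info"]`, no outcome and no `source.ip` despite the `IP = 192.128.1.1` token in its original. The 434004 and 434002 entries map `sourceInterfaceName` to `observer.egress.interface.name` and `destinationInterfaceName` to `observer.ingress.interface.name`; if the source interface is the one the flow entered on, that is inverted, and it is worth checking against the mapping the pipeline uses for the other message IDs. Since this is a generated expected-output file, each of these fixes belongs in the ingest pipeline, with the file regenerated afterwards.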
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -72,7 +72,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -124,7 +124,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -173,7 +173,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -222,7 +222,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -267,7 +267,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -321,7 +321,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -369,7 +369,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -417,7 +417,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -466,7 +466,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 3,
 "event.timezone": "-02:00",
 "event.type": [
@@ -525,7 +525,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 1,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index ea4dcecdef3..fe4ec1e3959 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -4741,7 +4741,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4798,7 +4798,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4855,7 +4855,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4912,7 +4912,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4969,7 +4969,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -5026,7 +5026,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5083,7 +5083,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5140,7 +5140,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5197,7 +5197,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5254,7 +5254,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -5311,7 +5311,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5368,7 +5368,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5425,7 +5425,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 948f6c85ab4..ef40c896297 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -50,7 +50,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 85bfef8b52a..8e79d12f022 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json 
@@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -125,7 +125,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index fcf7d339222..9ab7c477f0a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -17,7 +17,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -67,7 +67,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -118,7 +118,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -168,7 +168,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -223,7 +223,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ @@ -311,7 +311,7 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743274", "cisco.asa.destination_interface": "outside", - "cisco.asa.mapped_destination_ip": "10.123.3.42", + "cisco.asa.mapped_destination_host": "10.123.3.42.130", "cisco.asa.mapped_destination_port": 12834, "cisco.asa.mapped_source_ip": "192.0.2.43", "cisco.asa.mapped_source_port": 443, @@ -838,7 +838,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
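Review bot: The `@@ -311` hunk renames `cisco.asa.mapped_destination_ip` to `cisco.asa.mapped_destination_host` and pins the value `10.123.3.42.130`, which is not a valid IPv4 address; the old fixture shows the previous grammar silently truncating it to `10.123.3.42` inside an ip-typed field, so routing it to a host field is the right fix, but it is also a field rename that will likely break saved searches and detection rules keyed on the old name. Presumably `mapped_destination_host` is declared in the module's fields.yml elsewhere in this commit; a changelog entry stating that `mapped_destination_ip` is now populated only when the token parses as an address would spare operators a mapping surprise. The `event.original` for this record lies outside the hunk, so the input line that produced the five-octet value cannot be confirmed here.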
@@ -888,7 +888,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -938,7 +938,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -988,7 +988,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1038,7 +1038,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1088,7 +1088,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1138,7 +1138,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1188,7 +1188,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1238,7 +1238,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1288,7 +1288,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1338,7 +1338,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1386,7 +1386,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1433,7 +1433,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -1483,7 +1483,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1533,7 +1533,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1583,7 +1583,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1633,7 +1633,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1683,7 +1683,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1733,7 +1733,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1783,7 +1783,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -1833,7 +1833,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -1883,7 +1883,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -1934,7 +1934,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -2038,7 +2038,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2089,7 +2089,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -2412,18 +2412,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.product": "asa", "observer.type": "firewall", @@ -2458,18 +2460,20 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "tcp", + "event.outcome": "failure", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info" + "info", + "denied" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.transport": "(no", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "outside", "observer.product": "asa", "observer.type": "firewall", @@ -2506,7 +2510,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -2769,7 +2773,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -2817,7 +2821,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2865,7 +2869,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2913,7 +2917,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2961,7 +2965,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3009,7 +3013,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3057,7 +3061,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ 
@@ -3105,7 +3109,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3156,7 +3160,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3208,7 +3212,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", "event.type": [ @@ -3258,7 +3262,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3311,7 +3315,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -3429,7 +3433,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3476,7 +3480,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3518,7 +3522,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3561,7 +3565,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 72b115c6975..ec51688f8f2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json 
@@ -74,7 +74,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -127,7 +127,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -177,7 +177,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -227,7 +227,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 70e87e332d9..f01960247b2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json 
@@ -4658,7 +4658,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4714,7 +4714,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4770,7 +4770,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4826,7 +4826,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4882,7 +4882,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -4938,7 +4938,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -4994,7 +4994,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5050,7 +5050,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5106,7 +5106,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5162,7 +5162,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -5218,7 +5218,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5274,7 +5274,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -5330,7 +5330,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 093665fca98..ffc81a2f737 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json 
@@ -59,7 +59,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -170,7 +170,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -279,7 +279,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -390,7 +390,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -500,7 +500,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -609,7 +609,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -721,7 +721,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -830,7 +830,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
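Review bot: In the `@@ -721` hunk the record carries `DNSResponseType: Non-Existent Domain` and the new side still sets `"event.outcome": "success"`; the same pairing appears with `Server Failure` in `@@ -940` and `@@ -1268`, `Query Refused` in `@@ -1163`, and `Non-Existent Domain` in `@@ -1378` and `@@ -1597`. That is consistent if the outcome is meant to mirror `AccessControlRuleAction: Allow` (the connection was permitted), but an analyst filtering on `event.outcome` alone will read an NXDOMAIN or SERVFAIL lookup as a successful resolution. Worth making that intent explicit next to the 430003 mapping in the pipeline, e.g. `# event.outcome mirrors the access-control verdict, not the DNS response code`, and, if the rcode is not already carried in `dns.response_code`, keeping it queryable there so the two signals are not conflated.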
@@ -940,7 +940,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1051,7 +1051,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1163,7 +1163,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1268,7 +1268,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1378,7 +1378,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1487,7 +1487,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1597,7 +1597,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1708,7 +1708,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1817,7 +1817,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -1926,7 +1926,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2035,7 +2035,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2142,7 +2142,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
@@ -2253,7 +2253,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
index cc0af87b551..3f384531b33 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -123,7 +123,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
index 592e7ae85e9..c1362e29b4d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -17,7 +17,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -66,7 +66,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -116,7 +116,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -165,7 +165,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -219,7 +219,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
@@ -305,7 +305,7 @@
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
 "cisco.ftd.connection_id": "89743274",
 "cisco.ftd.destination_interface": "outside",
- "cisco.ftd.mapped_destination_ip": "10.123.3.42",
+ "cisco.ftd.mapped_destination_host": "10.123.3.42.130",
 "cisco.ftd.mapped_destination_port": 12834,
 "cisco.ftd.mapped_source_ip": "192.0.2.43",
 "cisco.ftd.mapped_source_port": 443,
@@ -822,7 +822,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -871,7 +871,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
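Review bot: In the `@@ -305` hunk the value previously reported as `cisco.ftd.mapped_destination_ip` `10.123.3.42` now lands in `cisco.ftd.mapped_destination_host` as `10.123.3.42.130`, which is not an IPv4 address (five octets); the old expectation silently kept only the first four octets, so the new side is the honest one, but it also means the field name for this record depends on whether the token parses as an IP. Consumers that filter or alert on `cisco.ftd.mapped_destination_ip` will no longer see this event, so the `_ip`/`_host` split deserves a sentence in the module's field documentation or changelog, e.g. `mapped_destination_host is set instead of mapped_destination_ip when the mapped address does not parse as an IP`. The `event.original` for this record is outside the hunk, so I can only infer that the raw token was `10.123.3.42.130`.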
@@ -920,7 +920,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -969,7 +969,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1018,7 +1018,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1067,7 +1067,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1116,7 +1116,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1165,7 +1165,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1214,7 +1214,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1263,7 +1263,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1312,7 +1312,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1359,7 +1359,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1405,7 +1405,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1454,7 +1454,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1503,7 +1503,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1552,7 +1552,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1601,7 +1601,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1650,7 +1650,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1699,7 +1699,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1748,7 +1748,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1797,7 +1797,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1846,7 +1846,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -1896,7 +1896,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
- "event.outcome": "allow",
+ "event.outcome": "success",
 "event.severity": 5,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2002,7 +2002,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2056,7 +2056,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2393,18 +2393,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7504,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
 "observer.hostname": "127.0.0.1",
 "observer.product": "ftd",
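Review bot: In the `@@ -2393` hunk (and its twin `@@ -2442` in the next hunk group) the new side emits `"network.iana_number": 6` as a JSON number, while ECS defines `network.iana_number` as a keyword field; unless the module's field definition deliberately declares it numeric, the expectation should probably be the string `"6"`, so this is worth checking against the fields.yml before the fixture locks it in. The old side (`"event.outcome": "tcp"` and `"network.transport": "(no"`) shows the 106015 grok was consuming the `(no connection)` parenthetical as the transport token, so the pattern that now yields `tcp` presumably anchors on the protocol word; a short comment on that pattern in the pipeline naming 106015 as the message with the parenthetical would keep a later edit from reintroducing the regression. The `flags RST` token still maps to nothing on the new side, which is acceptable but worth stating as intentional in the same place.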
@@ -2442,18 +2444,20 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "tcp",
+ "event.outcome": "failure",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info"
+ "info",
+ "denied"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7651,
- "network.transport": "(no",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
 "observer.egress.interface.name": "outside",
 "observer.hostname": "127.0.0.1",
 "observer.product": "ftd",
@@ -2493,7 +2497,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 4,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2767,7 +2771,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2814,7 +2818,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2861,7 +2865,7 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
- "event.outcome": "deny",
+ "event.outcome": "failure",
 "event.severity": 2,
 "event.timezone": "-02:00",
 "event.type": [
@@ -2908,7 +2912,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -2955,7 +2959,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3002,7 +3006,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3049,7 +3053,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3096,7 +3100,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 2, "event.timezone": "-02:00", "event.type": [ @@ -3146,7 +3150,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ 
@@ -3197,7 +3201,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 3, "event.timezone": "-02:00", "event.type": [ @@ -3246,7 +3250,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3298,7 +3302,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3416,7 +3420,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 4, "event.timezone": "-02:00", "event.type": [ @@ -3462,7 +3466,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ 
@@ -3503,7 +3507,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ @@ -3545,7 +3549,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", - "event.outcome": "deny", + "event.outcome": "failure", "event.severity": 5, "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 6a38a072bfc..be1d11ad0af 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -42,7 +42,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -135,7 +135,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:05:33.000Z", "event.timezone": "-02:00", @@ -239,7 +239,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -348,7 +348,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:00.000Z", "event.timezone": "-02:00", @@ -449,7 +449,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -558,7 +558,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-15T16:07:18.000Z", "event.timezone": "-02:00", @@ -666,7 +666,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.timezone": "-02:00", "event.type": [ 
@@ -774,7 +774,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 1, "event.start": "2019-08-16T09:33:15.000Z", "event.timezone": "-02:00", @@ -874,7 +874,7 @@ "event.type": [ "connection", "start", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "firepower", @@ -974,7 +974,7 @@ "event.type": [ "connection", "end", - "denied" + "failure" ], "fileset.name": "ftd", "host.hostname": "siem-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index de4be40b0b5..b23b07b6ac2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
@@ -61,7 +61,7 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", - "event.outcome": "allow", + "event.outcome": "success", "event.severity": 0, "event.start": "2020-03-01T01:02:16.000Z", "event.timezone": "-02:00", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index 93b1c694ae6..b1d368c455c 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.124.51", - "10.15.44.253" + "10.15.44.253", + "10.193.124.51" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", 
@@ -131,8 +131,8 @@ "appliance" ], "related.ip": [ - "10.112.46.169", - "10.155.236.240" + "10.155.236.240", + "10.112.46.169" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -398,8 +398,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.72.17", - "10.74.237.180" + "10.74.237.180", + "10.163.72.17" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -569,8 +569,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.187.77.245", - "10.88.231.224" + "10.88.231.224", + "10.187.77.245" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -638,8 +638,8 @@ "appliance" ], "related.ip": [ - "10.219.84.37", - "10.205.47.51" + "10.205.47.51", + "10.219.84.37" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -753,8 +753,8 @@ "appliance" ], "related.ip": [ - "10.153.0.77", - "10.163.154.210" + "10.163.154.210", + "10.153.0.77" ], "rsa.counters.dclass_r1": "utlabor", "rsa.internal.messageid": "events", @@ -855,8 +855,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -993,8 +993,8 @@ "appliance" ], "related.ip": [ - "10.66.89.5", - "10.247.30.212" + "10.247.30.212", + "10.66.89.5" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1058,8 +1058,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", 
@@ -1097,8 +1097,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1178,8 +1178,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.0.200.27", - "10.183.44.198" + "10.183.44.198", + "10.0.200.27" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1216,8 +1216,8 @@ "appliance" ], "related.ip": [ - "10.28.144.180", - "10.148.124.84" + "10.148.124.84", + "10.28.144.180" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1257,8 +1257,8 @@ "appliance" ], "related.ip": [ - "10.204.230.166", - "10.98.194.212" + "10.98.194.212", + "10.204.230.166" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1534,8 +1534,8 @@ "appliance" ], "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1844,8 +1844,8 @@ "remips188.api.invalid" ], "related.ip": [ - "10.40.101.224", - "10.78.199.43" + "10.78.199.43", + "10.40.101.224" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1919,8 +1919,8 @@ "appliance" ], "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -2402,8 +2402,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2446,8 +2446,8 @@ "appliance" ], "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", 
@@ -2515,8 +2515,8 @@ "appliance" ], "related.ip": [ - "10.196.176.243", - "10.16.230.121" + "10.16.230.121", + "10.196.176.243" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2977,8 +2977,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.51.121.223", - "10.199.103.185" + "10.199.103.185", + "10.51.121.223" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -3075,8 +3075,8 @@ "appliance" ], "related.ip": [ - "10.121.37.244", - "10.113.152.241" + "10.113.152.241", + "10.121.37.244" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3117,8 +3117,8 @@ "appliance" ], "related.ip": [ - "10.247.118.132", - "10.254.96.130" + "10.254.96.130", + "10.247.118.132" ], "rsa.counters.dclass_r1": "ectet", "rsa.internal.messageid": "events", @@ -3299,8 +3299,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3426,8 +3426,8 @@ "appliance" ], "related.ip": [ - "10.75.122.111", - "10.85.59.172" + "10.85.59.172", + "10.75.122.111" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 72920d75a0e..6ed7863bf80 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -102,6 +102,7 @@ processors: }, }, ] + - date: if: "ctx.event.timezone != null" timezone: "{{ event.timezone }}" @@ -135,7 +136,6 @@ processors: }, }, ] - # # Set log.level # 
@@ -171,9 +171,10 @@ processors:
field: "log.level"
if: "ctx.event.severity == 7"
value: debug
- + # # Firewall messages + # # This set of messages is shared between FTD and ASA.
- set:
@@ -217,12 +218,12 @@ processors:
if: "ctx._temp_.cisco.message_id == '106014'"
field: "message"
patterns:
- - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?"
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?"
- grok:
if: "ctx._temp_.cisco.message_id == '106015'"
field: "message"
patterns:
- - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106016'"
field: "message"
@@ -326,7 +327,7 @@ processors:
- set:
if: "ctx._temp_.cisco.message_id == '304001'"
field: "event.outcome"
- value: allow
+ value: success
- dissect:
if: "ctx._temp_.cisco.message_id == '304002'"
field: "message"
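Review bot: The 106015 grok under `patterns:` for message_id '106015' still skips `(no connection)` with two anonymous `%{NOTSPACE}` tokens and stays unanchored, which is exactly how the old single-token version slid over and captured `tcp` as the outcome and `(no` as the transport in the previous expectations; matching the literal text is stricter and self-documenting: `- "^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} \\(no connection\\) from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}$"`. The 106014 replacement renders its new named group as `(?[^ (]*)` here; presumably the `<destination.address>` name was lost in rendering, but if the file really reads that way the Java regex engine will reject the pattern, so it is worth a glance. The `- set:` processor at the top of the first hunk continues outside it.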
@@ -534,11 +535,11 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '710003'"
field: "message"
- pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
- dissect:
if: "ctx._temp_.cisco.message_id == '710005'"
field: "message"
- pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
- dissect:
if: "ctx._temp_.cisco.message_id == '713049'"
field: "message"
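Review bot: The 710003 dissect now copies the raw vendor word (`denied`) into `event.outcome`, but unlike 710005, whose captured `discarded` is overwritten by a later `set` to `failure` elsewhere in this change, nothing visible pins 710003 to an ECS value, so it will carry `denied`, which is neither `success`, `failure` nor `unknown` and will not trigger the `denied` event.type added by the categorization script. Unless a normalization step outside this diff maps it, keep the literal in the pattern (`pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to …"`) and add `"710003"` to the list that sets `event.outcome: failure`. Capturing a token only to overwrite it, as 710005 now does, also hides the real mapping from the next reader.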
@@ -571,6 +572,86 @@ processors:
field: "_temp_.cisco.dap_records"
separator: ",\\s+"
ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434004'"
+ field: "message"
+ pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '110002'"
+ field: "message"
+ pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '419002'"
+ field: "message"
+ pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
+ - dissect:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750002'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713120'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713202'"
+ field: "message"
+ pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", 
"713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ # # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
@@ -583,14 +664,13 @@ processors:
field: "message"
if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
patterns:
- - Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}
- - Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}$
+ - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:%{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}$
pattern_definitions:
NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" - # # Decode FTD's Security Event Syslog Messages # @@ -607,7 +687,6 @@ processors: trim_key: " " trim_value: " " ignore_failure: true - # # Remove message. # @@ -618,7 +697,6 @@ processors: field: - message ignore_missing: true - # # Populate ECS fields from Security Events # @@ -1004,7 +1082,6 @@ processors: #******************************************************************************* # End of generated code. #******************************************************************************* - # # Normalize ECS field values # @@ -1019,7 +1096,6 @@ processors: "430003": connection-finished "430004": file-detected "430005": malware-detected - "dns.question.type": map: "a host address": A @@ -1031,14 +1107,12 @@ processors: "marks the start of a zone of authority": SOA "mail exchange": MX "server selection": SRV - "dns.response_code": map: "non-existent domain": NXDOMAIN "server failure": SERVFAIL "query refused": REFUSED "no error": NOERROR - source: | def getField(Map src, String[] path) { for (int i=0; i}" ignore_failure: true - # # Remove temporary fields # - remove: field: _temp_ ignore_missing: true - # # Rename some 7.x fields # @@ -1499,7 +1567,6 @@ processors: field: cisco.{< .internal_prefix >}.list_id target_field: cisco.{< .internal_prefix >}.rule_name ignore_missing: true - # ECS categorization - script: lang: painless 
@@ -1549,6 +1616,36 @@ processors:
- malware
type:
- info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
source: >-
if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
return;
@@ -1556,22 +1653,20 @@ processors:
ctx.event.kind = params.get(ctx.event.action).get('kind');
ctx.event.category = params.get(ctx.event.action).get('category').clone();
ctx.event.type = params.get(ctx.event.action).get('type').clone();
-
if (ctx?.event?.outcome == null) {
return;
}
if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
- if (ctx.event.outcome == 'allow') {
+ if (ctx.event.outcome == 'success') {
ctx.event.type.add('allowed');
}
- if (ctx.event.outcome == 'deny') {
+ if (ctx.event.outcome == 'failure') {
ctx.event.type.add('denied');
}
if (ctx.event.outcome == 'block') {
- ctx.event.type.add('denied');
+ ctx.event.type.add('failure');
}
}
-
# Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
- set:
field: observer.hostname
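Review bot: In the `block` branch of the categorization script, `ctx.event.type.add('failure')` pushes a value into `event.type` that is not an ECS event.type (the allowed set has `denied`, `allowed`, `error`, … but no `failure`), and the security-connection expectations in this same diff now carry `failure` next to `connection`/`start` as a result. The previous `ctx.event.type.add('denied');` was the right line; `failure` belongs in `event.outcome`, so if `block` is meant to be normalized it should become `ctx.event.outcome = 'failure'` together with the `denied` type. The new `error:` params entry carries `outcome: failure`, but the script only copies `kind`, `category` and `type` out of params, so that key is dead unless you add `if (params.get(ctx.event.action).containsKey('outcome')) { ctx.event.outcome = params.get(ctx.event.action).get('outcome'); }`. The `creation:` key will also never match the 602303 dissect, which yields `created` from "has been created." while `deleted:` does match 602304, so rename it to `created:` (or normalize the action) unless a mapping outside this view handles it. The script body continues beyond the hunk.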