[Filebeat] Improve ECS categorization field mappings in cisco module (e…

…lastic#18537) * Improve ECS categorization field mappings in cisco module - asa + explicitly set ECS version + event.kind + event.category + event.type + related.hash + related.ip + related.user - ftd + explicitly set ECS version + event.kind + event.category + event.type + related.hash + related.ip + related.user - ios + explicitly set ECS version + event.kind + event.category + event.type Closes elastic#16028 Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
leehinman · Jun 4, 2020 · f1139f2 · f1139f2
1 parent bca9619
commit f1139f2
Show file tree

Hide file tree

Showing 26 changed files with 4,862 additions and 77 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -370,8 +370,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095]
 - Improve ECS categorization field mappings in envoyproxy module. {issue}16161[16161] {pull}18395[18395]
 - Improve ECS categorization field mappings in coredns module. {issue}16159[16159] {pull}18424[18424]
+- Improve ECS categorization field mappings in cisco module. {issue}16028[16028] {pull}18537[18537]
 - The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764]
 
+
 *Heartbeat*
 
 - Allow a list of status codes for HTTP checks. {pull}15587[15587]

diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -20,3 +20,7 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_locale: ~
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -9,15 +9,23 @@
         "destination.ip": "10.233.123.123",
         "destination.port": 53,
         "event.action": "flow-expiration",
+        "event.category": [
+            "network"
+        ],
         "event.code": 302016,
         "event.dataset": "cisco.asa",
         "event.duration": 0,
         "event.end": "2020-04-17T14:08:08.000-02:00",
+        "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
         "event.severity": 6,
         "event.start": "2020-04-17T16:08:08.000Z",
         "event.timezone": "-02:00",
+        "event.type": [
+            "connection",
+            "end"
+        ],
         "fileset.name": "asa",
         "host.hostname": "SNL-ASA-VPN-A01",
         "input.type": "log",
@@ -26,6 +34,10 @@
         "network.bytes": 148,
         "network.iana_number": 17,
         "network.transport": "udp",
+        "related.ip": [
+            "10.123.123.123",
+            "10.233.123.123"
+        ],
         "service.type": "cisco",
         "source.address": "10.123.123.123",
         "source.ip": "10.123.123.123",
@@ -43,20 +55,32 @@
         "destination.address": "10.123.123.123",
         "destination.ip": "10.123.123.123",
         "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
         "event.code": 106023,
         "event.dataset": "cisco.asa",
+        "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
         "event.outcome": "deny",
         "event.severity": 4,
         "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied"
+        ],
         "fileset.name": "asa",
         "host.hostname": "SNL-ASA-VPN-A01",
         "input.type": "log",
         "log.level": "warning",
         "log.offset": 200,
         "network.iana_number": 1,
         "network.transport": "icmp",
+        "related.ip": [
+            "10.123.123.123",
+            "10.123.123.123"
+        ],
         "service.type": "cisco",
         "source.address": "10.123.123.123",
         "source.ip": "10.123.123.123",
@@ -74,19 +98,31 @@
         "destination.ip": "10.123.123.123",
         "destination.port": 53,
         "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
         "event.code": 106023,
         "event.dataset": "cisco.asa",
+        "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
         "event.outcome": "deny",
         "event.severity": 4,
         "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied"
+        ],
         "fileset.name": "asa",
         "input.type": "log",
         "log.level": "warning",
         "log.offset": 381,
         "network.iana_number": 6,
         "network.transport": "tcp",
+        "related.ip": [
+            "10.123.123.123",
+            "10.123.123.123"
+        ],
         "service.type": "cisco",
         "source.address": "10.123.123.123",
         "source.ip": "10.123.123.123",
@@ -106,20 +142,32 @@
         "destination.ip": "10.123.123.123",
         "destination.port": 57621,
         "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
         "event.code": 106023,
         "event.dataset": "cisco.asa",
+        "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
         "event.outcome": "deny",
         "event.severity": 4,
         "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied"
+        ],
         "fileset.name": "asa",
         "host.hostname": "SNL-ASA-VPN-A01",
         "input.type": "log",
         "log.level": "warning",
         "log.offset": 545,
         "network.iana_number": 17,
         "network.transport": "udp",
+        "related.ip": [
+            "10.123.123.123",
+            "10.123.123.123"
+        ],
         "service.type": "cisco",
         "source.address": "10.123.123.123",
         "source.ip": "10.123.123.123",
@@ -134,18 +182,30 @@
         "destination.address": "10.123.123.123",
         "destination.ip": "10.123.123.123",
         "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
         "event.code": 106017,
         "event.dataset": "cisco.asa",
+        "event.kind": "event",
         "event.module": "cisco",
         "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
         "event.outcome": "deny",
         "event.severity": 2,
         "event.timezone": "-02:00",
+        "event.type": [
+            "info",
+            "denied"
+        ],
         "fileset.name": "asa",
         "host.hostname": "SNL-ASA-VPN-A01",
         "input.type": "log",
         "log.level": "critical",
         "log.offset": 734,
+        "related.ip": [
+            "10.123.123.123",
+            "10.123.123.123"
+        ],
         "service.type": "cisco",
         "source.address": "10.123.123.123",
         "source.ip": "10.123.123.123",