From b65f0a442223ff3eb3c0de0edb52a6e8cd6be9b4 Mon Sep 17 00:00:00 2001 From: MarcusCaepio <7324088+MarcusCaepio@users.noreply.github.com> Date: Fri, 21 Feb 2020 18:32:35 +0100 Subject: [PATCH 1/5] Pattern for Cisco Message 734001. Fixes #16212 The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 40 +++++++++++++++++++ .../module/cisco/asa/_meta/fields.yml | 10 +++++ .../cisco/asa/test/dap_records-expected.json | 18 +++++++++ .../module/cisco/asa/test/dap_records.log | 1 + x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 10 +++++ .../cisco/shared/ingest/asa-ftd-pipeline.yml | 7 ++++ 8 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json create mode 100644 x-pack/filebeat/module/cisco/asa/test/dap_records.log diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0f7189d751ea..1163f4f53339 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -189,6 +189,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637] - Add Filebeat Okta module. {pull}16362[16362] - Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907] +- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] *Heartbeat* 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d83c81842d15..3633a06455b5 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5476,6 +5476,26 @@ type: short -- +*`cisco.asa.connection_type`*:: ++ +-- +The VPN connection type + + +type: keyword + +-- + +*`cisco.asa.dap_records`*:: ++ +-- +The assigned DAP records + + +type: keyword + +-- + [float] === ftd @@ -5654,6 +5674,26 @@ type: object -- +*`cisco.ftd.connection_type`*:: ++ +-- +The VPN connection type + + +type: keyword + +-- + +*`cisco.ftd.dap_records`*:: ++ +-- +The assigned DAP records + + +type: keyword + +-- + [float] === ios diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index e5ada6df4410..6e0b2b3376cd 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -85,3 +85,13 @@ type: short description: > ICMP code. + + - name: connection_type + type: keyword + description: > + The VPN connection type + + - name: dap_records + type: keyword + description: > + The assigned DAP records diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json new file mode 100644 index 000000000000..c54cf083bdac --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json @@ -0,0 +1,18 @@ +{ + "source": { + "ip": "1.2.3.4" + }, + "user": { + "email": "firstname.lastname@domain.net" + }, + "cisco": { + "connection_type": "AnyConnect", + "dap_records": [ + "dap_1", + "dap_2" + ], + "asa": { + "message_id": "734001" + } + } +} diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log b/x-pack/filebeat/module/cisco/asa/test/dap_records.log new file mode 100644 index 000000000000..a02a1136b19d --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log 
@@ -0,0 +1 @@ +Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2 diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 568f33c53bba..f7ee3563027b 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index 8571cd8dbfb0..d22b5715e8dd 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -90,3 +90,13 @@ type: object description: Raw fields for Security Events. + + - name: connection_type + type: keyword + description: > + The VPN connection type + + - name: dap_records + type: keyword + description: > + The assigned DAP records diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 75009ac95d5a..806638db4076 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -420,6 +420,13 @@ processors: if: "ctx._temp_.cisco.message_id == '338301'" field: "server.port" value: "{{source.port}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}" + - split: + field: "cisco.dap_records" + separator: ",\\s+" # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") From 5e018284d455130cca0f16fc9e08b2a7e5947ef3 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 3 Mar 2020 09:37:37 +0100 Subject: [PATCH 2/5] fixes --- .../asa/test/dap_records.log-expected.json | 35 +++++++++++++++++++ .../cisco/shared/ingest/asa-ftd-pipeline.yml | 5 +-- 2 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json new file mode 100644 index 000000000000..998044932f0c --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json 
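Review bot: The `User` token of message 734001 is dissected straight into `user.email`, but on ASA/FTD that token is whatever identifier the VPN user authenticated with; it is an e-mail only in deployments like the one in the test log, and a plain login such as `jdoe` would then be stored in an ECS field that is documented and mapped as an e-mail address, which hurts correlation with the `user.name` values the other ASA patterns in this pipeline produce. I would dissect into `%{user.name}` and, if the e-mail is wanted too, set `user.email` in a later processor only when the value contains `@`; the same mapping is kept in the patch-2 revision of this hunk. The `dissect` also has neither `ignore_failure` nor `on_failure`, so a 734001 line whose text deviates from this exact pattern fails the whole event unless a pipeline-level `on_failure` exists outside the hunk, which I cannot see from here. The enclosing `processors:` list begins and ends outside the hunk.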
@@ -0,0 +1,35 @@ +[ + { + "cisco.asa.connection_type": "AnyConnect", + "cisco.asa.dap_records": [ + "dap_1", + "dap_2" + ], + "cisco.asa.message_id": "734001", + "event.action": "firewall-rule", + "event.code": 734001, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", + "event.severity": 6, + "event.timezone": "-02:00", + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "service.type": "cisco", + "source.address": "1.2.3.4", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "tags": [ + "cisco-asa" + ], + "user.email": "firsname.lastname@domain.net" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 806638db4076..9dfc96d77e8b 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -423,10 +423,11 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" - pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - split: - field: "cisco.dap_records" + field: "_temp_.cisco.dap_records" separator: ",\\s+" + ignore_missing: true # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") From 2ff940865dcb0d8e8c84c28f038a05d414f22c3b Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 4 Mar 2020 18:01:44 +0100 Subject: [PATCH 3/5] Set default_field: false --- x-pack/filebeat/module/cisco/asa/_meta/fields.yml | 2 ++ x-pack/filebeat/module/cisco/fields.go | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 6e0b2b3376cd..2cf9a5a5afd6 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -88,10 +88,12 @@ - name: connection_type type: keyword + default_field: false description: > The VPN connection type - name: dap_records + default_field: false type: keyword description: > The assigned DAP records diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index f7ee3563027b..78696ba2e467 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "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" } 
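Review bot: The `split` processor runs on every event because, unlike the `dissect` above it, it carries no `if:` condition; the new `ignore_missing: true` only hides that by skipping events where `_temp_.cisco.dap_records` is absent. Guarding it with the same `if: "ctx._temp_.cisco.message_id == '734001'"` states the intent explicitly and keeps the processor from touching a `_temp_.cisco.dap_records` value that any other pattern might set. The values now land under `_temp_.cisco.*`, so presumably a processor outside this hunk renames them to `cisco.asa.*` / `cisco.ftd.*`, as the patch-2 expected output suggests; if so, a comment above the dissect such as `# 734001 (DAP): staged under _temp_.cisco.* for the fileset-specific rename` would save the next reader the search. The enclosing `processors:` list begins and ends outside the hunk.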
From fbc6dc5c2a7e5066decac126f1e7abbbd0655c02 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 19 Mar 2020 10:38:52 +0100 Subject: [PATCH 4/5] Missing bits --- CHANGELOG.next.asciidoc | 2 +- x-pack/filebeat/module/cisco/fields.go | 2 +- x-pack/filebeat/module/cisco/ftd/_meta/fields.yml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1163f4f53339..728dea2728b0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -189,7 +189,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637] - Add Filebeat Okta module. {pull}16362[16362] - Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907] -- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] +- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612] *Heartbeat* diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 78696ba2e467..cee10776bcc7 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "eJzsmcFu4zYQhu95irkUaAHHvftQwHASIECTGPVugZ6MCTm0uKFIlRzZ67cvSMm2LCiOjCiLbGEdgpiS5v84JIc/oWt4oe0EhA7CXQGwZkMTmNU/JQXhdcHa2Qn8cQUA8OBkaQiU85ChlUbbVfU4WOKN8y8gaa0FgXGrML4CUJqMDJP08jVYzOkgFy/eFjSBlXdlUbd0qMbrLgUC5V1eK+4k4tWUaUphwH1bl9gJwaao87XmdDGFO+1pg8aMG4+29Q8EOYWAK1pqeRS5Qnmh7cb54zsncAC+ZNQgqWODlmRZK03+wNSBEkql9PeeGPQd8yLOhkAhaGf7Mz6ldjS1HqBi8vBLBO4L6kovaKktk1coaIjMLVJM2MdMg8oZgTJuA84DrcnySSxJgbXFGH9YtptD4HcB+tLQMv47BNQj5gROJYSpEBQCzJxl7wz8qQMnMeAMGXJkkZEEznToQVmPbhnIfwRrjFtx6ZAaKr06nb0ImwP9wzAbouew5lgUJJe7JVN0cLYa3yww7NEGg0xyl7v7OaCUnkI4g6VwnjtojLOr9/LE0H1IjlbswKlpjtd5+WlSfUSSmmRvZoozT8hLQ2syw+xQMR6keGke52g26Al+h2fHljiSKqXFGJ5sWg1r8ttr4zYjiH9a4XInySPTCDK9ymIZTI/HH326JZBp5fx2iJ7N6lj7wvx6z+5iud5toGvtyzCqn2n3j737hnYExOJkf4SzlkQ1kQdxEl+t/rdsWofULUy7zUkSLfJiGUU7KELWns4nGe5nD/P05tuCwsmhBGOovrl+pZ/d2VZYGl4mKzgBhSbQeUv47/ljQxuOtLt2KSyWnoTzMpwH8g7viSHolSUJN9M5tMV3YIrloKY7Gu7CbcjvissNKbKBPokTv/ty83M58Qh8ceIXJ35x4j+1E4evgeB2tqhvjS3yWBefyKB3AX5i577Hbdw/I6k/3NW/ynvx/BfPf/H8R4Jvev5AovSauyaNe/5G4nXBltxfuKk9aEruoo4Lt3H/CE2n+v87eXwkYq+Th3Zh0JPH/dPi6DMDnDxgYPJmS6NDV/F/l0eJ21Tl/GL0kzNZodCmeyafPF0sbmfnjchOCNjBJtMiqwpkfRLypMgH+FUdyuIIFo8P8xEs/lmMAG00C62wynnOfhvD9BBcoIVnAoQMvUylt/rCNAKEwjt2wpkRpDKWVx+nnGrX22g9t4Eph+AUxyBjuGeQZB3TkTWtq7zAMuxzX73a3qOqbo6v/gsAAP//XBVT9g==" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index d22b5715e8dd..e1356d78886f 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -93,10 +93,12 @@ - name: connection_type type: keyword + default_field: false description: > The VPN connection type - name: dap_records type: keyword + default_field: false description: > The assigned DAP records 
From 5a87a2220436fb4b13e42b32b616e6e6513dd6c5 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Thu, 19 Mar 2020 10:54:02 +0100 Subject: [PATCH 5/5] Remove unneeded file --- .../cisco/asa/test/dap_records-expected.json | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json deleted file mode 100644 index c54cf083bdac..000000000000 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records-expected.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "source": { - "ip": "1.2.3.4" - }, - "user": { - "email": "firstname.lastname@domain.net" - }, - "cisco": { - "connection_type": "AnyConnect", - "dap_records": [ - "dap_1", - "dap_2" - ], - "asa": { - "message_id": "734001" - } - } -}