From 3e2047f2748f23041aae7625f2474552c8d09da8 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Thu, 12 Mar 2020 09:46:05 -0400 Subject: [PATCH 1/3] [Filebeat] Cisco FTD issues parsing Security Event messages (#16889) * Fix grok and kv split bugs * Fix optional whitespace for field name separator (cherry picked from commit 912eac4e13bb676ec3ec1a46a96b1334c7329516) --- .../firepower-management.log-expected.json | 116 +- .../ftd/test/intrusion.log-expected.json | 28 +- .../cisco/ftd/test/security-malware-site.log | 1 + .../security-malware-site.log-expected.json | 96 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 2439 +++++++++-------- 5 files changed, 1404 insertions(+), 1276 deletions(-) create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index ddee56c903ca..8e55a34e1a45 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -3,14 +3,14 @@ "@timestamp": "2019-08-14T13:56:30.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 0, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
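Review bot: The expected document in this hunk (and the sibling hunks of this file down to `@@ -597,14 +597,14 @@`) no longer asserts any field carrying the host that emitted the audit event: the old `event.original` began with `siem-management: `, `host.hostname` is removed, and no `host.*` line is added in its place. The new `PROCESS_HOST` pattern later in this patch writes that token to `host.name`, which I believe the module test harness drops before comparing, so the fixture cannot catch a regression in host attribution; `host.name` is also the field Beats fills with the shipping agent, so a log-reported name silently replaces the collector's identity, whereas `host.hostname` kept the two apart. Separately, ECS describes `event.original` as the unmodified raw event and this fixture now pins a value that is trimmed further than before; either assert the full raw line or document that this module stores only the post-header remainder.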
@@ -21,14 +21,14 @@ "@timestamp": "2019-08-14T13:57:19.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 194, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -39,14 +39,14 @@ "@timestamp": "2019-08-14T13:57:26.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "ChangeReconciliation.cgi", "input.type": "log", "log.level": "debug", "log.offset": 386, + "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -57,14 +57,14 @@ "@timestamp": "2019-08-14T13:57:34.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 568, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -75,7 +75,7 @@ "@timestamp": "2019-08-14T13:57:43.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -93,7 +93,7 @@ "@timestamp": "2019-08-14T13:58:02.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", 
@@ -111,7 +111,7 @@ "@timestamp": "2019-08-14T13:58:02.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -129,7 +129,7 @@ "@timestamp": "2019-08-14T13:58:20.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -147,7 +147,7 @@ "@timestamp": "2019-08-14T13:58:41.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Device Management, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -165,14 +165,14 @@ "@timestamp": "2019-08-14T13:58:47.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Interfaces, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Device Management > NGFW Interfaces, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 1440, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -183,7 +183,7 @@ "@timestamp": "2019-08-14T13:58:52.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -201,7 +201,7 @@ "@timestamp": "2019-08-14T13:58:54.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -219,14 +219,14 @@ "@timestamp": "2019-08-14T13:59:10.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 1867, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -237,14 +237,14 @@ "@timestamp": "2019-08-14T13:59:15.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 1984, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -255,14 +255,14 @@ "@timestamp": "2019-08-14T14:00:37.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2128, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -273,14 +273,14 @@ "@timestamp": "2019-08-14T14:00:37.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2285, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -291,14 +291,14 @@ "@timestamp": "2019-08-14T14:00:37.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2436, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -309,14 +309,14 @@ "@timestamp": "2019-08-14T14:01:12.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2580, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -327,14 +327,14 @@ "@timestamp": "2019-08-14T14:01:12.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2737, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -345,14 +345,14 @@ "@timestamp": "2019-08-14T14:01:13.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 2888, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -363,14 +363,14 @@ "@timestamp": "2019-08-14T14:01:20.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 3032, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -381,14 +381,14 @@ "@timestamp": "2019-08-14T14:01:31.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "ActionQueueScrape.pl", "input.type": "log", "log.level": "debug", "log.offset": 3143, + "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -399,14 +399,14 @@ "@timestamp": "2019-08-14T14:01:31.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", + "event.original": "admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "ActionQueueScrape.pl", "input.type": "log", "log.level": "debug", "log.offset": 3267, + "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -417,14 +417,14 @@ "@timestamp": "2019-08-14T14:01:35.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "ActionQueueScrape.pl", "input.type": "log", "log.level": "debug", "log.offset": 3440, + "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -435,14 +435,14 @@ "@timestamp": "2019-08-14T14:01:36.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", + "event.original": "admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "ActionQueueScrape.pl", "input.type": "log", "log.level": "debug", "log.offset": 3564, + "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -453,7 +453,7 @@ "@timestamp": "2019-08-14T14:01:55.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -471,14 +471,14 @@ "@timestamp": "2019-08-14T14:01:56.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", + "event.original": "admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 3874, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -489,14 +489,14 @@ "@timestamp": "2019-08-14T14:01:57.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.original": "csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "sfdccsm", "input.type": "log", "log.level": "debug", "log.offset": 4002, + "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -507,7 +507,7 @@ "@timestamp": "2019-08-14T14:02:03.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -525,14 +525,14 @@ "@timestamp": "2019-08-14T14:02:11.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Audit, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Monitoring > Audit, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "index.cgi", "input.type": "log", "log.level": "debug", "log.offset": 4238, + "process.name": "index.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -543,7 +543,7 @@ "@timestamp": "2019-08-14T14:02:19.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", @@ -561,14 +561,14 @@ "@timestamp": "2019-08-14T14:02:31.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 4492, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ @@ -579,14 +579,14 @@ "@timestamp": "2019-08-14T14:02:38.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 4686, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "tags": [ 
@@ -597,14 +597,14 @@ "@timestamp": "2019-08-14T14:02:38.000-02:00", "event.dataset": "cisco.ftd", "event.module": "cisco", - "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled", + "event.original": "admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled", "event.severity": 7, "event.timezone": "-02:00", "fileset.name": "ftd", - "host.hostname": "platformSettingEdit.cgi", "input.type": "log", "log.level": "debug", "log.offset": 4870, + "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, "syslog.priority": 2, diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index c91abb64be9c..0f75bd8cea8b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -25,6 +25,7 @@ "cisco.ftd.security.protocol": "tcp", "cisco.ftd.security.revision": "12", "cisco.ftd.security.sid": "17279", + "cisco.ftd.security.src_ip": "10.0.1.20", "cisco.ftd.security.src_port": "55644", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", 
@@ -36,12 +37,12 @@ "event.dataset": "cisco.ftd", "event.module": "cisco", "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "event.severity": 7, + "event.severity": 0, "event.timezone": "-02:00", "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", - "log.level": "debug", + "log.level": "unknown", "log.offset": 0, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", @@ -50,6 +51,8 @@ "network.transport": "tcp", "service.id": "1", "service.type": "cisco", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", "source.port": 55644, "tags": [ "cisco-ftd" @@ -83,6 +86,7 @@ "cisco.ftd.security.protocol": "tcp", "cisco.ftd.security.revision": "12", "cisco.ftd.security.sid": "17279", + "cisco.ftd.security.src_ip": "10.0.1.20", "cisco.ftd.security.src_port": "55868", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", 
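Review bot: This fixture now pins `"log.level": "unknown"` for a message whose header is `%FTD-0-430001`, i.e. `event.severity` 0; in Cisco's syslog numbering 0 is the highest level (emergencies), so a level table with no entry for 0 files the most severe messages under `unknown`, where triage rules keyed on `log.level` will not look. The mapping itself is outside these hunks, so I cannot tell whether this is deliberate for FTD security events or a gap; if deliberate, a one-line comment beside the table should say so, and if not, 0 should map to `emergency`. The same expectation recurs in the `@@ -94,12 +98,12 @@`, `@@ -150,18 +157,20 @@` and `@@ -204,18 +214,20 @@` hunks and in the new security-malware-site fixture.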
@@ -94,12 +98,12 @@ "event.dataset": "cisco.ftd", "event.module": "cisco", "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "event.severity": 7, + "event.severity": 0, "event.timezone": "-02:00", "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", - "log.level": "debug", + "log.level": "unknown", "log.offset": 587, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", @@ -108,6 +112,8 @@ "network.transport": "tcp", "service.id": "1", "service.type": "cisco", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", "source.port": 55868, "tags": [ "cisco-ftd" @@ -139,6 +145,7 @@ "cisco.ftd.security.protocol": "tcp", "cisco.ftd.security.revision": "6", "cisco.ftd.security.sid": "13360", + "cisco.ftd.security.src_ip": "10.0.100.30", "cisco.ftd.security.src_port": "21", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "outside", 
@@ -150,18 +157,20 @@ "event.dataset": "cisco.ftd", "event.module": "cisco", "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "event.severity": 7, + "event.severity": 0, "event.timezone": "-02:00", "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", - "log.level": "debug", + "log.level": "unknown", "log.offset": 1174, "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", "service.id": "1", "service.type": "cisco", + "source.address": "10.0.100.30", + "source.ip": "10.0.100.30", "source.port": 21, "tags": [ "cisco-ftd" @@ -193,6 +202,7 @@ "cisco.ftd.security.protocol": "6", "cisco.ftd.security.revision": "6", "cisco.ftd.security.sid": "13360", + "cisco.ftd.security.src_ip": "10.0.100.30", "cisco.ftd.security.src_port": "21", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "outside", 
@@ -204,18 +214,20 @@ "event.dataset": "cisco.ftd", "event.module": "cisco", "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", - "event.severity": 7, + "event.severity": 0, "event.timezone": "-02:00", "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", - "log.level": "debug", + "log.level": "unknown", "log.offset": 1662, "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", "service.id": "1", "service.type": "cisco", + "source.address": "10.0.100.30", + "source.ip": "10.0.100.30", "source.port": 21, "tags": [ "cisco-ftd" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log new file mode 100644 index 000000000000..3caf6780a5c8 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log 
@@ -0,0 +1 @@ +2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json new file mode 100644 index 000000000000..9be3704d4623 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
@@ -0,0 +1,96 @@ +[ + { + "@timestamp": "2020-02-29T23:02:36.000-02:00", + "cisco.ftd.destination_interface": "s1p2", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "COOL-POLICY-3D", + "Inside DMZ-Rule-Inline" + ], + "cisco.ftd.security.ac_policy": "COOL-POLICY-3D", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Inside DMZ-Rule-Inline", + "cisco.ftd.security.access_control_rule_reason": "IP Monitor", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "Chrome", + "cisco.ftd.security.client_version": "80.0.3987.87", + "cisco.ftd.security.connection_duration": "20", + "cisco.ftd.security.dst_ip": "2.2.2.2", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "s1p2", + "cisco.ftd.security.egress_zone": "Inside-DMZ-Interface-Inline", + "cisco.ftd.security.http_referer": "http://eyedropper-color-pick.info/mk?c=1581483445764", + "cisco.ftd.security.ingress_interface": "s1p1", + "cisco.ftd.security.ingress_zone": "Inside-DMZ-Interface-Inline", + "cisco.ftd.security.initiator_bytes": "729", + "cisco.ftd.security.initiator_packets": "4", + "cisco.ftd.security.ip_reputation_si_category": "Malware", + "cisco.ftd.security.nap_policy": "State-Backbone", + "cisco.ftd.security.prefilter_policy": "Unknown", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.referenced_host": "eyedropper-color-pick.info", + "cisco.ftd.security.responder_bytes": "246", + "cisco.ftd.security.responder_packets": "4", + "cisco.ftd.security.sec_int_matching_ip": "Destination", + "cisco.ftd.security.src_ip": "3.3.3.3", + "cisco.ftd.security.src_port": "65090", + "cisco.ftd.security.url": "http://bad-malwaresite-grr.info/favicon.ico", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.security.user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36", + 
"cisco.ftd.source_interface": "s1p1", + "destination.address": "2.2.2.2", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.bytes": 246, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "2.2.2.2", + "destination.packets": 4, + "destination.port": 80, + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 20000000000, + "event.end": "2020-02-29T23:02:36.000-02:00", + "event.module": "cisco", + "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", + "event.outcome": "allow", + "event.severity": 0, + "event.start": "2020-03-01T01:02:16.000Z", + "event.timezone": "-02:00", + "fileset.name": "ftd", + "host.hostname": "CISCO-SENSOR-3D", + "http.request.referrer": "http://eyedropper-color-pick.info/mk?c=1581483445764", + "input.type": "log", 
+ "log.level": "unknown", + "log.offset": 0, + "network.application": "chrome", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "process.name": "Alerts", + "service.type": "cisco", + "source.address": "3.3.3.3", + "source.bytes": 729, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.6348, + "source.geo.location.lon": -122.3451, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "3.3.3.3", + "source.packets": 4, + "source.port": 65090, + "tags": [ + "cisco-ftd" + ], + "url.domain": "eyedropper-color-pick.info", + "url.original": "http://bad-malwaresite-grr.info/favicon.ico", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index c9b53e0a7163..75009ac95d5a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -1,1253 +1,1272 @@
 description: "Pipeline for Cisco {< .internal_PREFIX >} logs"
 processors:
+ #
+ # Parse the syslog header
+ #
+ # This populates the host.hostname, process.name, timestamp and other fields
+ # from the header and stores the message contents in log.original.
+ - grok:
+ field: message
+ patterns:
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}"
+ pattern_definitions:
+ SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
+ SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+ # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
+ FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
+ ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
+ PROCESS: "(?:[^%\\s:\\[]+)"
+ SYSLOG_END: "(?:(:|\\s)\\s+)"
+ # exactly match the syntax for firepower management logs
+ PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})"
+ HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?"
-#
-# Parse the syslog header
-#
-# This populates the host.hostname, process.name, timestamp and other fields
-# from the header and stores the message contents in log.original.
- - grok:
- field: message
- patterns:
- - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}"
- pattern_definitions:
- SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date})?(?:\\s+%{SYSLOGHOST:host.hostname})?(?: %{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?(?:{DATA})?%{SYSLOG_END}"
- SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
- # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
- FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
- ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
- PROCESS: "(?:[^\\s:\\[]+)"
- SYSLOG_END: "(?::|\\s\\s+)"
+ #
+ # Parse FTD/ASA style message
+ #
+ # This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
+ - grok:
+ field: log.original
+ patterns:
+ - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
+ # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
+ - "%{GREEDYDATA:message}"
+ pattern_definitions:
+ FTD_SUFFIX: "[^0-9-]+"
+ # Before version 6.3, FTD used ASA prefix in syslog messages
+ FTD_PREFIX: "%{DATA}%(?:[A-Z]+)"
-#
-# Parse FTD/ASA style message
-#
-# This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
- - grok:
- field: log.original
- patterns:
- - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
- # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
- - "%{GREEDYDATA:message}"
- pattern_definitions:
- FTD_SUFFIX: "[^0-9-]+"
- # Before version 6.3, FTD used ASA prefix in syslog messages
- FTD_PREFIX: "%{DATA}%(?:FTD|ASA)"
+ #
+ # Create missing fields when no %FTD label is present
+ #
+ # message_id is needed in order for some processors below to work.
+ - set:
+ field: _temp_.cisco.message_id
+ value: ""
+ if: "ctx?._temp_?.cisco?.message_id == null"
-#
-# Create missing fields when no %FTD label is present
-#
-# message_id is needed in order for some processors below to work.
- - set:
- field: _temp_.cisco.message_id
- value: ''
- if: "ctx?._temp_?.cisco?.message_id == null"
+ #
+ # set default event.severity to 7 (debug):
+ #
+ # This value is read from the EMBLEM header and won't be present if this is not
+ # an emblem message (firewalls can be configured to report other kinds of events)
+ # This has no effect unless var.log_level is above 7 (default) to filter some
+ # messages.
+ - set:
+ field: event.severity
+ value: 7
+ if: "ctx?.event?.severity == null"
-#
-# set default event.severity to 7 (debug):
-#
-# This value is read from the EMBLEM header and won't be present if this is not
-# an emblem message (firewalls can be configured to report other kinds of events)
-# This has no effect unless var.log_level is above 7 (default) to filter some
-# messages.
- - set:
- field: event.severity
- value: 7
- if: "ctx?.event?.severity == null"
+ #
+ # Drop messages above configured log_level
+ #
+ - drop:
+ if: "ctx.event.severity > {< .log_level >}"
-#
-# Drop messages above configured log_level
-#
- - drop:
- if: "ctx.event.severity > {< .log_level >}"
+ #
+ # Parse the date included in FTD logs
+ #
+ - date:
+ if: "ctx.event.timezone == null"
+ field: "_temp_.raw_date"
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ - "MMM d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ [
+ {
+ "append":
+ {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}",
+ },
+ },
+ ]
+ - date:
+ if: "ctx.event.timezone != null"
+ timezone: "{{ event.timezone }}"
+ field: "_temp_.raw_date"
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ - "MMM 
d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ [
+ {
+ "append":
+ {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}",
+ },
+ },
+ ]
-#
-# Parse the date included in FTD logs
-#
- - date:
- if: "ctx.event.timezone == null"
- field: "_temp_.raw_date"
- target_field: "@timestamp"
- formats:
- - "ISO8601"
- - "MMM d HH:mm:ss"
- - "MMM dd HH:mm:ss"
- - "EEE MMM d HH:mm:ss"
- - "EEE MMM dd HH:mm:ss"
- - "MMM d HH:mm:ss z"
- - "MMM dd HH:mm:ss z"
- - "EEE MMM d HH:mm:ss z"
- - "EEE MMM dd HH:mm:ss z"
- - "MMM d yyyy HH:mm:ss"
- - "MMM dd yyyy HH:mm:ss"
- - "EEE MMM d yyyy HH:mm:ss"
- - "EEE MMM dd yyyy HH:mm:ss"
- - "MMM d yyyy HH:mm:ss z"
- - "MMM dd yyyy HH:mm:ss z"
- - "EEE MMM d yyyy HH:mm:ss z"
- - "EEE MMM dd yyyy HH:mm:ss z"
- on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
- - date:
- if: "ctx.event.timezone != null"
- timezone: "{{ event.timezone }}"
- field: "_temp_.raw_date"
- target_field: "@timestamp"
- formats:
- - "ISO8601"
- - "MMM d HH:mm:ss"
- - "MMM dd HH:mm:ss"
- - "EEE MMM d HH:mm:ss"
- - "EEE MMM dd HH:mm:ss"
- - "MMM d HH:mm:ss z"
- - "MMM dd HH:mm:ss z"
- - "EEE MMM d HH:mm:ss z"
- - "EEE MMM dd HH:mm:ss z"
- - "MMM d yyyy HH:mm:ss"
- - "MMM dd yyyy HH:mm:ss"
- - "EEE MMM d yyyy HH:mm:ss"
- - "EEE MMM dd yyyy HH:mm:ss"
- - "MMM d yyyy HH:mm:ss z"
- - "MMM dd yyyy HH:mm:ss z"
- - "EEE MMM d yyyy HH:mm:ss z"
- - "EEE MMM dd yyyy HH:mm:ss z"
- on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ #
+ # Set log.level
+ #
+ - set:
+ field: 
"log.level"
+ if: "ctx.event.severity == 0"
+ value: unknown
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 1"
+ value: alert
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 2"
+ value: critical
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 3"
+ value: error
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 4"
+ value: warning
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 5"
+ value: notification
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 6"
+ value: informational
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 7"
+ value: debug
-#
-# Set log.level
-#
- - set:
- field: "log.level"
- if: "ctx.event.severity == 0"
- value: unknown
- - set:
- field: "log.level"
- if: "ctx.event.severity == 1"
- value: alert
- - set:
- field: "log.level"
- if: "ctx.event.severity == 2"
- value: critical
- - set:
- field: "log.level"
- if: "ctx.event.severity == 3"
- value: error
- - set:
- field: "log.level"
- if: "ctx.event.severity == 4"
- value: warning
- - set:
- field: "log.level"
- if: "ctx.event.severity == 5"
- value: notification
- - set:
- field: "log.level"
- if: "ctx.event.severity == 6"
- value: informational
- - set:
- field: "log.level"
- if: "ctx.event.severity == 7"
- value: debug
+ #
+ # Firewall messages
+ #
+ # This set of messages is shared between FTD and ASA.
+ - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + value: inbound + - dissect: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + pattern: "%{event.outcome} 
%{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + pattern: '%{event.outcome} %{network.transport} src 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group "%{_temp_.cisco.list_id}"%{}' + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106103'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + value: allow + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: 
"message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "message" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + pattern: "Dynamic %{}ilter 
%{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + value: "{{destination.address}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + value: "{{destination.port}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + value: "{{source.address}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + value: "{{source.port}}" -# -# Firewall messages -# -# This set of messages is shared between FTD and ASA. 
- - set: - if: 'ctx._temp_.cisco.message_id != ""' - field: "event.action" - value: "firewall-rule" - - dissect: - if: "ctx._temp_.cisco.message_id == '106001'" - field: "message" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106002'" - field: "message" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106006'" - field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106007'" - field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106010'" - field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "message" - pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.transport" - value: icmp - - set: - if: "ctx._temp_.cisco.message_id == '106013'" - field: "network.direction" - value: inbound - - dissect: - if: "ctx._temp_.cisco.message_id == '106014'" - field: "message" - pattern: "%{event.outcome} 
%{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106015'" - field: "message" - pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106016'" - field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106017'" - field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106018'" - field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106020'" - field: "message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106021'" - field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106022'" - field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106023'" - field: "message" - pattern: "%{event.outcome} %{network.transport} src 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106027'" - field: "message" - pattern: "%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group \"%{_temp_.cisco.list_id}\"" - - dissect: - if: "ctx._temp_.cisco.message_id == '106100'" - field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106102'" - field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '106103'" - field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "message" - pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" - - set: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "event.outcome" - value: allow - - dissect: - if: "ctx._temp_.cisco.message_id == '304002'" - field: "message" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313001'" - 
field: "message" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313004'" - field: "message" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - - dissect: - if: "ctx._temp_.cisco.message_id == '313005'" - field: "message" - pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313008'" - field: "message" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '313009'" - field: "message" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '322001'" - field: "message" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "message" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338001'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338002'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338003'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338004'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} 
(%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338005'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338006'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338007'" - field: "message" - pattern: "Dynamic %{}ilter 
%{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338008'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338101'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - - set: - if: "ctx._temp_.cisco.message_id == '338102'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338103'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338104'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338201'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338202'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - - set: - if: "ctx._temp_.cisco.message_id == '338203'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx._temp_.cisco.message_id == '338204'" - field: "message" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d 
%{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338204'"
- field: "server.domain"
- value: "{{destination.domain}}"
- - dissect:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "message"
- pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "client.address"
- value: "{{destination.address}}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "client.port"
- value: "{{destination.port}}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "server.address"
- value: "{{source.address}}"
- - set:
- if: "ctx._temp_.cisco.message_id == '338301'"
- field: "server.port"
- value: "{{source.port}}"
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ - grok:
+ field: "message"
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ patterns:
+ - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}"
+ - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}"
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})"
-#
-# Handle 302xxx messages (Flow expiration a.k.a "Teardown")
-#
- - set:
- if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)"
- field: "event.action"
- value: "flow-expiration"
- - grok:
- field: "message"
- if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)"
- patterns:
- - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}"
- - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}"
- pattern_definitions:
- NOTCOLON: "[^:]*"
- ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
- ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
- MAPPEDSRC: "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})"
+ #
+ # Decode FTD's Security Event Syslog Messages
+ #
+ # 43000x messages are security event syslog messages specific to FTD.
+ # Format is a comma-separated sequence of key: value pairs.
+ #
+ # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
+ - kv:
+ if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ field_split: ",(?=[A-za-z1-9\\s]+:)"
+ value_split: ":"
+ target_field: "_temp_.orig_security"
+ trim_key: " "
+ trim_value: " "
+ ignore_failure: true
-#
-# Decode FTD's Security Event Syslog Messages
-#
-# 43000x messages are security event syslog messages specific to FTD.
-# Format is a comma-separated sequence of key: value pairs.
-#
-# The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
- - kv:
- if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
- field: "message"
- field_split: ","
- value_split: ":"
- target_field: "_temp_.orig_security"
- trim_key: " "
- trim_value: " "
- ignore_failure: true
+ #
+ # Remove message.
+ #
+ # The field has been used as temporary buffer while decoding. The full message
+ # is kept log.original. Processors below can still add a message field, as some
+ # security events contain an explanatory Message field.
+ - remove:
+ field:
+ - message
+ ignore_missing: true
-#
-# Remove message.
-#
-# The field has been used as temporary buffer while decoding. The full message
-# is kept log.original. Processors below can still add a message field, as some
-# security events contain an explanatory Message field.
- - remove:
- field:
- - message
- ignore_missing: true
-
-#
-# Populate ECS fields from Security Events
-#
-# This script uses the key-value pairs from Security Events to populate
-# the appropriate ECS fields.
-#
-# A single key can be mapped to multiple ECS fields, and more than one key can
-# map to the same ECS field, which results in an array being created.
-#
-# This script performs an additional job:
-#
-# Before FTD version 6.3, the message_id was not included in Security Events.
-# As this field encodes the kind of event (intrusion, connection, malware...)
-# the script below will guess the right message_id from the keys present in
-# the event.
-#
-# The reason for overloading this script with different behaviors is
-# that this pipeline is already reaching the limit on script compilations.
-#
-#*******************************************************************************
-# Code generated by go generate. DO NOT EDIT.
-#******************************************************************************* - - script: - if: ctx._temp_?.orig_security != null - params: - ACPolicy: - target: ac_policy - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleAction: - target: access_control_rule_action - id: ["430002", "430003"] - ecs: [event.outcome] - AccessControlRuleName: - target: access_control_rule_name - id: ["430002", "430003"] - ecs: [_temp_.cisco.rule_name] - AccessControlRuleReason: - target: access_control_rule_reason - id: ["430002", "430003"] - ApplicationProtocol: - target: application_protocol - ecs: [network.protocol] - ArchiveDepth: - target: archive_depth - id: ["430004", "430005"] - ArchiveFileName: - target: archive_file_name - id: ["430004", "430005"] - ecs: [file.name] - ArchiveFileStatus: - target: archive_file_status - id: ["430004", "430005"] - ArchiveSHA256: - target: archive_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - Classification: - target: classification - id: ["430001"] - Client: - target: client - ecs: [network.application] - ClientVersion: - target: client_version - id: ["430002", "430003"] - ConnectionDuration: - target: connection_duration - id: ["430003"] - ecs: [event.duration] - DNS_Sinkhole: - target: dns_sinkhole - id: ["430002", "430003"] - DNS_TTL: - target: dns_ttl - id: ["430002", "430003"] - DNSQuery: - target: dns_query - id: ["430002", "430003"] - ecs: [dns.question.name] - DNSRecordType: - target: dns_record_type - id: ["430002", "430003"] - ecs: [dns.question.type] - DNSResponseType: - target: dns_response_type - id: ["430002", "430003"] - ecs: [dns.response_code] - DNSSICategory: - target: dnssi_category - id: ["430002", "430003"] - DstIP: - target: dst_ip - ecs: [destination.address] - DstPort: - target: dst_port - ecs: [destination.port] - EgressInterface: - target: egress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.destination_interface] - EgressZone: - target: 
egress_zone - id: ["430001", "430002", "430003"] - Endpoint Profile: - target: endpoint_profile - id: ["430002", "430003"] - FileAction: - target: file_action - id: ["430004", "430005"] - FileCount: - target: file_count - id: ["430002", "430003"] - FileDirection: - target: file_direction - id: ["430004", "430005"] - FileName: - target: file_name - id: ["430004", "430005"] - ecs: [file.name] - FilePolicy: - target: file_policy - id: ["430004", "430005"] - ecs: [_temp_.cisco.rule_name] - FileSHA256: - target: file_sha256 - id: ["430004", "430005"] - ecs: [file.hash.sha256] - FileSandboxStatus: - target: file_sandbox_status - id: ["430004", "430005"] - FileSize: - target: file_size - id: ["430004", "430005"] - ecs: [file.size] - FileStorageStatus: - target: file_storage_status - id: ["430004", "430005"] - FileType: - target: file_type - id: ["430004", "430005"] - FirstPacketSecond: - target: first_packet_second - id: ["430004", "430005"] - ecs: [event.start] - GID: - target: gid - id: ["430001"] - ecs: [service.id] - HTTPReferer: - target: http_referer - id: ["430002", "430003"] - ecs: [http.request.referrer] - HTTPResponse: - target: http_response - id: ["430001", "430002", "430003"] - ecs: [http.response.status_code] - ICMPCode: - target: icmp_code - id: ["430001", "430002", "430003"] - ICMPType: - target: icmp_type - id: ["430001", "430002", "430003"] - IPReputationSICategory: - target: ip_reputation_si_category - id: ["430002", "430003"] - IPSCount: - target: ips_count - id: ["430002", "430003"] - IngressInterface: - target: ingress_interface - id: ["430001", "430002", "430003"] - ecs: [_temp_.cisco.source_interface] - IngressZone: - target: ingress_zone - id: ["430001", "430002", "430003"] - InitiatorBytes: - target: initiator_bytes - id: ["430003"] - ecs: [source.bytes] - InitiatorPackets: - target: initiator_packets - id: ["430003"] - ecs: [source.packets] - InlineResult: - target: inline_result - id: ["430001"] - ecs: [event.outcome] - IntrusionPolicy: - 
target: intrusion_policy - id: ["430001"] - ecs: [_temp_.cisco.rule_name] - MPLS_Label: - target: mpls_label - id: ["430001"] - Message: - target: message - id: ["430001"] - ecs: [message] - NAPPolicy: - target: nap_policy - id: ["430001", "430002", "430003"] - NetBIOSDomain: - target: net_bios_domain - id: ["430002", "430003"] - ecs: [host.hostname] - NumIOC: - target: num_ioc - id: ["430001"] - Prefilter Policy: - target: prefilter_policy - id: ["430002", "430003"] - Priority: - target: priority - id: ["430001"] - Protocol: - target: protocol - ecs: [network.transport] - ReferencedHost: - target: referenced_host - id: ["430002", "430003"] - ecs: [url.domain] - ResponderBytes: - target: responder_bytes - id: ["430003"] - ecs: [destination.bytes] - ResponderPackets: - target: responder_packets - id: ["430003"] - ecs: [destination.packets] - Revision: - target: revision - id: ["430001"] - SHA_Disposition: - target: sha_disposition - id: ["430004", "430005"] - SID: - target: sid - id: ["430001"] - SSLActualAction: - target: ssl_actual_action - ecs: [event.outcome] - SSLCertificate: - target: ssl_certificate - id: ["430002", "430003", "430004", "430005"] - SSLExpectedAction: - target: ssl_expected_action - id: ["430002", "430003"] - SSLFlowStatus: - target: ssl_flow_status - id: ["430002", "430003", "430004", "430005"] - SSLPolicy: - target: ssl_policy - id: ["430002", "430003"] - SSLRuleName: - target: ssl_rule_name - id: ["430002", "430003"] - SSLServerCertStatus: - target: ssl_server_cert_status - id: ["430002", "430003"] - SSLServerName: - target: ssl_server_name - id: ["430002", "430003"] - ecs: [server.domain] - SSLSessionID: - target: ssl_session_id - id: ["430002", "430003"] - SSLTicketID: - target: ssl_ticket_id - id: ["430002", "430003"] - SSLURLCategory: - target: sslurl_category - id: ["430002", "430003"] - SSLVersion: - target: ssl_version - id: ["430002", "430003"] - SSSLCipherSuite: - target: sssl_cipher_suite - id: ["430002", "430003"] - 
SecIntMatchingIP: - target: sec_int_matching_ip - id: ["430002", "430003"] - Security Group: - target: security_group - id: ["430002", "430003"] - SperoDisposition: - target: spero_disposition - id: ["430004", "430005"] - SrcIP: - target: src_ip - ecs: [source.address] - SrcPort: - target: src_port - ecs: [source.port] - TCPFlags: - target: tcp_flags - id: ["430002", "430003"] - ThreatName: - target: threat_name - id: ["430005"] - ecs: [_temp_.cisco.threat_category] - ThreatScore: - target: threat_score - id: ["430005"] - ecs: [_temp_.cisco.threat_level] - Tunnel or Prefilter Rule: - target: tunnel_or_prefilter_rule - id: ["430002", "430003"] - URI: - target: uri - id: ["430004", "430005"] - ecs: [url.original] - URL: - target: url - id: ["430002", "430003"] - ecs: [url.original] - URLCategory: - target: url_category - id: ["430002", "430003"] - URLReputation: - target: url_reputation - id: ["430002", "430003"] - URLSICategory: - target: urlsi_category - id: ["430002", "430003"] - User: - target: user - ecs: [user.id, user.name] - UserAgent: - target: user_agent - id: ["430002", "430003"] - ecs: [user_agent.original] - VLAN_ID: - target: vlan_id - id: ["430001", "430002", "430003"] - WebApplication: - target: web_application - ecs: [network.application] - originalClientSrcIP: - target: original_client_src_ip - id: ["430002", "430003"] - ecs: [client.address] - lang: painless - source: | - boolean isEmpty(def value) { - return (value instanceof AbstractList? value.size() : value.length()) == 0; - } - def appendOrCreate(Map dest, String[] path, def value) { - for (int i=0; i new HashMap()); + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. 
+ #
+ # This script performs an additional job:
+ #
+ # Before FTD version 6.3, the message_id was not included in Security Events.
+ # As this field encodes the kind of event (intrusion, connection, malware...)
+ # the script below will guess the right message_id from the keys present in
+ # the event.
+ #
+ # The reason for overloading this script with different behaviors is
+ # that this pipeline is already reaching the limit on script compilations.
+ #
+ #*******************************************************************************
+ # Code generated by go generate. DO NOT EDIT.
+ #*******************************************************************************
+ - script:
+ if: ctx._temp_?.orig_security != null
+ params:
+ ACPolicy:
+ target: ac_policy
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.rule_name]
+ AccessControlRuleAction:
+ target: access_control_rule_action
+ id: ["430002", "430003"]
+ ecs: [event.outcome]
+ AccessControlRuleName:
+ target: access_control_rule_name
+ id: ["430002", "430003"]
+ ecs: [_temp_.cisco.rule_name]
+ AccessControlRuleReason:
+ target: access_control_rule_reason
+ id: ["430002", "430003"]
+ ApplicationProtocol:
+ target: application_protocol
+ ecs: [network.protocol]
+ ArchiveDepth:
+ target: archive_depth
+ id: ["430004", "430005"]
+ ArchiveFileName:
+ target: archive_file_name
+ id: ["430004", "430005"]
+ ecs: [file.name]
+ ArchiveFileStatus:
+ target: archive_file_status
+ id: ["430004", "430005"]
+ ArchiveSHA256:
+ target: archive_sha256
+ id: ["430004", "430005"]
+ ecs: [file.hash.sha256]
+ Classification:
+ target: classification
+ id: ["430001"]
+ Client:
+ target: client
+ ecs: [network.application]
+ ClientVersion:
+ target: client_version
+ id: ["430002", "430003"]
+ ConnectionDuration:
+ target: connection_duration
+ id: ["430003"]
+ ecs: [event.duration]
+ DNS_Sinkhole:
+ target: dns_sinkhole
+ id: ["430002", "430003"]
+ DNS_TTL:
+ target: dns_ttl
+ id: ["430002", "430003"]
+ DNSQuery:
+ target: dns_query
+ id: ["430002", "430003"]
+ ecs: [dns.question.name]
+ DNSRecordType:
+ target: dns_record_type
+ id: ["430002", "430003"]
+ ecs: [dns.question.type]
+ DNSResponseType:
+ target: dns_response_type
+ id: ["430002", "430003"]
+ ecs: [dns.response_code]
+ DNSSICategory:
+ target: dnssi_category
+ id: ["430002", "430003"]
+ DstIP:
+ target: dst_ip
+ ecs: [destination.address]
+ DstPort:
+ target: dst_port
+ ecs: [destination.port]
+ EgressInterface:
+ target: egress_interface
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.destination_interface]
+ EgressZone:
+ target: egress_zone
+ id: ["430001", "430002", "430003"]
+ Endpoint Profile:
+ target: endpoint_profile
+ id: ["430002", "430003"]
+ FileAction:
+ target: file_action
+ id: ["430004", "430005"]
+ FileCount:
+ target: file_count
+ id: ["430002", "430003"]
+ FileDirection:
+ target: file_direction
+ id: ["430004", "430005"]
+ FileName:
+ target: file_name
+ id: ["430004", "430005"]
+ ecs: [file.name]
+ FilePolicy:
+ target: file_policy
+ id: ["430004", "430005"]
+ ecs: [_temp_.cisco.rule_name]
+ FileSHA256:
+ target: file_sha256
+ id: ["430004", "430005"]
+ ecs: [file.hash.sha256]
+ FileSandboxStatus:
+ target: file_sandbox_status
+ id: ["430004", "430005"]
+ FileSize:
+ target: file_size
+ id: ["430004", "430005"]
+ ecs: [file.size]
+ FileStorageStatus:
+ target: file_storage_status
+ id: ["430004", "430005"]
+ FileType:
+ target: file_type
+ id: ["430004", "430005"]
+ FirstPacketSecond:
+ target: first_packet_second
+ id: ["430004", "430005"]
+ ecs: [event.start]
+ GID:
+ target: gid
+ id: ["430001"]
+ ecs: [service.id]
+ HTTPReferer:
+ target: http_referer
+ id: ["430002", "430003"]
+ ecs: [http.request.referrer]
+ HTTPResponse:
+ target: http_response
+ id: ["430001", "430002", "430003"]
+ ecs: [http.response.status_code]
+ ICMPCode:
+ target: icmp_code
+ id: ["430001", "430002", "430003"]
+ ICMPType:
+ target: icmp_type
+ id: ["430001", "430002", "430003"]
+ IPReputationSICategory:
+ target: ip_reputation_si_category
+ id: ["430002", "430003"]
+ IPSCount:
+ target: ips_count
+ id: ["430002", "430003"]
+ IngressInterface:
+ target: ingress_interface
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.source_interface]
+ IngressZone:
+ target: ingress_zone
+ id: ["430001", "430002", "430003"]
+ InitiatorBytes:
+ target: initiator_bytes
+ id: ["430003"]
+ ecs: [source.bytes]
+ InitiatorPackets:
+ target: initiator_packets
+ id: ["430003"]
+ ecs: [source.packets]
+ InlineResult:
+ target: inline_result
+ id: ["430001"]
+ ecs: [event.outcome]
+ IntrusionPolicy:
+ target: intrusion_policy
+ id: ["430001"]
+ ecs: [_temp_.cisco.rule_name]
+ MPLS_Label:
+ target: mpls_label
+ id: ["430001"]
+ Message:
+ target: message
+ id: ["430001"]
+ ecs: [message]
+ NAPPolicy:
+ target: nap_policy
+ id: ["430001", "430002", "430003"]
+ NetBIOSDomain:
+ target: net_bios_domain
+ id: ["430002", "430003"]
+ ecs: [host.hostname]
+ NumIOC:
+ target: num_ioc
+ id: ["430001"]
+ Prefilter Policy:
+ target: prefilter_policy
+ id: ["430002", "430003"]
+ Priority:
+ target: priority
+ id: ["430001"]
+ Protocol:
+ target: protocol
+ ecs: [network.transport]
+ ReferencedHost:
+ target: referenced_host
+ id: ["430002", "430003"]
+ ecs: [url.domain]
+ ResponderBytes:
+ target: responder_bytes
+ id: ["430003"]
+ ecs: [destination.bytes]
+ ResponderPackets:
+ target: responder_packets
+ id: ["430003"]
+ ecs: [destination.packets]
+ Revision:
+ target: revision
+ id: ["430001"]
+ SHA_Disposition:
+ target: sha_disposition
+ id: ["430004", "430005"]
+ SID:
+ target: sid
+ id: ["430001"]
+ SSLActualAction:
+ target: ssl_actual_action
+ ecs: [event.outcome]
+ SSLCertificate:
+ target: ssl_certificate
+ id: ["430002", "430003", "430004", "430005"]
+ SSLExpectedAction:
+ target: ssl_expected_action
+ id: ["430002", "430003"]
+ SSLFlowStatus:
+ target: ssl_flow_status
+ id: ["430002", "430003", "430004", "430005"]
+ SSLPolicy:
+ target: ssl_policy
+ id: ["430002", "430003"]
+ SSLRuleName:
+ target: ssl_rule_name
+ id: ["430002", "430003"]
+ SSLServerCertStatus:
+ target: ssl_server_cert_status
+ id: ["430002", "430003"]
+ SSLServerName:
+ target: ssl_server_name
+ id: ["430002", "430003"]
+ ecs: [server.domain]
+ SSLSessionID:
+ target: ssl_session_id
+ id: ["430002", "430003"]
+ SSLTicketID:
+ target: ssl_ticket_id
+ id: ["430002", "430003"]
+ SSLURLCategory:
+ target: sslurl_category
+ id: ["430002", "430003"]
+ SSLVersion:
+ target: ssl_version
+ id: ["430002", "430003"]
+ SSSLCipherSuite:
+ target: sssl_cipher_suite
+ id: ["430002", "430003"]
+ SecIntMatchingIP:
+ target: sec_int_matching_ip
+ id: ["430002", "430003"]
+ Security Group:
+ target: security_group
+ id: ["430002", "430003"]
+ SperoDisposition:
+ target: spero_disposition
+ id: ["430004", "430005"]
+ SrcIP:
+ target: src_ip
+ ecs: [source.address]
+ SrcPort:
+ target: src_port
+ ecs: [source.port]
+ TCPFlags:
+ target: tcp_flags
+ id: ["430002", "430003"]
+ ThreatName:
+ target: threat_name
+ id: ["430005"]
+ ecs: [_temp_.cisco.threat_category]
+ ThreatScore:
+ target: threat_score
+ id: ["430005"]
+ ecs: [_temp_.cisco.threat_level]
+ Tunnel or Prefilter Rule:
+ target: tunnel_or_prefilter_rule
+ id: ["430002", "430003"]
+ URI:
+ target: uri
+ id: ["430004", "430005"]
+ ecs: [url.original]
+ URL:
+ target: url
+ id: ["430002", "430003"]
+ ecs: [url.original]
+ URLCategory:
+ target: url_category
+ id: ["430002", "430003"]
+ URLReputation:
+ target: url_reputation
+ id: ["430002", "430003"]
+ URLSICategory:
+ target: urlsi_category
+ id: ["430002", "430003"]
+ User:
+ target: user
+ ecs: [user.id, user.name]
+ UserAgent:
+ target: user_agent
+ id: ["430002", "430003"]
+ ecs: [user_agent.original]
+ VLAN_ID:
+ target: vlan_id
+ id: ["430001", "430002", "430003"]
+ WebApplication:
+ target: web_application
+ ecs: [network.application]
+ originalClientSrcIP:
+ target: original_client_src_ip
+ id: ["430002", "430003"]
+ ecs: [client.address]
+ lang: painless
+ source: |
+ 
boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); } - String key = path[path.length - 1]; - def existing = dest.get(key); - return existing == null? - dest.put(key, value) - : existing instanceof AbstractList? - existing.add(value) - : dest.put(key, new ArrayList([existing, value])); - } - def msg = ctx._temp_.orig_security; - def counters = new HashMap(); - def dest = new HashMap(); - ctx._temp_.cisco['security'] = dest; - for (entry in msg.entrySet()) { - def param = params.get(entry.getKey()); - if (param == null) { - continue; + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } } - param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); - if (!isEmpty(entry.getValue())) { - param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); - dest[param.target] = entry.getValue(); + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; } - } - if (ctx._temp_.cisco.message_id != "") return; - def 
best;
- for (entry in counters.entrySet()) {
- if (best == null || best.getValue() < entry.getValue()) best = entry;
- }
- if (best != null) ctx._temp_.cisco.message_id = best.getKey();
-#*******************************************************************************
-# End of generated code.
-#*******************************************************************************
+ if (best != null) ctx._temp_.cisco.message_id = best.getKey();
+ #*******************************************************************************
+ # End of generated code.
+ #*******************************************************************************
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
-#
-# Normalize ECS field values
-#
- - script:
- lang: painless
- params:
- 'ctx._temp_.cisco.message_id':
- target: event.action
- map:
- '430001': intrusion-detected
- '430002': connection-started
- '430003': connection-finished
- '430004': file-detected
- '430005': malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
- 'dns.question.type':
- map:
- 'a host address': A
- 'ip6 address': AAAA
- 'text strings': TXT
- 'a domain name pointer': PTR
- 'an authoritative name server': NS
- 'the canonical name for an alias': CNAME
- 'marks the start of a zone of authority': SOA
- 'mail exchange': MX
- 'server selection': SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
- 'dns.response_code':
- map:
- 
'non-existent domain': NXDOMAIN - 'server failure': SERVFAIL - 'query refused': REFUSED - 'no error': NOERROR - - source: | - def getField(Map src, String[] path) { - for (int i=0; i new HashMap()); - } - dest[path[path.length-1]] = value; - } - for (entry in params.entrySet()) { - def srcField = entry.getKey(); - def param = entry.getValue(); - String oldVal = getField(ctx, srcField.splitOnToken('.')); - if (oldVal == null) continue; - def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); - if (newVal != null) { - def dstField = param.getOrDefault('target', srcField); - setField(ctx, dstField.splitOnToken('.'), newVal); + def setField(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); } - } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } - - set: - if: 'ctx.dns?.question?.type != null && ctx.dns?.response_code == null' - field: dns.response_code - value: NOERROR + - set: + if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" + field: dns.response_code + value: NOERROR - - set: - if: 'ctx._temp_.cisco.message_id == "430001"' - field: event.action - value: intrusion-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430002"' - field: event.action - value: connection-started - - set: - if: 'ctx._temp_.cisco.message_id == "430003"' - field: event.action - value: connection-finished - - set: - if: 'ctx._temp_.cisco.message_id == "430004"' - field: event.action - value: file-detected - - set: - if: 'ctx._temp_.cisco.message_id == "430005"' - field: event.action - value: malware-detected + - set: + if: 
'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value: malware-detected
-#
-# Handle event.duration
-#
-# It can be set from ConnectionDuration FTD field above. This field holds
-# seconds as a string. Copy it to _temp_.duration_hms so that the following
-# processor converts it to the right value and populates start and end.
- - set:
- field: '_temp_.duration_hms'
- value: '{{event.duration}}'
- if: 'ctx.event?.duration != null'
+ #
+ # Handle event.duration
+ #
+ # It can be set from ConnectionDuration FTD field above. This field holds
+ # seconds as a string. Copy it to _temp_.duration_hms so that the following
+ # processor converts it to the right value and populates start and end.
+ - set:
+ field: "_temp_.duration_hms"
+ value: "{{event.duration}}"
+ if: "ctx.event?.duration != null"
-#
-# Process the flow duration "hh:mm:ss" present in some messages
-# This will fill event.start, event.end and event.duration
-#
- - script:
- lang: painless
- if: "ctx?._temp_?.duration_hms != null"
- source: >
- long parse_hms(String s) {
- long cur = 0, total = 0;
- for (char c: s.toCharArray()) {
- if (c >= (char)'0' && c <= (char)'9') {
- cur = (cur*10) + (long)c - (char)'0';
- } else if (c == (char)':') {
- total = (total + cur) * 60;
- cur = 0;
- } else {
- return 0;
- }
- }
- return total + cur;
- }
- if (ctx?.event == null) {
- ctx['event'] = new HashMap();
- }
- String end = ctx['@timestamp'];
- ctx.event['end'] = end;
- long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
- ctx.event['duration'] = nanos;
- ctx.event['start'] = ZonedDateTime.ofInstant(
- Instant.parse(end).minusNanos(nanos),
- ZoneOffset.UTC);
+ #
+ # Process the flow duration "hh:mm:ss" present in some messages
+ # This will fill event.start, event.end and event.duration
+ #
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
-#
-# Normalize protocol names
-#
- - lowercase:
- field: "network.transport"
- ignore_failure: true
- - lowercase:
- field: "network.protocol"
- ignore_failure: true
- - lowercase:
- field: "network.application"
- ignore_failure: true
- - lowercase:
- field: "file.type"
- ignore_failure: true
- - lowercase:
- field: "network.direction"
- ignore_failure: true
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
-#
-# Populate network.iana_number from network.transport. Also does reverse
-# mapping in case network.transport contains the iana_number.
-#
- - script:
- if: 'ctx?.network?.transport != null'
- lang: painless
- params:
- icmp: 1
- igmp: 2
- ipv4: 4
- tcp: 6
- egp: 8
- igp: 9
- pup: 12
- udp: 17
- rdp: 27
- irtp: 28
- dccp: 33
- idpr: 35
- ipv6: 41
- ipv6-route: 43
- ipv6-frag: 44
- rsvp: 46
- gre: 47
- esp: 50
- ipv6-icmp: 58
- ipv6-nonxt: 59
- ipv6-opts: 60
- source: >
- def net = ctx.network;
- def iana = params[net.transport];
- if (iana != null) {
- net['iana_number'] = iana;
- return;
- }
- def reverse = new HashMap();
- def[] arr = new def[] { null };
- for (entry in params.entrySet()) {
- arr[0] = entry.getValue();
- reverse.put(String.format("%d", arr), entry.getKey());
- }
- def trans = reverse[net.transport];
- if (trans != null) {
- net['iana_number'] = net.transport;
- net['transport'] = trans;
- }
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number.
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
-#
-# Normalize event.outcome
-#
- - lowercase:
- field: "event.outcome"
- ignore_missing: true
- - set:
- field: "event.outcome"
- if: "ctx.event?.outcome == \"est-allowed\""
- value: allow
- - set:
- field: "event.outcome"
- if: "ctx.event?.outcome == \"permitted\""
- value: allow
- - set:
- field: "event.outcome"
- if: "ctx.event?.outcome == \"denied\""
- value: deny
- - set:
- field: "event.outcome"
- if: "ctx.event?.outcome == \"dropped\""
- value: deny
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: allow
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "permitted"'
+ value: allow
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "denied"'
+ value: deny
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "dropped"'
+ value: deny
- - set:
- field: "network.transport"
- if: "ctx.network?.transport == \"icmpv6\""
- value: "ipv6-icmp"
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
-#
-# Convert integer fields, as output of dissect and kv processors is always a string
-#
- - convert:
- field: "source.port"
- type: integer
- ignore_failure: true
- - convert:
- field: "destination.port"
- type: integer
- ignore_failure: true
- - convert:
- field: "source.bytes"
- type: integer
- ignore_failure: true
- - convert:
- field: "destination.bytes"
- type: integer
- ignore_failure: true
- - convert:
- field: "source.packets"
- type: integer
- ignore_failure: true
- - convert:
- field: "destination.packets"
- type: integer
- ignore_failure: true
- - convert:
- field: "_temp_.cisco.mapped_source_port"
- type: integer
- ignore_failure: true
- - convert:
- field: "_temp_.cisco.mapped_destination_port"
- type: integer
- ignore_failure: true
- - convert:
- field: "_temp_.cisco.icmp_code"
- type: integer
- ignore_failure: true
- - convert:
- field: "_temp_.cisco.icmp_type"
- type: integer
- ignore_failure: true
- - convert:
- field: "network.iana_number"
- type: integer
- ignore_failure: true
+ #
+ # Convert integer fields, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: "source.port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "destination.port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "source.bytes"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "destination.bytes"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "source.packets"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "destination.packets"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "_temp_.cisco.mapped_source_port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "_temp_.cisco.mapped_destination_port"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "_temp_.cisco.icmp_code"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "_temp_.cisco.icmp_type"
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: "network.iana_number"
+ type: integer
+ ignore_failure: true
-#
-# Assign ECS .ip fields from .address is a valid IP address is found,
-# otherwise set .domain field.
-#
- - grok:
- field: source.address
- patterns:
- - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})"
- ignore_failure: true
- - grok:
- field: destination.address
- patterns:
- - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})"
- ignore_failure: true
- - grok:
- field: client.address
- patterns:
- - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
- ignore_failure: true
- - grok:
- field: server.address
- patterns:
- - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
- ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
+ ignore_failure: true
-#
-# Geolocation for source and destination addresses
-#
- - geoip:
- field: "source.ip"
- target_field: "source.geo"
- ignore_missing: true
- - geoip:
- field: "destination.ip"
- target_field: "destination.geo"
- ignore_missing: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
-#
-# IP Autonomous System (AS) Lookup
-#
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
-#
-# NAT fields
-#
-# The firewall always populates mapped ip and port even if there was no NAT.
-# This populates both nat.ip and nat.port only when some translation is done.
-# Fills nat.ip and nat.port even when only the ip or port changed.
- - set:
- field: source.nat.ip
- value: "{{_temp_.cisco.mapped_source_ip}}"
- if: "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
- - set:
- field: source.nat.port
- value: "{{_temp_.cisco.mapped_source_port}}"
- if: "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
- - set:
- field: destination.nat.ip
- value: "{{_temp_.cisco.mapped_destination_ip}}"
- if: "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
- - set:
- field: destination.nat.port
- value: "{{_temp_.cisco.mapped_destination_port}}"
- if: "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
-#
-# Populate ECS event.code
-#
- - convert:
- field: _temp_.cisco.message_id
- target_field: event.code
- type: integer
- ignore_failure: true
+ #
+ # Populate ECS event.code
+ #
+ - convert:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ type: integer
+ ignore_failure: true
- - remove:
- field:
- - _temp_.cisco.message_id
- - event.code
- if: 'ctx._temp_.cisco.message_id == ""'
- ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
-#
-# Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
-#
- - rename:
- field: _temp_.cisco
- target_field: 'cisco.{< .internal_prefix >}'
- ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.{< .internal_prefix >}"
+ ignore_failure: true
-#
-# Remove temporary fields
-#
- - remove:
- field: _temp_
- ignore_missing: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
-#
-# Rename some 7.x fields
-#
- - rename:
- field: log.original
- target_field: event.original
- ignore_missing: true
- - rename:
- field: cisco.{< .internal_prefix >}.list_id
- target_field: cisco.{< .internal_prefix >}.rule_name
- ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: log.original
+ target_field: event.original
+ ignore_missing: true
+ - rename:
+ field: cisco.{< .internal_prefix >}.list_id
+ target_field: cisco.{< .internal_prefix >}.rule_name
+ ignore_missing: true
 on_failure:
- - append:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
From c198d21d67481113aec368766d17b90338daf1ca Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Thu, 19 Mar 2020 13:54:34 -0400
Subject: [PATCH 2/3] [Filebeat] Add changelog entry for Cisco fixes (#17124)
* Add changelog entry for Cisco fixes
* move new entry to the end of the changelog section
---
 CHANGELOG.next.asciidoc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index dc74ce083848..f634de5e669f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -119,6 +119,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adding the var definitions in azure manifest files, fix for errors when executing command setup. {issue}16270[16270] {pull}16468[16468] - Fix merging of fileset inputs to replace paths and append processors. {pull}16450{16450} - Add queue_url definition in manifest file for aws module. {pull}16640{16640} +- Fix issue where autodiscover hints default configuration was not being copied. {pull}16987[16987] +- Fix Elasticsearch `_id` field set by S3 and Google Pub/Sub inputs. {pull}17026[17026] +- Fixed various Cisco FTD parsing issues. {issue}16863[16863] {pull}16889[16889] *Heartbeat* From 421ef35f2200370a3f6db00575deb9c373b18c64 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Thu, 19 Mar 2020 13:57:19 -0400 Subject: [PATCH 3/3] Remove stray changelog entries from cherry-pick --- CHANGELOG.next.asciidoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f634de5e669f..1d988baf9f8d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -119,8 +119,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adding the var definitions in azure manifest files, fix for errors when executing command setup. {issue}16270[16270] {pull}16468[16468] - Fix merging of fileset inputs to replace paths and append processors. {pull}16450{16450} - Add queue_url definition in manifest file for aws module. {pull}16640{16640} -- Fix issue where autodiscover hints default configuration was not being copied. {pull}16987[16987] -- Fix Elasticsearch `_id` field set by S3 and Google Pub/Sub inputs. {pull}17026[17026] - Fixed various Cisco FTD parsing issues. {issue}16863[16863] {pull}16889[16889] *Heartbeat*