From 2a6c58f8261b1ebce0180dd3b7a3545e1391c87e Mon Sep 17 00:00:00 2001 
From: Adrian Serrano Date: Wed, 28 Aug 2019 18:22:00 +0200 Subject: [PATCH] [Filebeat] [SIEM] Fileset for Cisco FTD logs (#13286) This adds a new `ftd` fileset to the `cisco` module for parsing Firepower Threat Defense logs. As the FTD logs are a superset of the Cisco ASA logs, this PR introduces a shared ingest pipeline that is used both by the new `ftd` and the existing `asa` filesets. As a side effect of this, it improves the existing ASA fileset so that it uses custom syslog message decoding instead of relying on Filebeat's syslog input, which has caused compatibility problems with some ASA devices. Closes #12690 --- CHANGELOG.next.asciidoc | 2 + filebeat/docs/fields.asciidoc | 182 +- filebeat/docs/modules/cisco.asciidoc | 152 +- x-pack/filebeat/filebeat.reference.yml | 18 + x-pack/filebeat/module/cisco/_meta/config.yml | 18 + .../filebeat/module/cisco/_meta/docs.asciidoc | 152 +- .../module/cisco/asa/_meta/fields.yml | 4 +- .../module/cisco/asa/config/input.yml | 6 +- .../module/cisco/asa/ingest/pipeline.yml | 511 --- x-pack/filebeat/module/cisco/asa/manifest.yml | 7 +- .../cisco/asa/test/asa.log-expected.json | 672 +++- .../cisco/asa/test/filtered.log-expected.json | 6 +- .../filebeat/module/cisco/asa/test/sample.log | 32 +- .../cisco/asa/test/sample.log-expected.json | 425 ++- x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 92 + .../module/cisco/ftd/config/input.yml | 20 + x-pack/filebeat/module/cisco/ftd/manifest.yml | 32 + x-pack/filebeat/module/cisco/ftd/test/asa.log | 268 ++ .../cisco/ftd/test/asa.log-expected.json | 2761 +++++++++++++++++ x-pack/filebeat/module/cisco/ftd/test/dns.log | 21 + .../cisco/ftd/test/dns.log-expected.json | 1654 ++++++++++ .../module/cisco/ftd/test/filtered.log | 2 + .../cisco/ftd/test/filtered.log-expected.json | 24 + .../cisco/ftd/test/firepower-management.log | Bin 0 -> 5064 bytes .../firepower-management.log-expected.json | 615 ++++ .../module/cisco/ftd/test/intrusion.log | 4 + 
.../ftd/test/intrusion.log-expected.json | 222 ++ .../module/cisco/ftd/test/no-type-id.log | 4 + .../ftd/test/no-type-id.log-expected.json | 126 + .../filebeat/module/cisco/ftd/test/sample.log | 72 + .../cisco/ftd/test/sample.log-expected.json | 1949 ++++++++++++ .../cisco/ftd/test/security-connection.log | 10 + .../security-connection.log-expected.json | 717 +++++ .../cisco/ftd/test/security-file-malware.log | 10 + .../security-file-malware.log-expected.json | 570 ++++ .../cisco/shared/gen-ecs-mapping-docs.go | 143 + .../cisco/shared/gen-ftd-ecs-mapping.go | 249 ++ x-pack/filebeat/module/cisco/shared/gen.go | 8 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 1202 +++++++ .../module/cisco/shared/security-mappings.csv | 215 ++ .../filebeat/module/cisco/shared/stringset.go | 56 + x-pack/filebeat/modules.d/cisco.yml.disabled | 18 + 43 files changed, 12459 insertions(+), 794 deletions(-) delete mode 100644 x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml create mode 100644 x-pack/filebeat/module/cisco/ftd/_meta/fields.yml create mode 100644 x-pack/filebeat/module/cisco/ftd/config/input.yml create mode 100644 x-pack/filebeat/module/cisco/ftd/manifest.yml create mode 100644 x-pack/filebeat/module/cisco/ftd/test/asa.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/dns.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/filtered.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/firepower-management.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/intrusion.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json create mode 100644 
x-pack/filebeat/module/cisco/ftd/test/no-type-id.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/sample.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-connection.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log create mode 100644 x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json create mode 100644 x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go create mode 100644 x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go create mode 100644 x-pack/filebeat/module/cisco/shared/gen.go create mode 100644 x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml create mode 100644 x-pack/filebeat/module/cisco/shared/security-mappings.csv create mode 100644 x-pack/filebeat/module/cisco/shared/stringset.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 394559e28ee8..b0b45ddfde90 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add read_buffer configuration option. {pull}11739[11739] - `convert_timezone` option is removed and locale is always added to the event so timezone is used when parsing the timestamp, this behaviour can be overriden with processors. {pull}12410[12410] - Fix a race condition in the TCP input when close the client socket. {pull}13038[13038] +- cisco/asa fileset: Renamed log.original to event.original and cisco.asa.list_id to cisco.asa.rule_name. {pull}13286[13286] *Heartbeat* 
@@ -284,6 +285,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update PAN-OS fileset to use the ECS NAT fields. {issue}13320[13320] {pull}13330[13330] - Add fields to the Zeek DNS fileset for ECS DNS. {issue}13320[13320] {pull}13324[13324] - Add container image in Kubernetes metadata {pull}13356[13356] {issue}12688[12688] +- Add module for ingesting Cisco FTD logs over syslog. {pull}13286[13286] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2740d86e0e90..8c51873bb932 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1381,10 +1381,10 @@ type: keyword -- -*`cisco.asa.list_id`*:: +*`cisco.asa.rule_name`*:: + -- -Name of the Access Control List that matched this event. +Name of the Access Control List rule that matched this event. type: keyword 
@@ -1501,6 +1501,184 @@ type: short -- +[float] +=== ftd + +Fields for Cisco Firepower Threat Defense Firewall. + + + +*`cisco.ftd.message_id`*:: ++ +-- +The Cisco FTD message identifier. + + +type: keyword + +-- + +*`cisco.ftd.suffix`*:: ++ +-- +Optional suffix after %FTD identifier. + + +type: keyword + +example: session + +-- + +*`cisco.ftd.source_interface`*:: ++ +-- +Source interface for the flow or event. + + +type: keyword + +-- + +*`cisco.ftd.destination_interface`*:: ++ +-- +Destination interface for the flow or event. + + +type: keyword + +-- + +*`cisco.ftd.rule_name`*:: ++ +-- +Name of the Access Control List rule that matched this event. + + +type: keyword + +-- + +*`cisco.ftd.source_username`*:: ++ +-- +Name of the user that is the source for this event. + + +type: keyword + +-- + +*`cisco.ftd.destination_username`*:: ++ +-- +Name of the user that is the destination for this event. + + +type: keyword + +-- + +*`cisco.ftd.mapped_source_ip`*:: ++ +-- +The translated source IP address. Use ECS source.nat.ip. + + +type: ip + +-- + +*`cisco.ftd.mapped_source_port`*:: ++ +-- +The translated source port. Use ECS source.nat.port. + + +type: long + +-- + +*`cisco.ftd.mapped_destination_ip`*:: ++ +-- +The translated destination IP address. Use ECS destination.nat.ip. + + +type: ip + +-- + +*`cisco.ftd.mapped_destination_port`*:: ++ +-- +The translated destination port. Use ECS destination.nat.port. + + +type: long + +-- + +*`cisco.ftd.threat_level`*:: ++ +-- +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + +type: keyword + +-- + +*`cisco.ftd.threat_category`*:: ++ +-- +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + +type: keyword + +-- + +*`cisco.ftd.connection_id`*:: ++ +-- +Unique identifier for a flow. + + +type: keyword + +-- + +*`cisco.ftd.icmp_type`*:: ++ +-- +ICMP type. + + +type: short + +-- + +*`cisco.ftd.icmp_code`*:: ++ +-- +ICMP code. 
+ + +type: short + +-- + +*`cisco.ftd.security`*:: ++ +-- +Raw fields for Security Events. + +type: object + +-- + [float] === ios diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 5c6441e556f3..ec83358d3d94 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -12,10 +12,12 @@ This file is generated! See scripts/docs_collector.py beta[] -This is a module for Cisco network device's logs. The `asa` fileset supports -Cisco ASA firewall logs received over syslog or read from a file. And the `ios` -fileset supports Cisco IOS router and switch logs received over syslog or read -from a file. +This is a module for Cisco network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `asa` fileset: supports Cisco ASA firewall logs. +- `ftd` fileset: supports Cisco Firepower Threat Defense logs. +- `ios` fileset: supports Cisco IOS router and switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
@@ -103,6 +105,148 @@ The UDP port to listen for syslog traffic. Defaults to 9001. :fileset_ex!: +[float] +==== `ftd` fileset settings + +The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log +messages similar to that of ASA devices as well as Security Event Syslog +Messages for Intrusion, Connection, File and Malware events. + +*ECS Field mapping* + +The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common +Schema (ECS) format. The following table illustrates the mapping from +Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no +corresponding ECS field available. + +Mappings for Intrusion events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| GID | service.id +| HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InlineResult | event.outcome +| IntrusionPolicy | cisco.ftd.rule_name +| Message | message +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| User | user.id, user.name +| WebApplication | network.application +|==================================== + +Mappings for Connection and Security Intelligence events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ACPolicy | cisco.ftd.rule_name +| AccessControlRuleAction | event.outcome +| AccessControlRuleName | cisco.ftd.rule_name +| ApplicationProtocol | network.protocol +| ConnectionDuration | event.duration +| DNSQuery | dns.question.name +| DNSRecordType | dns.question.type +| DNSResponseType | dns.response_code +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| HTTPReferer | http.request.referrer +| HTTPResponse | http.response.status_code +| IngressInterface | 
cisco.ftd.source_interface +| InitiatorBytes | source.bytes +| InitiatorPackets | source.packets +| NetBIOSDomain | host.hostname +| Protocol | network.transport +| ReferencedHost | url.domain +| ResponderBytes | destination.bytes +| ResponderPackets | destination.packets +| SSLActualAction | event.outcome +| SSLServerName | server.domain +| SrcIP | source.ip +| SrcPort | source.port +| URL | url.original +| User | user.name +| UserAgent | user_agent.original +| WebApplication | network.application +| originalClientSrcIP | client.ip +|==================================== + +Mappings for File and Malware events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| ArchiveFileName | file.name +| ArchiveSHA256 | file.hash.sha256 +| Client | network.application +| DstIP | destination.ip +| DstPort | destination.port +| FileName | file.name +| FilePolicy | cisco.ftd.rule_name +| FileSHA256 | file.hash.sha256 +| FileSize | file.size +| FirstPacketSecond | event.start +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| URI | url.original +| User | user.name +| WebApplication | network.application +|==================================== + +*Example configuration:* + +[source,yaml] +---- +- module: cisco + ftd: + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. 
A lower value will drop +any messages with a severity level higher than the specified value. For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to 9003. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== `ios` fileset settings diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 83a944f7eedf..d9450fffe7ac 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -107,6 +107,24 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 8a42d938a2d1..b5d555b03b51 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml 
@@ -17,6 +17,24 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 2b19673057fa..bc07891dfc68 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -7,10 +7,12 @@ beta[] -This is a module for Cisco network device's logs. The `asa` fileset supports -Cisco ASA firewall logs received over syslog or read from a file. And the `ios` -fileset supports Cisco IOS router and switch logs received over syslog or read -from a file. +This is a module for Cisco network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `asa` fileset: supports Cisco ASA firewall logs. +- `ftd` fileset: supports Cisco Firepower Threat Defense logs. +- `ios` fileset: supports Cisco IOS router and switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
@@ -98,6 +100,148 @@ The UDP port to listen for syslog traffic. Defaults to 9001. :fileset_ex!: +[float] +==== `ftd` fileset settings + +The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log +messages similar to that of ASA devices as well as Security Event Syslog +Messages for Intrusion, Connection, File and Malware events. + +*ECS Field mapping* + +The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common +Schema (ECS) format. The following table illustrates the mapping from +Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no +corresponding ECS field available. + +Mappings for Intrusion events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| GID | service.id +| HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InlineResult | event.outcome +| IntrusionPolicy | cisco.ftd.rule_name +| Message | message +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| User | user.id, user.name +| WebApplication | network.application +|==================================== + +Mappings for Connection and Security Intelligence events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ACPolicy | cisco.ftd.rule_name +| AccessControlRuleAction | event.outcome +| AccessControlRuleName | cisco.ftd.rule_name +| ApplicationProtocol | network.protocol +| ConnectionDuration | event.duration +| DNSQuery | dns.question.name +| DNSRecordType | dns.question.type +| DNSResponseType | dns.response_code +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| HTTPReferer | http.request.referrer +| HTTPResponse | http.response.status_code +| IngressInterface | 
cisco.ftd.source_interface +| InitiatorBytes | source.bytes +| InitiatorPackets | source.packets +| NetBIOSDomain | host.hostname +| Protocol | network.transport +| ReferencedHost | url.domain +| ResponderBytes | destination.bytes +| ResponderPackets | destination.packets +| SSLActualAction | event.outcome +| SSLServerName | server.domain +| SrcIP | source.ip +| SrcPort | source.port +| URL | url.original +| User | user.name +| UserAgent | user_agent.original +| WebApplication | network.application +| originalClientSrcIP | client.ip +|==================================== + +Mappings for File and Malware events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| ArchiveFileName | file.name +| ArchiveSHA256 | file.hash.sha256 +| Client | network.application +| DstIP | destination.ip +| DstPort | destination.port +| FileName | file.name +| FilePolicy | cisco.ftd.rule_name +| FileSHA256 | file.hash.sha256 +| FileSize | file.size +| FirstPacketSecond | event.start +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| URI | url.original +| User | user.name +| WebApplication | network.application +|==================================== + +*Example configuration:* + +[source,yaml] +---- +- module: cisco + ftd: + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. 
A lower value will drop +any messages with a severity level higher than the specified value. For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to 9003. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== `ios` fileset settings diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 4c1f51000072..e5ada6df4410 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -24,10 +24,10 @@ description: > Destination interface for the flow or event. - - name: list_id + - name: rule_name type: keyword description: > - Name of the Access Control List that matched this event. + Name of the Access Control List rule that matched this event. - name: source_username type: keyword diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 32e87abc8388..68e985ae5448 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -1,8 +1,8 @@ {{ if eq .input "syslog" }} -type: syslog -protocol.udp: - host: "{{.syslog_host}}:{{.syslog_port}}" +type: udp +udp: +host: "{{.syslog_host}}:{{.syslog_port}}" {{ else if eq .input "file" }} diff --git a/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml deleted file mode 100644 index d117cdcb94ec..000000000000 --- a/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml +++ /dev/null 
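Review bot: Switching `asa/config/input.yml` from the `syslog` input to a plain `udp` input means Filebeat no longer strips the syslog header, so the `<PRI>`, timestamp and hostname prefix now arrive inside `message` and the ingest pipeline becomes the only place that can recover `event.severity` and the device timestamp; that shared pipeline is outside this chunk, so it is worth a comment in this template, e.g. `# Raw UDP: the syslog header is parsed by the shared asa-ftd ingest pipeline, not by Filebeat.` The collapsed rendering loses leading whitespace, so I cannot confirm that `host:` is indented under `udp:`; as printed it would be a sibling key and the input would not bind, so the intended new lines are presumably `udp:` / `  host: "{{.syslog_host}}:{{.syslog_port}}"`. Since the `udp` input silently truncates datagrams above its `max_message_size` default and FTD security events can be long, consider setting that option explicitly here rather than relying on the default.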
@@ -1,511 +0,0 @@ -description: "Pipeline for Cisco ASA" -processors: - - - grok: - field: message - patterns: - - "(:?%{ASA_DATE:_temp_.raw_date})?%{ASA_PREFIX}-(:?%{ASA_SUFFIX:cisco.asa.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:cisco.asa.message_id}:?\\s*%{GREEDYDATA:log.original}" - pattern_definitions: - ASA_PREFIX: "%{DATA}%ASA" - ASA_SUFFIX: "[^0-9-]+" - ASA_DATE: "(:?%{DAY} )?%{MONTH} *%{MONTHDAY}(:? %{YEAR})? %{TIME}(:? %{TZ})?" - -# -# Drop messages above configured log_level -# - - drop: - if: "ctx.event.severity > {< .log_level >}" - -# -# Parse the date included in ASA logs -# - - date: - field: "_temp_.raw_date" - ignore_failure: true - formats: - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - - date: - if: "ctx.event.timezone != null" - field: "@timestamp" - formats: ["ISO8601"] - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# -# Set log.level -# - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - -# -# Firewall messages -# - - set: - field: "event.action" - value: 
"firewall-rule" - - dissect: - if: "ctx.cisco.asa.message_id == '106001'" - field: "log.original" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106002'" - field: "log.original" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106006'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106007'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106010'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} %{} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106013'" - field: "log.original" - pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}" - - set: - if: "ctx.cisco.asa.message_id == '106013'" - field: "network.transport" - value: icmp - - set: - if: "ctx.cisco.asa.message_id == '106013'" - field: "network.direction" - value: inbound - - dissect: - if: "ctx.cisco.asa.message_id == '106014'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip} %{}dst %{cisco.asa.destination_interface}:%{destination.ip} 
%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106015'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106016'" - field: "log.original" - pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106017'" - field: "log.original" - pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106018'" - field: "log.original" - pattern: "%{network.transport} packet type %{cisco.asa.icmp_type} %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106020'" - field: "log.original" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106021'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106022'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106023'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{cisco.asa.list_id}\"%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106027'" - field: "log.original" - pattern: "%{} 
%{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{cisco.asa.list_id}\"" - - dissect: - if: "ctx.cisco.asa.message_id == '106100'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} %{cisco.asa.source_interface}/%{source.ip}(%{source.port}) -> %{cisco.asa.destination_interface}/%{destination.ip}(%{destination.port}) %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106102'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106103'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '304001'" - field: "log.original" - pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}" - - set: - if: "ctx.cisco.asa.message_id == '304001'" - field: "event.outcome" - value: allow - - dissect: - if: "ctx.cisco.asa.message_id == '304002'" - field: "log.original" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313001'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313004'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, from%{}addr %{source.ip} on interface 
%{cisco.asa.source_interface} to %{destination.ip}: no matching session" - - dissect: - if: "ctx.cisco.asa.message_id == '313005'" - field: "log.original" - pattern: "No matching connection for %{network.transport} error message: %{} on %{cisco.asa.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '313008'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type} , code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313009'" - field: "log.original" - pattern: "%{event.outcome} invalid %{network.transport} code %{cisco.asa.icmp_code} , for %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '322001'" - field: "log.original" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '338001'" - field: "log.original" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338001'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338002'" - field: "log.original" - 
pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338002'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338003'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338004'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338005'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} 
(%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338005'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338006'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338006'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338007'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338008'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338101'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338101'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338102'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338102'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338103'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to 
%{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '338104'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '338201'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338201'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338202'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: 
%{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338202'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338203'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338203'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338204'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338204'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338301'" - field: "log.original" - pattern: "Intercepted DNS reply for domain %{source.domain} from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port}, matched %{cisco.asa.list_id}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "client.ip" - value: "{{destination.ip}}" - - set: - if: 
"ctx.cisco.asa.message_id == '338301'" - field: "client.port" - value: "{{destination.port}}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "server.ip" - value: "{{source.ip}}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "server.port" - value: "{{source.port}}" - -# -# Handle 302xxx messages (Flow expiration a.k.a "Teardown") -# - - set: - if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)" - field: "event.action" - value: "flow-expiration" - - grok: - field: "log.original" - if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)" - patterns: - - "Teardown %{NOTSPACE:network.transport} (:?state-bypass )?connection %{NOTSPACE:cisco.asa.connection_id} (:?for|from) %{NOTCOLON:cisco.asa.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?to %{NOTCOLON:cisco.asa.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} (:?%{NOTSPACE:cisco.asa.destination_username} )?(:?duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" - - "Teardown %{NOTSPACE:network.transport} connection for faddr (:?%{NOTCOLON:cisco.asa.source_interface}:)?%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?gaddr (:?%{NOTCOLON}:)?%{IP}/%{NUMBER} laddr (:?%{NOTCOLON:cisco.asa.destination_interface}:)?%{IP:destination.ip}/%{NUMBER:destination.port:int}(:? 
%{NOTSPACE:cisco.asa.destination_username})?%{GREEDYDATA}" - pattern_definitions: - NOTCOLON: "[^:]*" - -# -# Process the flow duration "hh:mm:ss" present in some messages -# This will fill event.start, event.end and event.duration -# - - script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); - -# -# Normalize protocol names -# - - lowercase: - field: "network.transport" - ignore_missing: true - - lowercase: - field: "network.protocol" - ignore_missing: true - -# -# Normalize event.outcome -# - - lowercase: - field: "event.outcome" - ignore_missing: true - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"est-allowed\"" - value: allow - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"permitted\"" - value: allow - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"denied\"" - value: deny - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"dropped\"" - value: deny - - - set: - field: "network.transport" - if: "ctx.network?.transport == \"icmpv6\"" - value: "ipv6-icmp" - -# -# Convert integer fields, as output of dissect processor is always a string -# - - convert: - field: "source.port" - type: integer - ignore_failure: true - - convert: - field: "destination.port" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.mapped_source_port" - type: integer - 
ignore_failure: true - - convert: - field: "cisco.asa.mapped_destination_port" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.icmp_code" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.icmp_type" - type: integer - ignore_failure: true - -# -# Geolocation for source and destination addresses -# - - geoip: - field: "source.ip" - target_field: "source.geo" - ignore_missing: true - - geoip: - field: "destination.ip" - target_field: "destination.geo" - ignore_missing: true - -# -# IP Autonomous System (AS) Lookup -# - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -# -# Remove temporary fields -# - - remove: - field: - - message - - _temp_ - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" - - remove: - field: - - _temp_ - ignore_missing: true diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 0366432ca7a6..9a87696d0237 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml +++ b/x-pack/filebeat/module/cisco/asa/manifest.yml 
@@ -19,8 +19,13 @@ var:
 min_elasticsearch_version:
 version: 6.1.0
 value: false
+ # These flags are used internally by the shared pipeline
+ - name: internal_prefix
+ default: asa
+ - name: internal_PREFIX
+ default: ASA
-ingest_pipeline: ingest/pipeline.yml
+ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
 input: config/input.yml
 requires.processors:
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index c404a1420d74..23e4029d414f 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -3,15 +3,19 @@
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "cisco.asa.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.code": 305011,
 "event.dataset": "cisco.asa",
 "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256",
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 0,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
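Review bot: The new `internal_prefix` / `internal_PREFIX` entries are declared as ordinary fileset vars, so despite the "used internally" comment a user can override them from the module config (`var.internal_prefix: ...`), and since the shared pipeline presumably interpolates them into field names and match patterns, an override would silently change the output schema or stop events from parsing, while a value containing quotes or braces could break the rendered pipeline itself. Filebeat has no read-only var, so the least that should happen is a comment that states the contract explicitly, e.g. `# Internal: selects the asa/ftd variant of ../shared/ingest/asa-ftd-pipeline.yml. Not a user setting; do not override in the module config.` The defaults `asa`/`ASA` must also stay in lockstep with the `cisco.asa.*` field definitions and the `%ASA-` syslog tag seen in the expected output, which a short comment on each entry would make clear. The shared pipeline that consumes these values is outside this hunk, so whether it validates them cannot be confirmed here.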
@@ -21,15 +25,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 150, - "log.original": "Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -44,20 +52,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1758, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:49.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 345, - "log.original": "Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "network.bytes": 38110, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.211.242", "source.port": 80, 
@@ -74,20 +87,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1757, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:49.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 535, - "log.original": "Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "network.bytes": 44010, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.211.242", "source.port": 80, 
@@ -104,20 +122,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1755, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:49.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 725, - "log.original": "Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "network.bytes": 7652, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.185.90", "source.port": 80, 
@@ -134,20 +157,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1754, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:49.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 913, - "log.original": "Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "network.bytes": 7062, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.185.90", "source.port": 80, 
@@ -164,20 +192,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1752, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:48.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 1101, - "log.original": "Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "network.bytes": 5738, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.160.197", "source.port": 80, 
@@ -194,20 +227,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1749, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:48.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 1290, - "log.original": "Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "network.bytes": 4176, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.205.14", "source.port": 80, 
@@ -224,20 +262,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1750, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:48.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 1478, - "log.original": "Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "network.bytes": 1715, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.124.33", "source.port": 80, 
@@ -254,20 +297,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1747, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:47.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 1666, - "log.original": "Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "network.bytes": 45595, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.35.9", "source.port": 80, 
@@ -284,20 +332,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1742, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:47.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 1853, - "log.original": "Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "network.bytes": 27359, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.211.242", "source.port": 80, 
@@ -314,20 +367,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1741, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:47.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2043, - "log.original": "Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "network.bytes": 4457, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.218.21", "source.port": 80, 
@@ -344,20 +402,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1739, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:47.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2231, - "log.original": "Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "network.bytes": 26709, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.198.27", "source.port": 80, 
@@ -374,20 +437,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1740, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:47.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2420, - "log.original": "Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "network.bytes": 22097, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.198.27", "source.port": 80, 
@@ -404,20 +472,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1738, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 70000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:46.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2609, - "log.original": "Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "network.bytes": 2209, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.202.211", "source.port": 80, 
@@ -434,20 +507,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1756, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:49.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2798, - "log.original": "Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "network.bytes": 10404, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.124.15", "source.port": 80, 
@@ -464,20 +542,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1737, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 70000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:33:46.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 2987, - "log.original": "Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "network.bytes": 123694, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.124.15", "source.port": 80, 
@@ -494,20 +577,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 1736,
  "event.action": "flow-expiration",
+ "event.code": 302014,
  "event.dataset": "cisco.asa",
  "event.duration": 71000000000,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
  "event.severity": 6,
  "event.start": "2018-10-10T12:33:45.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 3177,
- "log.original": "Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
  "network.bytes": 35835,
+ "network.iana_number": 6,
  "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.209.247",
  "source.port": 80,
@@ -524,20 +612,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 1765,
  "event.action": "flow-expiration",
+ "event.code": 302014,
  "event.dataset": "cisco.asa",
  "event.duration": 30000000000,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:26.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 3367,
- "log.original": "Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
  "network.bytes": 0,
+ "network.iana_number": 6,
  "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.35.162",
  "source.port": 80,
@@ -549,15 +642,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 3552,
- "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
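Review bot: The new `event.code` is emitted as a JSON number (`"event.code": 305011`) while `cisco.asa.message_id` on the same event stays a string (`"305011"`), so the same identifier now carries two different types in one document. ECS declares `event.code` as a keyword, and detection rules or saved searches that pivot on the message code will behave differently depending on which of the two fields and which type they query; presumably the shared pipeline should emit `"event.code": "305011"` so the two fields agree. This file is a generated expected-output fixture, so the change belongs in the shared ingest pipeline and this fixture would then be regenerated.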
@@ -567,15 +664,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 3703,
- "log.original": "Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -590,20 +691,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 3896,
- "log.original": "Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
  "network.bytes": 148,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.80.32",
  "source.port": 53,
@@ -615,15 +721,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4071,
- "log.original": "Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -638,20 +748,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4264,
- "log.original": "Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
  "network.bytes": 164,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.252.6",
  "source.port": 53,
@@ -663,15 +778,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4439,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -681,15 +800,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4589,
- "log.original": "Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -699,15 +822,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4784,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -717,15 +844,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 4934,
- "log.original": "Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -735,15 +866,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 5129,
- "log.original": "Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -753,15 +888,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 5326,
- "log.original": "Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -776,20 +915,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 5519,
- "log.original": "Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
  "network.bytes": 111,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.238.126",
  "source.port": 53,
@@ -806,20 +950,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 5696,
- "log.original": "Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
  "network.bytes": 237,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.93.51",
  "source.port": 53,
@@ -831,15 +980,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 5871,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -849,15 +1002,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6021,
- "log.original": "Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -867,15 +1024,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6218,
- "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -885,15 +1046,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6369,
- "log.original": "Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -903,15 +1068,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6566,
- "log.original": "Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -926,20 +1095,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6759,
- "log.original": "Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
  "network.bytes": 87,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.240.126",
  "source.port": 53,
@@ -956,20 +1130,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 6935,
- "log.original": "Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
  "network.bytes": 221,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.44.45",
  "source.port": 53,
@@ -981,15 +1160,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 7110,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -999,15 +1182,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 7260,
- "log.original": "Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1017,15 +1204,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 7455,
- "log.original": "Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1035,15 +1226,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 7652,
- "log.original": "Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1058,20 +1253,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 7849,
- "log.original": "Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
  "network.bytes": 101,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.157.232",
  "source.port": 53,
@@ -1088,20 +1288,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8026,
- "log.original": "Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
  "network.bytes": 126,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.178.133",
  "source.port": 53,
@@ -1113,15 +1318,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8203,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1131,15 +1340,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8353,
- "log.original": "Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1154,20 +1367,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 1453,
  "event.action": "flow-expiration",
+ "event.code": 302014,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8548,
- "log.original": "Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
  "network.bytes": 862,
+ "network.iana_number": 6,
  "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.133.112",
  "source.port": 80,
@@ -1179,15 +1397,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302015",
  "event.action": "firewall-rule",
+ "event.code": 302015,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8733,
- "log.original": "Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1202,20 +1424,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 8930,
- "log.original": "Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
  "network.bytes": 104,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.157.232",
  "source.port": 53,
@@ -1232,20 +1459,25 @@
  "destination.ip": "172.31.98.44",
  "destination.port": 56132,
  "event.action": "flow-expiration",
+ "event.code": 302016,
  "event.dataset": "cisco.asa",
  "event.duration": 0,
  "event.end": "2018-10-10T12:34:56.000Z",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
  "event.severity": 6,
  "event.start": "2018-10-10T12:34:56.000Z",
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9107,
- "log.original": "Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
  "network.bytes": 176,
+ "network.iana_number": 17,
  "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "source.ip": "100.66.204.197",
  "source.port": 53,
@@ -1257,15 +1489,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9284,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1275,15 +1511,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9434,
- "log.original": "Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1293,15 +1533,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9625,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1311,15 +1555,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "302013",
  "event.action": "firewall-rule",
+ "event.code": 302013,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9775,
- "log.original": "Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1329,15 +1577,19 @@
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "cisco.asa.message_id": "305011",
  "event.action": "firewall-rule",
+ "event.code": 305011,
  "event.dataset": "cisco.asa",
  "event.module": "cisco",
+ "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
  "event.severity": 6,
  "event.timezone": "+00:00",
  "fileset.name": "asa",
+ "host.hostname": "localhost",
  "input.type": "log",
  "log.level": "informational",
  "log.offset": 9966,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
  "service.type": "cisco",
  "tags": [
  "cisco-asa"
@@ -1347,15 +1599,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 10116, - "log.original": "Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1365,15 +1621,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 10307, - "log.original": "Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1388,20 +1648,25 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "event.severity": 6, "event.start": "2018-10-10T12:34:56.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 10500, - "log.original": "Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "network.bytes": 104, + "network.iana_number": 17, "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.100.4", "source.port": 53, @@ -1413,15 +1678,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 10675, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1431,15 +1700,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 10825, - "log.original": "Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1449,15 +1722,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11018, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1467,15 +1744,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11168, - "log.original": "Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1485,15 +1766,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11361, - "log.original": "Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1508,20 +1793,25 @@ "destination.ip": "172.31.98.44", "destination.port": 1457, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T12:34:56.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11554, - "log.original": "Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "network.bytes": 593, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.198.40", "source.port": 80, @@ -1533,15 +1823,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11738, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1551,15 +1845,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 11888, - "log.original": "Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1574,20 +1872,25 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "event.severity": 6, "event.start": "2018-10-10T12:34:56.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12081, - "log.original": "Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "network.bytes": 375, + "network.iana_number": 17, "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.1.107", "source.port": 53, 
@@ -1599,15 +1902,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12256, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1617,15 +1924,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12406, - "log.original": "Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1635,15 +1946,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12599, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1653,15 +1968,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12769, - "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1671,15 +1990,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12920, - "log.original": "Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1689,15 +2012,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13115, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1707,15 +2034,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13285, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1725,15 +2056,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13455, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1743,15 +2078,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13625, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1761,15 +2100,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13795, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1779,15 +2122,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.code": 305012, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13965, - "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1802,20 +2149,25 @@ "destination.ip": "172.31.156.80", "destination.port": 1382, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 325000000000, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T12:29:31.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 14135, - "log.original": "Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "network.bytes": 575, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.115.46", "source.port": 80, 
@@ -1832,20 +2184,25 @@ "destination.ip": "172.31.156.80", "destination.port": 1385, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T12:34:56.000Z", "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 14320, - "log.original": "Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "network.bytes": 5391, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -1857,15 +2214,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 14509, - "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1875,15 +2236,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 14660, - "log.original": "Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -1892,23 +2257,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 14855, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -1919,23 +2289,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15020, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -1946,23 +2321,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15185, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -1973,23 +2353,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15350, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2000,23 +2385,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15515, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2027,23 +2417,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15680, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2054,23 +2449,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15845, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2081,23 +2481,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16010, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2108,23 +2513,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16175, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2135,23 +2545,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16340, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2162,23 +2577,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16505, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2189,23 +2609,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16670, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2216,23 +2641,28 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "inbound", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", "cisco.asa.source_interface": "outside", "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16835, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2244,15 +2674,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17000, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -2262,15 +2696,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17150, - "log.original": "Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -2280,15 +2718,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17343, - "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -2298,15 +2740,19 @@ "@timestamp": "2018-10-10T12:34:56.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17494, - "log.original": "Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 901e68fd3d35..b02bee041e34 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -3,15 +3,19 @@ "@timestamp": "2019-01-01T01:00:27.000Z", "cisco.asa.message_id": "999999", "event.action": "firewall-rule", + "event.code": 999999, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-7-999999: This message is not filtered.", "event.severity": 7, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "beats", "input.type": "log", "log.level": "debug", "log.offset": 0, - "log.original": "This message is not filtered.", + "process.name": "asa", + "process.pid": 1234, "service.type": "cisco", "tags": [ "cisco-asa" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log index 2f3e126bb9ad..d583acdc132e 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log 
@@ -37,22 +37,22 @@ Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
-Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:39 %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
-Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
-Aug 15 2012 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
 Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
 Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
 Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 1bb10b9825f7..fe699dde26e6 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -2,14 +2,16 @@
 {
 "@timestamp": "2013-04-15T09:36:50.000Z",
 "cisco.asa.destination_interface": "outside",
- "cisco.asa.list_id": "acl_dmz",
 "cisco.asa.message_id": "106023",
+ "cisco.asa.rule_name": "acl_dmz",
 "cisco.asa.source_interface": "dmz",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.code": 106023,
 "event.dataset": "cisco.asa",
 "event.module": "cisco",
+ "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "+00:00",
@@ -17,7 +19,7 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 0,
- "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.2.30",
@@ -29,14 +31,16 @@
 {
 "@timestamp": "2013-04-15T09:36:50.000Z",
 "cisco.asa.destination_interface": "outside",
- "cisco.asa.list_id": "acl_dmz",
 "cisco.asa.message_id": "106023",
+ "cisco.asa.rule_name": "acl_dmz",
 "cisco.asa.source_interface": "dmz",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.code": 106023,
 "event.dataset": "cisco.asa",
 "event.module": "cisco",
+ "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "+00:00",
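Review bot: The rewritten last sample line, `Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 ...`, drops the colon after the message ID that the removed line had (`%ASA-6-302016: Teardown`) and that every other rewritten line keeps. If that is deliberate, to exercise lenient handling of the `%ASA-level-id` header, it deserves a companion line with the colon so the strict form of this message stays covered; otherwise restore `%ASA-6-302016: Teardown`. The rewritten lines also have no hostname between the timestamp and ` : `, so the expected output for them presumably carries no `host.hostname` — worth confirming against sample.log-expected.json, where the events without a hostname in the source line indeed lack that field.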
@@ -44,7 +48,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 139, - "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.1.2.30", @@ -56,15 +60,17 @@ { "@timestamp": "2014-04-15T13:34:34.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "cisco.asa.suffix": "session", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -72,7 +78,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 294, - "log.original": "access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.1.2.16", 
@@ -84,22 +90,25 @@ { "@timestamp": "2013-04-24T16:00:28.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "inside", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "inside", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.2.10", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "event.outcome": "deny", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "INT-FW01", "input.type": "log", "log.level": "informational", "log.offset": 465, - "log.original": "access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "172.29.2.101", 
@@ -111,22 +120,25 @@ { "@timestamp": "2013-04-24T16:00:27.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "inside", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "inside", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.2.57", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "event.outcome": "allow", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "INT-FW01", "input.type": "log", "log.level": "informational", "log.offset": 632, - "log.original": "access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "172.29.2.3", @@ -139,15 +151,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 812, - "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -157,15 +170,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 938, - "log.original": "Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -175,15 +189,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 1110, - "log.original": "Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -193,15 +208,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 1237, - "log.original": "Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -211,15 +227,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 1405, - "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -229,15 +246,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 1531, - "log.original": "Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -252,10 +270,12 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 5025000000000, "event.end": "2013-04-29T12:59:50.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "event.severity": 6, "event.start": "2013-04-29T11:36:05.000Z", "event.timezone": "+00:00", @@ -263,8 +283,8 @@ "input.type": "log", "log.level": "informational", "log.offset": 1696, - "log.original": "Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "network.bytes": 140, + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.222", 
@@ -284,10 +304,12 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 36000000000000, "event.end": "2013-04-29T12:59:50.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "event.severity": 6, "event.start": "2013-04-29T02:59:50.000Z", "event.timezone": "+00:00", @@ -295,8 +317,8 @@ "input.type": "log", "log.level": "informational", "log.offset": 1848, - "log.original": "Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "network.bytes": 9999999, + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.222", @@ -311,15 +333,18 @@ "destination.ip": "192.168.132.46", "destination.port": 17233, "event.action": "flow-expiration", + "event.code": 302021, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "FJSG2NRFW01", "input.type": "log", "log.level": "informational", "log.offset": 2012, - "log.original": "Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", "source.ip": "172.24.177.29", 
@@ -332,15 +357,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.code": 305011, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 2167, - "log.original": "Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "service.type": "cisco", "tags": [ "cisco-asa" @@ -350,15 +376,16 @@ "@timestamp": "2013-04-29T12:59:50.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 2293, - "log.original": "Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -370,8 +397,10 @@ "destination.ip": "10.1.2.60", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106007, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", 
@@ -379,8 +408,8 @@ "input.type": "log", "log.level": "critical", "log.offset": 2458, - "log.original": "Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "network.direction": "inbound", + "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", @@ -393,14 +422,16 @@ { "@timestamp": "2013-04-30T09:22:38.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -408,7 +439,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2567, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -420,14 +451,16 @@ { "@timestamp": "2013-04-30T09:22:38.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -435,7 +468,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2726, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -447,14 +480,16 @@ { "@timestamp": "2013-04-30T09:22:39.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -462,7 +497,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2887, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", 
@@ -474,14 +509,16 @@ { "@timestamp": "2013-04-30T09:22:39.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -489,7 +526,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3048, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -501,14 +538,16 @@ { "@timestamp": "2013-04-30T09:22:39.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -516,7 +555,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3209, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -528,14 +567,16 @@ { "@timestamp": "2013-04-30T09:22:40.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -543,7 +584,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3370, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", 
@@ -555,14 +596,16 @@ { "@timestamp": "2013-04-30T09:22:41.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -570,7 +613,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3531, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -582,14 +625,16 @@ { "@timestamp": "2013-04-30T09:22:47.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -597,7 +642,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3692, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -609,14 +654,16 @@ { "@timestamp": "2013-04-30T09:22:48.000Z", "cisco.asa.destination_interface": "dmz", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.168.33.31", "destination.port": 25, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -624,7 +671,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3851, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.13", @@ -636,14 +683,16 @@ { "@timestamp": "2013-04-30T09:22:56.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -651,7 +700,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4008, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -667,8 +716,10 @@ "destination.ip": "10.1.2.42", "destination.port": 137, "event.action": "firewall-rule", + "event.code": 106006, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", @@ -676,8 +727,8 @@ "input.type": "log", "log.level": "critical", "log.offset": 4167, - "log.original": "Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "network.direction": "inbound", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.66", @@ -692,8 +743,10 @@ "destination.ip": "10.1.5.60", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106007, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", @@ -701,8 +754,8 @@ "input.type": "log", "log.level": "critical", "log.offset": 4278, - "log.original": "Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "network.direction": "inbound", + "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", 
@@ -715,14 +768,16 @@ { "@timestamp": "2013-04-30T09:23:06.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -730,7 +785,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4387, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -742,14 +797,16 @@ { "@timestamp": "2013-04-30T09:23:08.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -757,7 +814,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4546, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -769,14 +826,16 @@ { "@timestamp": "2013-04-30T09:23:15.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -784,7 +843,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4707, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -796,14 +855,16 @@ { "@timestamp": "2013-04-30T09:23:24.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "+00:00", 
@@ -811,7 +872,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4866, - "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -823,14 +884,16 @@ { "@timestamp": "2013-04-30T09:23:34.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "+00:00", @@ -838,7 +901,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5022, - "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -850,14 +913,16 @@ { "@timestamp": "2013-04-30T09:23:40.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "acl_out", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "acl_out", "cisco.asa.source_interface": "outside", "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", 
@@ -865,7 +930,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5178, - "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "192.0.2.126", @@ -877,14 +942,16 @@ { "@timestamp": "2013-04-30T09:23:41.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "acl_out", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "acl_out", "cisco.asa.source_interface": "outside", "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", @@ -892,7 +959,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5325, - "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "192.0.2.126", @@ -904,14 +971,16 @@ { "@timestamp": "2013-04-30T09:23:43.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", 
@@ -919,7 +988,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5472, - "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -931,14 +1000,16 @@ { "@timestamp": "2013-04-30T09:23:43.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -946,7 +1017,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5635, - "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", 
@@ -958,15 +1029,17 @@ { "@timestamp": "2018-04-15T13:34:34.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "acl_in", "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "acl_in", "cisco.asa.source_interface": "inside", "cisco.asa.suffix": "session", "destination.ip": "192.0.0.99", "destination.port": 2000, "event.action": "firewall-rule", + "event.code": 106100, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", @@ -974,7 +1047,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5796, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -987,15 +1060,17 @@ "@timestamp": "2018-12-11T08:01:24.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 5967, - "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1005,15 +1080,17 @@ "@timestamp": "2018-12-11T08:01:24.000Z", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.code": 302015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 6141, - "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", + "log.offset": 6142, + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" @@ -1022,23 +1099,26 @@ { "@timestamp": "2018-12-11T08:01:24.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "dmz", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "dmz", "cisco.asa.source_interface": "dmz", "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 6320, - "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "log.offset": 6322, + "network.iana_number": 17, "network.transport": "udp", + "process.name": "", "service.type": "cisco", "source.ip": "192.168.1.33", "source.port": 5555, 
@@ -1049,23 +1129,26 @@ { "@timestamp": "2018-12-11T08:01:24.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "dmz", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "dmz", "cisco.asa.source_interface": "dmz", "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 6469, - "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "log.offset": 6472, + "network.iana_number": 17, "network.transport": "udp", + "process.name": "", "service.type": "cisco", "source.ip": "192.168.1.33", "source.port": 5555, @@ -1077,15 +1160,17 @@ "@timestamp": "2018-12-11T08:01:31.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 6618, - "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "log.offset": 6622, + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1095,15 +1180,17 @@ "@timestamp": "2018-12-11T08:01:31.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 6787, - "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "log.offset": 6792, + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" @@ -1118,20 +1205,23 @@ "destination.ip": "192.168.1.34", "destination.port": 5678, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-12-11T08:01:31.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T08:01:31.000Z", "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 6956, - "log.original": "Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "log.offset": 6962, "network.bytes": 14804, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, 
@@ -1148,20 +1238,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T08:00:30.000Z", "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 7120, - "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "log.offset": 7127, "network.bytes": 134781, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, @@ -1178,20 +1271,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T08:00:30.000Z", "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 7285, - "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "log.offset": 7293, "network.bytes": 134781, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, 
@@ -1206,17 +1302,20 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.code": 106015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 7450, - "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "log.offset": 7459, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, @@ -1231,17 +1330,20 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.code": 106015, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 7591, - "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "log.offset": 7601, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, 
@@ -1252,23 +1354,26 @@ { "@timestamp": "2018-12-11T08:01:39.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "dmz", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "dmz", "cisco.asa.source_interface": "dmz", "destination.ip": "192.0.0.12", "destination.port": 5000, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 7732, - "log.original": "Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "log.offset": 7743, + "network.iana_number": 17, "network.transport": "udp", + "process.name": "", "service.type": "cisco", "source.ip": "192.168.1.34", "source.port": 5679, @@ -1280,15 +1385,17 @@ "@timestamp": "2018-12-11T08:01:53.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 7882, - "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "log.offset": 7894, + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -1298,15 +1405,17 @@ "@timestamp": "2018-12-11T08:01:53.000Z", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.code": 302013, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 8055, - "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "log.offset": 8068, + "process.name": "", "service.type": "cisco", "tags": [ "cisco-asa" @@ -1321,20 +1430,23 @@ "destination.ip": "10.10.10.10", "destination.port": 1235, "event.action": "flow-expiration", + "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 86399000000000, "event.end": "2018-12-11T08:01:53.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "event.severity": 6, "event.start": "2018-12-10T08:01:54.000Z", "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 8228, - "log.original": "Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "log.offset": 8242, "network.bytes": 11420, + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "", "service.type": "cisco", "source.ip": "192.0.2.222", "source.port": 1234, 
@@ -1351,19 +1463,21 @@ "destination.ip": "10.44.2.2", "destination.port": 500, "event.action": "flow-expiration", + "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 122000000000, "event.end": "2012-08-15T23:30:09.000Z", "event.module": "cisco", + "event.original": "%ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "event.severity": 6, "event.start": "2012-08-15T23:28:07.000Z", "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "informational", - "log.offset": 8392, - "log.original": "Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "log.offset": 8407, "network.bytes": 1416, + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "10.44.4.4", @@ -1378,16 +1492,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8533, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "log.offset": 8549, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ 
@@ -1400,16 +1516,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8654, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "log.offset": 8670, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ @@ -1422,16 +1540,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8775, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "log.offset": 8791, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ 
@@ -1444,16 +1564,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8896, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "log.offset": 8912, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ @@ -1466,16 +1588,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9017, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "log.offset": 9033, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ 
@@ -1488,16 +1612,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9138, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "log.offset": 9154, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ @@ -1510,16 +1636,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9259, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "log.offset": 9275, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ 
@@ -1532,16 +1660,18 @@ "cisco.asa.source_interface": "Mobile_Traffic", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", + "event.code": 106016, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9381, - "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "log.offset": 9397, "service.type": "cisco", "source.ip": "0.0.0.0", "tags": [ @@ -1551,22 +1681,25 @@ { "@timestamp": "2014-09-12T06:53:01.000Z", "cisco.asa.destination_interface": "inside", - "cisco.asa.list_id": "PERMIT_IN", "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "PERMIT_IN", "cisco.asa.source_interface": "outside", "destination.ip": "10.32.112.125", "destination.port": 25, "event.action": "firewall-rule", + "event.code": 106023, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "warning", - "log.offset": 9503, - "log.original": "Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "log.offset": 9519, + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "192.0.2.95", 
@@ -1582,16 +1715,19 @@ "cisco.asa.message_id": "313001", "cisco.asa.source_interface": "Outside", "event.action": "firewall-rule", + "event.code": 313001, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "event.outcome": "deny", "event.severity": 3, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "error", - "log.offset": 9657, - "log.original": "Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "log.offset": 9673, + "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", "source.ip": "10.2.3.5", @@ -1606,16 +1742,18 @@ "cisco.asa.source_interface": "inside", "destination.ip": "172.16.1.10", "event.action": "firewall-rule", + "event.code": 313004, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 9767, - "log.original": "Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "log.offset": 9783, + "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", "source.ip": "172.16.30.2", 
@@ -1626,31 +1764,35 @@ { "@timestamp": "2015-01-14T13:16:14.000Z", "cisco.asa.destination_interface": "outside", - "cisco.asa.list_id": "dynamic", "cisco.asa.mapped_destination_ip": "192.88.99.129", "cisco.asa.mapped_destination_port": 80, "cisco.asa.mapped_source_ip": "192.88.99.1", "cisco.asa.mapped_source_port": 7890, "cisco.asa.message_id": "338002", + "cisco.asa.rule_name": "dynamic", "cisco.asa.source_interface": "inside", "destination.domain": "bad.example.com", "destination.ip": "192.88.99.129", "destination.port": 80, "event.action": "firewall-rule", + "event.code": 338002, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "event.outcome": "allow", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 9903, - "log.original": "Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "log.offset": 9919, + "network.iana_number": 6, "network.transport": "tcp", "server.domain": "bad.example.com", "service.type": "cisco", "source.ip": "10.1.1.45", + "source.nat.ip": "192.88.99.1", + "source.nat.port": "7890", "source.port": 6798, "tags": [ "cisco-asa" 
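Review bot: `source.nat.port` is emitted as the string `"7890"` while `source.port` and `cisco.asa.mapped_source_port` on the same event are numbers; ECS types source.nat.port as long, so the shared pipeline (outside this diff) presumably copies the raw capture without a convert step and this fixture is locking in the wrong type. Converting it in the pipeline, or setting it from the already-numeric mapped_source_port, and regenerating the fixtures would fix it; the same string value appears in the 338004 and 338008 events in the next two hunks. Note also that `cisco.asa.mapped_destination_ip`/`mapped_destination_port` are present here but no `destination.nat.ip`/`destination.nat.port` are set, although the new ftd fields.yml documents those ECS fields as the intended home for the translated destination.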
@@ -1659,31 +1801,35 @@ { "@timestamp": "2015-01-14T13:16:14.000Z", "cisco.asa.destination_interface": "outsidet", - "cisco.asa.list_id": "dynamic", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, "cisco.asa.mapped_source_ip": "10.2.1.1", "cisco.asa.mapped_source_port": 33340, "cisco.asa.message_id": "338004", + "cisco.asa.rule_name": "dynamic", "cisco.asa.source_interface": "inside", "cisco.asa.threat_category": "Malware", "cisco.asa.threat_level": "very-high", "destination.ip": "192.0.2.223", "destination.port": 80, "event.action": "firewall-rule", + "event.code": 338004, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "event.outcome": "monitored", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 10154, - "log.original": "Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "log.offset": 10170, + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.1.1.1", + "source.nat.ip": "10.2.1.1", + "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa" 
@@ -1692,31 +1838,35 @@ { "@timestamp": "2015-01-14T13:16:14.000Z", "cisco.asa.destination_interface": "outsidet", - "cisco.asa.list_id": "dynamic", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, "cisco.asa.mapped_source_ip": "10.2.1.1", "cisco.asa.mapped_source_port": 33340, "cisco.asa.message_id": "338008", + "cisco.asa.rule_name": "dynamic", "cisco.asa.source_interface": "inside", "cisco.asa.threat_category": "Malware", "cisco.asa.threat_level": "very-high", "destination.ip": "192.0.2.223", "destination.port": 80, "event.action": "firewall-rule", + "event.code": 338008, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "event.outcome": "deny", "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "warning", - "log.offset": 10453, - "log.original": "Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "log.offset": 10469, + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.1.1.1", + "source.nat.ip": "10.2.1.1", + "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa" 
@@ -1727,16 +1877,17 @@ "cisco.asa.message_id": "304001", "destination.ip": "192.0.2.1", "event.action": "firewall-rule", + "event.code": 304001, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "notification", - "log.offset": 10750, - "log.original": "10.30.30.30 Accessed URL 192.0.2.1:/app", + "log.offset": 10766, "service.type": "cisco", "source.ip": "10.30.30.30", "tags": [ @@ -1749,16 +1900,17 @@ "cisco.asa.message_id": "304001", "destination.ip": "192.0.2.32", "event.action": "firewall-rule", + "event.code": 304001, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", "event.outcome": "allow", "event.severity": 5, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "notification", - "log.offset": 10827, - "log.original": "10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "log.offset": 10843, "service.type": "cisco", "source.ip": "10.5.111.32", "tags": [ @@ -1772,16 +1924,17 @@ "cisco.asa.source_interface": "inside", "destination.ip": "192.0.0.19", "event.action": "firewall-rule", + "event.code": 304002, "event.dataset": "cisco.asa", "event.module": "cisco", + "event.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", "event.outcome": "deny", "event.severity": 5, "event.timezone": "+00:00", "fileset.name": "asa", "input.type": "log", "log.level": "notification", - "log.offset": 10919, - "log.original": "Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "log.offset": 10935, "service.type": "cisco", "source.ip": "10.69.6.39", "tags": [ 
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index 56718bde0dc7..1b9d5d6f5e56 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded gzipped contents of module/cisco.
 func AssetCisco() string {
- return "eJy8l81u6zYQhfd5itkUaAHF3XtRIHAbwEBzE8DtoitjLjm02FAclRzZ129fkJJtWXUVGVGrRQAz0jkfR5wfPcI7HZegbFT8ACBWHC1h1f3UFFWwtVj2S/jpAQDghXXjCAwHKNFrZ/2uvR08yYHDO2jaW0XgeBcXDwDGktNxmR9+BI8VXezSJcealrAL3NTdyg3XdD1nITCBq87xZJGuvk3fCiOe126ZjRj2TTl0nk+bJ3i2gQ7o3KJ369D/QlBRjLijrdVXyi3KOx0PHK7/M4ID8FtJPZJOG6wmL9ZYChemGyixMcZ+m4hB37Cq02mIFKNlP53xNa+j6/wAjVCA7xLwVFBugqKt9ULBoKI5IrfJmnDWzC9VSgLj+AAcgPbkZRRLUxTrMenPy/bzRfhTgM5GmemgfcGKgE0GeFKKYoQVewns4FcbBaREgQpFlaRBShsn4HWvtYkU0sLcmEm35bIxL7R+XRwnEfbf8P+G2TO9h7XCuia9PeVKfYNzsPhhZZGAPjoU0qfYrd8AtQ4U4x0sNQe5QePY7z7Lk6SnkFyl6syh6b+v++LTp/ovgtQn+zBSUgZC2Trak5unNSU9yHr5HFfoDhgIfoSvLJ4kkRpj1QJefc6GPYXjo+NDAenPQK5iTQGFCijtrkz1L9+efkzZlkKhHYfjHDtbdVrnivzvO3tOdfrUOfc2NLHo7hnuTwL/ib4AEjW6H8Xek2oP8iyV/Xdv/2r6M0PeFuY2M0piVVVvk+kNilgOj/Mow3r18paf/NhQsZ7LMEkt/jEiWo6zjojr183VaAqj4yHm3rpNnXvuRpNqU9u5k/popA0q66xMzZbzCd/8srqvWJ2MQBgOpVVlm0/dHBvIUIjwvblkUQGbLy9vBWz+2BSAPjWCgazhIOUPC3i6iCv08JUAocSgc6a2XyUFINSBhRW7AvKpr9oPGjbD9EzzwzEKVRDZSBJZwFpAk2ehq/miKwoKm3iOffvosKS121w8/B0AAP//Krahjg=="
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
new file mode 100644
index 000000000000..8571cd8dbfb0
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -0,0 +1,92 @@
+- name: ftd
+ type: group
+ description: >
+ Fields for Cisco Firepower Threat Defense Firewall.
+ fields:
+ - name: message_id
+ type: keyword
+ description: >
+ The Cisco FTD message identifier.
+
+ - name: suffix
+ type: keyword
+ example: session
+ description: >
+ Optional suffix after %FTD identifier.
+
+ - name: source_interface
+ type: keyword
+ description: >
+ Source interface for the flow or event.
+
+ - name: destination_interface
+ type: keyword
+ description: >
+ Destination interface for the flow or event.
+
+ - name: rule_name
+ type: keyword
+ description: >
+ Name of the Access Control List rule that matched this event.
+
+ - name: source_username
+ type: keyword
+ description: >
+ Name of the user that is the source for this event.
+
+ - name: destination_username
+ type: keyword
+ description: >
+ Name of the user that is the destination for this event.
+
+ - name: mapped_source_ip
+ type: ip
+ description: >
+ The translated source IP address. Use ECS source.nat.ip.
+
+ - name: mapped_source_port
+ type: long
+ description: >
+ The translated source port. Use ECS source.nat.port.
+
+ - name: mapped_destination_ip
+ type: ip
+ description: >
+ The translated destination IP address. Use ECS destination.nat.ip.
+
+ - name: mapped_destination_port
+ type: long
+ description: >
+ The translated destination port. Use ECS destination.nat.port.
+
+ - name: threat_level
+ type: keyword
+ description: >
+ Threat level for malware / botnet traffic. One of very-low, low,
+ moderate, high or very-high.
+
+ - name: threat_category
+ type: keyword
+ description: >
+ Category for the malware / botnet traffic. For example: virus, botnet,
+ trojan, etc.
+
+ - name: connection_id
+ type: keyword
+ description: >
+ Unique identifier for a flow.
+
+ - name: icmp_type
+ type: short
+ description: >
+ ICMP type.
+
+ - name: icmp_code
+ type: short
+ description: >
+ ICMP code.
+
+ - name: security
+ type: object
+ description:
+ Raw fields for Security Events.
diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml
new file mode 100644
index 000000000000..9d23b77f2e41
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml
@@ -0,0 +1,20 @@
+{{ if eq .input "syslog" }}
+
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+ - add_locale: ~
diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml
new file mode 100644
index 000000000000..dfcd093ac86e
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml
@@ -0,0 +1,32 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ default: [cisco-ftd]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9003
+ - name: input
+ default: syslog
+ - name: log_level
+ default: 7
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+ # These flags are used internally by the shared pipeline
+ - name: internal_prefix
+ default: ftd
+ - name: internal_PREFIX
+ default: FTD
+ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log b/x-pack/filebeat/module/cisco/ftd/test/asa.log
new file mode 100644
index 000000000000..9f0a0b8b5984
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log
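Review bot: `security` is declared as a bare `type: object` with no subfields and no `dynamic`/`object_type` setting, so every key the pipeline places under `cisco.ftd.security` is mapped dynamically from whatever the sending device emits, and an unexpected key set can grow the index mapping over time. Either list the known Security Event keys as keyword subfields, or add `object_type: keyword` together with an explicit `dynamic:` policy so unknown keys are handled deliberately rather than by default. Minor style point: this entry's `description:` omits the `>` folded-scalar indicator that every other entry in the file uses.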
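Review bot: `internal_prefix` and `internal_PREFIX` are declared under `var:` next to the user-facing settings, so they can be overridden from the module configuration like any other var even though the comment says they are only for the shared pipeline; a stray override would likely rename every `cisco.ftd.*` field the pipeline produces without any error. If the module loader offers no way to mark a var as non-overridable, a comment such as `# do not override: the shared pipeline derives field names from these` and a sentence in the fileset docs would at least make the constraint visible to operators.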
@@ -0,0 +1,268 @@ +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for 
outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237 +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 
11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: 
Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: 
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" 
[0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 
0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0] 
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
new file mode 100644
index 000000000000..15d0180a4f74
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -0,0 +1,2761 @@ +[ + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 150, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11749", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1758, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "event.severity": 6, + 
"event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 345, + "network.bytes": 38110, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11748", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1757, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 535, + "network.bytes": 44010, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11745", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1755, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": 
"2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 725, + "network.bytes": 7652, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.185.90", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11744", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1754, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 913, + "network.bytes": 7062, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.185.90", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11742", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + 
"cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1752, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1101, + "network.bytes": 5738, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.160.197", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11738", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1749, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1290, + "network.bytes": 4176, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": 
"100.66.205.14", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11739", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1750, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1478, + "network.bytes": 1715, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.33", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11731", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1747, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": 
"log", + "log.level": "informational", + "log.offset": 1666, + "network.bytes": 45595, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.35.9", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11723", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1742, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1853, + "network.bytes": 27359, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11715", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1741, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 
to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2043, + "network.bytes": 4457, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.218.21", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11711", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1739, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2231, + "network.bytes": 26709, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.27", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11712", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1740, + "event.action": "flow-expiration", + 
"event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2420, + "network.bytes": 22097, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.27", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11708", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1738, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 70000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:46.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2609, + "network.bytes": 2209, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.202.211", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"cisco.ftd.connection_id": "11746", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1756, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2798, + "network.bytes": 10404, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.15", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11706", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1737, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 70000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:46.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2987, + "network.bytes": 123694, + "network.iana_number": 6, + 
"network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.15", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11702", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1736, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 71000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "event.severity": 6, + "event.start": "2018-10-10T12:33:45.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3177, + "network.bytes": 35835, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.209.247", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11753", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1765, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "event.severity": 6, + "event.start": 
"2018-10-10T12:34:26.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3367, + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.35.162", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3552, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3703, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11758", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + 
"destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3896, + "network.bytes": 148, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.80.32", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4071, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11759", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + 
"event.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4264, + "network.bytes": 164, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.252.6", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4439, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4589, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4784, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4934, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5129, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5326, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11762", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5519, + "network.bytes": 111, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.238.126", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11763", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, 
+ "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5696, + "network.bytes": 237, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.93.51", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5871, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + 
"log.offset": 6021, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6218, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6369, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 
6566, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11772", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6759, + "network.bytes": 87, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.240.126", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11773", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + 
"input.type": "log", + "log.level": "informational", + "log.offset": 6935, + "network.bytes": 221, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.44.45", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7110, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7260, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 
(172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7455, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7652, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11775", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7849, + "network.bytes": 101, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + 
"service.type": "cisco", + "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11776", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8026, + "network.bytes": 126, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.178.133", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8203, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8353, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11777", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1453, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8548, + "network.bytes": 862, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.133.112", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 
(172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8733, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11778", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8930, + "network.bytes": 104, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11779", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to 
inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9107, + "network.bytes": 176, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.204.197", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9284, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9434, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9625, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9775, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9966, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + 
"event.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10116, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10307, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11783", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10500, + 
"network.bytes": 104, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.100.4", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10675, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10825, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + 
"input.type": "log", + "log.level": "informational", + "log.offset": 11018, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11168, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11361, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11784", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1457, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", 
+ "event.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11554, + "network.bytes": 593, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.40", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11738, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11888, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"cisco.ftd.connection_id": "11786", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12081, + "network.bytes": 375, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.1.107", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12256, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) 
to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12406, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12599, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12769, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 
(172.31.156.80/1385)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12920, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13115, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13285, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "event.severity": 6, 
+ "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13455, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13625, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13795, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.code": 305012, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", + "event.severity": 6, + "event.timezone": "+00:00", + 
"fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13965, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11564", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1382, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 325000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "event.severity": 6, + "event.start": "2018-10-10T12:29:31.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14135, + "network.bytes": 575, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.115.46", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1385, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + 
"event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14320, + "network.bytes": 5391, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14509, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14660, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", 
+ "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 14855, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15020, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 
8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15185, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15350, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 
106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15515, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15680, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": 
"cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15845, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16010, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src 
outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16175, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16340, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by 
access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16505, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16670, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "inbound", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "event.outcome": 
"deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16835, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 17000, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 17150, + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from 
inside:172.31.98.44/56132 to outside:100.66.98.44/1190",
+ "event.severity": 6,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "localhost",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 17343,
+ "process.name": "CiscoASA",
+ "process.pid": 999,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ },
+ {
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "cisco.ftd.message_id": "302015",
+ "event.action": "firewall-rule",
+ "event.code": 302015,
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "event.severity": 6,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "localhost",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 17494,
+ "process.name": "CiscoASA",
+ "process.pid": 999,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log b/x-pack/filebeat/module/cisco/ftd/test/dns.log
new file mode 100644
index 000000000000..ce15fb2bdfab
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log
@@ -0,0 +1,21 @@
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59
+2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
new file mode 100644
index 000000000000..c42504560aac
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
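Review bot: Every one of the 21 fixture lines carries `AccessControlRuleAction: Allow`, so the mapping for a blocked DNS connection (the `Block` action and the `event.outcome` value it should yield) is never exercised by this sample, and that is the branch detection content keys on most. One extra line that differs only in `AccessControlRuleAction: Block` would cover it. Every line also uses the sentinel `User: No Authentication Required`, which the expected output in this commit copies into `user.id` and `user.name`; a line with a real `User:` value would let the test tell an actual identity apart from that placeholder, which matters for any rule that pivots on `user.name`. The lines repeated near the end (ports 55105, 47260, 53033, 57141, 58082) appear to deliberately re-run the same queries without `DNSResponseType`, which is useful coverage, but nothing records that intent, so they read as accidental duplicates.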
@@ -0,0 +1,1654 @@ +[ + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_ttl": "70", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "145", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "57379", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 145, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "A", + "dns.response_code": 
"NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 0, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 57379, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": 
"DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "IP6 Address", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "193", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "51389", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 193, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "AAAA", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: 
outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 658, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 51389, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "the canonical name for an alias", + "cisco.ftd.security.dns_ttl": "899", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": 
"inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "166", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "53033", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "CNAME", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "event.outcome": "allow", + 
"event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 1371, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 53033, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "www.elastic.co", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_ttl": "12", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "97", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "200", + 
"cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "55371", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 200, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "www.elastic.co", + "dns.question.type": "A", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2047, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + 
"service.type": "cisco", + "source.bytes": 97, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 55371, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "IP6 Address", + "cisco.ftd.security.dns_response_type": "No error", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "193", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "60441", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 193, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "AAAA", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2766, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 60441, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], 
+ "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "the canonical name for an alias", + "cisco.ftd.security.dns_ttl": "658", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "166", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "59714", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "CNAME", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + 
"event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 3449, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 59714, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "mail exchange", + 
"cisco.ftd.security.dns_response_type": "Non-Existent Domain", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "199", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "55105", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 199, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "MX", + "dns.response_code": "NXDOMAIN", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: 
Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 4125, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 55105, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "an authoritative name server", + "cisco.ftd.security.dns_ttl": "21599", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + 
"cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "221", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "57141", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 221, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "NS", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + 
"event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 4878, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 57141, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "marks the start of a zone of authority", + "cisco.ftd.security.dns_response_type": "Server Failure", + "cisco.ftd.security.dns_ttl": "899", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "166", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + 
"cisco.ftd.security.src_port": "47260", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "SOA", + "dns.response_code": "SERVFAIL", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 5553, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, 
+ "source.port": 47260, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "text strings", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "722", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "58082", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 722, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "TXT", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 6269, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 58082, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + 
"cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "refusedthis.com", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_response_type": "Query Refused", + "cisco.ftd.security.dst_ip": "205.251.196.144", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "98", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "75", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "33973", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 75, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6103, + "destination.geo.location.lon": -122.3341, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "205.251.196.144", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "refusedthis.com", + "dns.question.type": "A", + "dns.response_code": "REFUSED", + "event.action": 
"connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 6983, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 98, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 33973, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + 
"cisco.ftd.security.dns_response_type": "Server Failure", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "457", + "cisco.ftd.security.initiator_packets": "6", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.responder_bytes": "313", + "cisco.ftd.security.responder_packets": "4", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "39541", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 313, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 4, + "destination.port": 53, + "dns.response_code": "SERVFAIL", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 
4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 7672, + "network.application": "dns client", + "network.iana_number": 6, + "network.protocol": "dns", + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 457, + "source.ip": "10.0.1.20", + "source.packets": 6, + "source.port": 39541, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "laskdfjlaksdf.elastic.co", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_response_type": "Non-Existent Domain", + "cisco.ftd.security.dns_ttl": "900", + "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "107", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default 
Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "180", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41672", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 19281, + "destination.as.organization.name": "Quad9", + "destination.bytes": 180, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387000000000002, + "destination.ip": "9.9.9.9", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "laskdfjlaksdf.elastic.co", + "dns.question.type": "A", + "dns.response_code": "NXDOMAIN", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 8298, + 
"network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 107, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 41672, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "ns-1168.awsdns-18.org", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_ttl": "31694", + "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "104", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "108", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "59577", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 19281, + "destination.as.organization.name": "Quad9", + "destination.bytes": 108, + 
"destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387000000000002, + "destination.ip": "9.9.9.9", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "ns-1168.awsdns-18.org", + "dns.question.type": "A", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 9010, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 104, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 59577, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + 
"cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "_http._tcp.security.ubuntu.com", + "cisco.ftd.security.dns_record_type": "Server Selection", + "cisco.ftd.security.dns_response_type": "Non-Existent Domain", + "cisco.ftd.security.dns_ttl": "946", + "cisco.ftd.security.dst_ip": "9.9.9.9", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "101", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "162", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "35998", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 19281, + "destination.as.organization.name": "Quad9", + "destination.bytes": 162, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387000000000002, + "destination.ip": "9.9.9.9", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "_http._tcp.security.ubuntu.com", + "dns.question.type": "SRV", + "dns.response_code": "NXDOMAIN", + "event.action": "connection-finished", 
+ "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 9683, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 101, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 35998, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + 
"cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "mail exchange", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "199", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "55105", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 199, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "MX", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: 
inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 10403, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 55105, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "marks the start of a zone of authority", + "cisco.ftd.security.dns_ttl": "899", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + 
"cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "166", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "47260", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "SOA", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 
899", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 11118, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 47260, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "the canonical name for an alias", + "cisco.ftd.security.dns_ttl": "899", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "166", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": 
"10.0.1.20", + "cisco.ftd.security.src_port": "53033", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "CNAME", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 11801, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 
53033, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "an authoritative name server", + "cisco.ftd.security.dns_ttl": "21599", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "221", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "57141", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 221, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 
1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "NS", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 12477, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 57141, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + 
"cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_record_type": "a domain name pointer", + "cisco.ftd.security.dns_ttl": "59", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "131", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "46093", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.type": "PTR", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, 
AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 13152, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 46093, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-26T23:11:03.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "Intrusion Monitor", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "elastic.co", + "cisco.ftd.security.dns_record_type": "text strings", + "cisco.ftd.security.dns_ttl": "299", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": 
"input-zone", + "cisco.ftd.security.initiator_bytes": "93", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.ips_count": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "722", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "58082", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 722, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "dns.question.name": "elastic.co", + "dns.question.type": "TXT", + "dns.response_code": "NOERROR", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-26T23:11:03.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299", + 
"event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-26T23:11:03.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 13795, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 93, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 58082, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log b/x-pack/filebeat/module/cisco/ftd/test/filtered.log new file mode 100644 index 000000000000..aa78fd10d1b0 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log @@ -0,0 +1,2 @@ +Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered. +Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level. diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json new file mode 100644 index 000000000000..73bd76b3559a --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -0,0 +1,24 @@ +[ + { + "@timestamp": "2019-01-01T01:00:27.000Z", + "cisco.ftd.message_id": "999999", + "event.action": "firewall-rule", + "event.code": 999999, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-7-999999: This message is not filtered.", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "beats", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "process.name": "asa", + "process.pid": 1234, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log new file mode 100644 index 0000000000000000000000000000000000000000..707bd4f4e54e9e032f2847086dd16122e3072ec1 GIT binary patch literal 5064 zcmd5=+fv&w5bZNxu^*5GUt$_GltL5AFaw>mF70DR*s@V8OCDRM;C8`t+>QGWbHJWQBeF-X8R?sZ7}q7AYBV!3~9P zT7qSO_EG!Y?PC2*>Y^&~=na+N(Rf&}q_oeb>x1CwwJt}h(xWWR-lPLe`|K_NvJJFH z91k+}M~zBW+_0jP3%f4u3suDs;*WU5ke9lxpeh6;TxeEc*F!n!{&Hovtv3Lg<+iY% z(?*wi6a)Eo z`t>(ptFR)W<{;RKY>x!Z&YeXxQ*Od4%V;sSCno5wyC`@3G>d4TxK7hj4W|BY}f*{-&{`rKv+ffdn=EyOMDlOquTj@uUN&xsGvDp>`vYjd$PX>6;W}mO5K8= zwEPPuWZYyXi6)f*UH>~$SuU8_W(c64Y{x7YY7D1BT~YC9-#KOI`HgRXj;P=riQ2Qp zUJFsvIXb@>;^H^iD^awcp(+R(P57DTn+JZhp;{RYqlUrWicVTd)O0)z%(To<^E*=>X6cMjLwBG{G~VfSB`^IA@t zSBvOY-DJGzF2>Z)@4YUA`+Z@N8$7Rt`|ieRj&oG++7B*&;bD(;y!m^u4Mc93tmo>? h;iK7x2Nr|L817#}nV9UTz$CpAEXKD7yflwH{{hFbO6C9n literal 0 HcmV?d00001 diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json new file mode 100644 index 000000000000..2cca4a8d380b --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json 
@@ -0,0 +1,615 @@ +[ + { + "@timestamp": "2019-08-14T13:56:30.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:19.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 194, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:26.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ChangeReconciliation.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 386, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:34.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", + 
"event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 568, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:43.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 774, + "process.name": "lights_out_mgmt.cgi", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:02.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 943, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:02.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1072, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:20.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page 
View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1191, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:41.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1316, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:47.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Interfaces, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1440, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:52.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1575, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:54.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Device Management 
> NGFW Device Summary, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1721, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:59:10.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1867, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:59:15.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1984, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2128, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: 
admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2285, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2436, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:12.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2580, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:12.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2737, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:13.000Z", + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2888, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:20.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 3032, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3143, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3267, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + 
"@timestamp": "2019-08-14T14:01:35.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3440, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:36.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3564, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:55.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 3739, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:56.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 3874, + "service.type": "cisco", + "syslog.facility": 14, 
+ "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:57.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 4002, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:03.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 4113, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:11.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Monitoring > Audit, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "index.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4238, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:19.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 4357, + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + 
}, + { + "@timestamp": "2019-08-14T14:02:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4492, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:38.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4686, + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:38.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4870, + "service.type": "cisco", + "syslog.facility": 14, + "syslog.priority": 2, + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log new file mode 100644 index 000000000000..c92f6380b333 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log 
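Review bot: This fixture pins syslog-header parsing that looks inconsistent for the management audit events: `host.hostname` receives values such as "platformSettingEdit.cgi", "sfdccsm", "ActionQueueScrape.pl" and "index.cgi", which are program names, while other entries put "mojo_server.pl" and "lights_out_mgmt.cgi" in `process.name`, and the real sender "siem-management" survives only inside `event.original`. The same entries keep a literal `\u0000x0a\u0000x00` tail and populate no `user.name`, `source.ip` or `event.action`, so the "Login, Login Success" and "Save Policy" audit lines expose neither the account in `admin@10.0.255.31` nor an outcome, which limits their value in detection rules built on ECS fields. The pipeline that produces this output is outside the hunk; presumably its header pattern takes the token before the first `:` as a hostname, and either fixing that before pinning the expected output or adding a note next to the test data that these lines are known to parse this way would help the next maintainer. The last event is also the only one carrying `syslog.priority: 2`, which is worth confirming as intended rather than a parsing side effect.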
@@ -0,0 +1,4 @@
+2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
new file mode 100644
index 000000000000..360d63a0784b
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
@@ -0,0 +1,222 @@ +[ + { + "@timestamp": "2019-08-16T09:54:00.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430001", + "cisco.ftd.rule_name": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.classification": "Attempted User Privilege Gain", + "cisco.ftd.security.client": "Firefox", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.gid": "1", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.intrusion_policy": "intrusion-policy", + "cisco.ftd.security.message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.priority": "1", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.revision": "12", + "cisco.ftd.security.sid": "17279", + "cisco.ftd.security.src_port": "55644", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.0.100.30", + "destination.port": 80, + "event.action": "intrusion-detected", + "event.code": 430001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: 
default, NAPPolicy: Balanced Security and Connectivity", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "network.application": "firefox", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 55644, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:57:02.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430001", + "cisco.ftd.rule_name": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.classification": "Attempted User Privilege Gain", + "cisco.ftd.security.client": "Firefox", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.gid": "1", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.intrusion_policy": "intrusion-policy", + "cisco.ftd.security.message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.priority": "1", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.revision": "12", + "cisco.ftd.security.sid": "17279", + "cisco.ftd.security.src_port": "55868", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.0.100.30", + "destination.port": 80, + "event.action": 
"intrusion-detected", + "event.code": 430001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 587, + "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "network.application": "firefox", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 55868, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T10:04:44.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "430001", + "cisco.ftd.rule_name": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.classification": "Misc Activity", + "cisco.ftd.security.dst_ip": "10.0.1.20", + "cisco.ftd.security.dst_port": "39114", + "cisco.ftd.security.egress_interface": "inside", + "cisco.ftd.security.egress_zone": "input-zone", + "cisco.ftd.security.gid": "1", + "cisco.ftd.security.ingress_interface": "outside", + "cisco.ftd.security.ingress_zone": "output-zone", + "cisco.ftd.security.intrusion_policy": "intrusion-policy", + "cisco.ftd.security.message": "APP-DETECT 
failed FTP login attempt", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.priority": "3", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.revision": "6", + "cisco.ftd.security.sid": "13360", + "cisco.ftd.security.src_port": "21", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.1.20", + "destination.port": 39114, + "event.action": "intrusion-detected", + "event.code": 430001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 1174, + "message": "APP-DETECT failed FTP login attempt", + "network.iana_number": 6, + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 21, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T10:09:47.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "430001", + "cisco.ftd.rule_name": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.classification": "Misc Activity", + "cisco.ftd.security.dst_ip": "10.0.1.20", + "cisco.ftd.security.dst_port": "40740", + "cisco.ftd.security.egress_interface": "inside", + 
"cisco.ftd.security.egress_zone": "input-zone", + "cisco.ftd.security.gid": "1", + "cisco.ftd.security.ingress_interface": "outside", + "cisco.ftd.security.ingress_zone": "output-zone", + "cisco.ftd.security.intrusion_policy": "intrusion-policy", + "cisco.ftd.security.message": "APP-DETECT failed FTP login attempt", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.priority": "3", + "cisco.ftd.security.protocol": "6", + "cisco.ftd.security.revision": "6", + "cisco.ftd.security.sid": "13360", + "cisco.ftd.security.src_port": "21", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.1.20", + "destination.port": 40740, + "event.action": "intrusion-detected", + "event.code": 430001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 1662, + "message": "APP-DETECT failed FTP login attempt", + "network.iana_number": 6, + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 21, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + } +] \ No newline at end of file 
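Review bot: All four expected documents carry `destination.ip` and `cisco.ftd.security.dst_ip` but neither `source.ip` nor `cisco.ftd.security.src_ip`, even though every `event.original` begins with `SrcIP: 10.0.1.20` or `SrcIP: 10.0.100.30` and `source.port` is present. In `no-type-id.log-expected.json` the same `SrcIP` key does reach `cisco.ftd.security.src_ip` when it is not the first pair after the message id, so the key-value parsing presumably drops the first pair following `%FTD-0-430001:`; for an intrusion event the source address is the field an analyst needs most, so the fixture should be regenerated once the pipeline captures it rather than codify the gap. Separately, the header severity digit is `0` but the expected document has `"event.severity": 7` and `"log.level": "debug"`, while `%ASA-3-430005` in the sibling fixture yields severity 3 / `error`; if 0 is intentionally treated as unset, a comment on the severity step in the pipeline such as `# a severity of 0 in the FTD header is treated as unset and defaults to 7/debug` would make that explicit.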
diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log
new file mode 100644
index 000000000000..c8033fb069e0
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log
@@ -0,0 +1,4 @@
+Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt
+Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).
+Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:
+Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311
diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
new file mode 100644
index 000000000000..23ab6d455af5
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
@@ -0,0 +1,126 @@
+[
+ {
+ "@timestamp": "2018-01-11T01:00:27.000Z",
+ "cisco.ftd.message_id": "430001",
+ "cisco.ftd.security.application_protocol": "http",
+ "cisco.ftd.security.client": "webserver",
+ "cisco.ftd.security.dst_ip": "10.8.12.47",
+ "cisco.ftd.security.message": "Intrusion attempt",
+ "cisco.ftd.security.src_ip": "10.1.123.45",
+ "destination.ip": "10.8.12.47",
+ "event.action": "intrusion-detected",
+ "event.code": 430001,
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.original": "ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt",
+ "event.severity": 7,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "beats",
+ "input.type": "log",
+ "log.level": "debug",
+ "log.offset": 0,
+ "message": "Intrusion attempt",
+ "network.application": "webserver",
+ "network.protocol": "http",
+ "process.name": "ftd",
+ "process.pid": 1234,
+ "service.type": "cisco",
+ "source.ip": "10.1.123.45",
+ "tags": [
+ "cisco-ftd"
+ ]
+ },
+ {
+ "@timestamp": "2018-01-11T01:00:27.000Z",
+ "cisco.ftd.message_id": "430001",
+ "cisco.ftd.security.http_response": "404",
+ "cisco.ftd.security.message": "Some message here (1:36330:2).",
+ "event.action": "intrusion-detected",
+ "event.code": 430001,
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.original": "HTTPResponse: 404, Message: Some message here (1:36330:2).",
+ "event.severity": 7,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "beats",
+ "http.response.status_code": "404",
+ "input.type": "log",
+ "log.level": "debug",
+ "log.offset": 150,
+ "message": "Some message here (1:36330:2).",
+ "process.name": "ftd",
+ "process.pid": 1234,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ },
+ {
+ "@timestamp": "2018-01-11T01:00:27.000Z",
+ "cisco.ftd.message_id": "430002",
+ "cisco.ftd.security.http_response": "404",
+ "cisco.ftd.security.message": "Some message here (1:36330:2)",
+ "event.action": "connection-started",
+ "event.code": 430002,
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.original": "HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:",
+ "event.severity": 7,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "beats",
+ "http.response.status_code": "404",
+ "input.type": "log",
+ "log.level": "debug",
+ "log.offset": 247,
+ "message": "Some message here (1:36330:2)",
+ "process.name": "ftd",
+ "process.pid": 1234,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ },
+ {
+ "@timestamp": "2018-01-11T01:00:27.000Z",
+ "cisco.ftd.message_id": "430005",
+ "cisco.ftd.security.dst_ip": "192.168.3.33",
+ "cisco.ftd.security.dst_port": "64311",
+ "cisco.ftd.security.http_response": "404",
+ "cisco.ftd.security.message": [
+ "This one has a type id",
+ "And two messages"
+ ],
+ "cisco.ftd.security.src_ip": "127.0.0.1",
+ "cisco.ftd.security.src_port": "512",
+ "destination.ip": "192.168.3.33",
+ "destination.port": 64311,
+ "event.action": "malware-detected",
+ "event.code": 430005,
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.original": "%ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311",
+ "event.severity": 3,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "beats",
+ "http.response.status_code": "404",
+ "input.type": "log",
+ "log.level": "error",
+ "log.offset": 377,
+ "message": [
+ "This one has a type id",
+ "And two messages"
+ ],
+ "process.name": "ftd",
+ "process.pid": 1234,
+ "service.type": "cisco",
+ "source.ip": "127.0.0.1",
+ "source.port": 512,
+ "tags": [
+ "cisco-ftd"
+ ]
+ }
+]
\ No newline at end of file
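Review bot: The second and third events differ only by the trailing empty pairs `Empty: ,FileCount:, IngressZone:`, yet the expected output assigns `event.code` 430001 / `intrusion-detected` to one and 430002 / `connection-started` to the other. The message id for header-less lines is presumably inferred from which key names appear, so an empty `FileCount:` is enough to flip the classification, and this fixture codifies that behaviour with nothing explaining it. A comment on the inference step in the pipeline naming which keys select 430001 versus 430002, or a sentence in the fileset docs stating that `event.action` for FTD messages without a `%FTD-x-nnnnnn` header is inferred heuristically, would spare the next maintainer this puzzle. `http.response.status_code` is also emitted as the string `"404"` while `destination.port` and `source.port` are numeric; ECS defines the status code as a long, so the convert step likely needs to cover it as well.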
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log b/x-pack/filebeat/module/cisco/ftd/test/sample.log new file mode 100644 index 000000000000..d0a3a1649a94 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log 
@@ -0,0 +1,72 @@
+Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0]
+Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]
+Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882
+Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)
+Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140
+Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999
+Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233
+Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879
+Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)
+Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query
+Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside
+Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query
+Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
+Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside
+Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
+Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com
+Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
+Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
+Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
new file mode 100644
index 000000000000..1637aca30e72
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -0,0 +1,1949 @@ +[ + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "acl_dmz", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "acl_dmz", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 139, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-04-15T13:34:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + 
"cisco.ftd.suffix": "session", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 294, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.16", + "source.port": 2241, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-24T16:00:28.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "inside", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.2.10", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "INT-FW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 465, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.101", + "source.port": 1039, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-24T16:00:27.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "inside", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.2.57", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106100, + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "INT-FW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 632, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.3", + "source.port": 1065, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 812, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 938, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-305011: Built 
dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1110, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1237, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1405, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1531, + "service.type": "cisco", + "tags": [ 
+ "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.123.1.35", + "destination.port": 52925, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 5025000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "event.severity": 6, + "event.start": "2013-04-29T11:36:05.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1696, + "network.bytes": 140, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.connection_id": "666", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.destination_username": "user2", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "cisco.ftd.source_username": "user1", + "destination.ip": "10.123.1.35", + "destination.port": 52925, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 36000000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "event.severity": 6, + "event.start": "2013-04-29T02:59:50.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1848, + "network.bytes": 9999999, 
+ "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco.ftd.message_id": "302021", + "destination.ip": "192.168.132.46", + "destination.port": 17233, + "event.action": "flow-expiration", + "event.code": 302021, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "FJSG2NRFW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2012, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "172.24.177.29", + "source.port": 0, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.code": 305011, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 2167, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + 
"log.offset": 2293, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:33.000Z", + "cisco.ftd.message_id": "106007", + "destination.ip": "10.1.2.60", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106007, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 2458, + "network.direction": "inbound", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.0.66", + "source.port": 12981, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2567, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2006, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": 
"192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2726, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49734, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2887, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49735, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": 
"%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3048, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49736, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3209, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49737, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:40.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + 
"event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3370, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49738, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:41.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3531, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49746, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:47.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3692, + "network.iana_number": 6, + 
"network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2007, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:48.000Z", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.168.33.31", + "destination.port": 25, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3851, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.13", + "source.port": 43013, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:56.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4008, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2008, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:02.000Z", + 
"cisco.ftd.message_id": "106006", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.1.2.42", + "destination.port": 137, + "event.action": "firewall-rule", + "event.code": 106006, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 4167, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 137, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:03.000Z", + "cisco.ftd.message_id": "106007", + "destination.ip": "10.1.5.60", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106007, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 4278, + "network.direction": "inbound", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 12981, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:06.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp 
inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4387, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2009, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:08.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4546, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49776, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:15.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": 
"ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4707, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2010, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4866, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2011, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5022, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + 
"source.port": 2012, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:40.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "acl_out", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 5178, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:41.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "acl_out", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 5325, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": 
"acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5472, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49840, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5635, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2013, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-04-15T13:34:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.rule_name": "acl_in", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.suffix": "session", + "destination.ip": "192.0.0.99", + "destination.port": 2000, + "event.action": "firewall-rule", + 
"event.code": 106100, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5796, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2241, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 5967, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.code": 302015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6147, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + 
"cisco.ftd.rule_name": "dmz", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 6332, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "dmz", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 6487, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 
(192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6642, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6817, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5678, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-12-11T08:01:31.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "event.severity": 6, + "event.start": "2018-12-11T08:01:31.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6992, + "network.bytes": 14804, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + 
"@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.connection_id": "447234", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.35", + "destination.port": 5678, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7162, + "network.bytes": 134781, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.connection_id": "447234", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.35", + "destination.port": 5678, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7333, + "network.bytes": 134781, + "network.iana_number": 6, + "network.transport": 
"tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.message_id": "106015", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "event.action": "firewall-rule", + "event.code": 106015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7504, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.message_id": "106015", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "event.action": "firewall-rule", + "event.code": 106015, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7651, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "dmz", + "cisco.ftd.source_interface": "dmz", + 
"destination.ip": "192.0.0.12", + "destination.port": 5000, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 7798, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.34", + "source.port": 5679, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7954, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.code": 302013, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 8133, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", 
+ "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.10.10.10", + "destination.port": 1235, + "event.action": "flow-expiration", + "event.code": 302014, + "event.dataset": "cisco.ftd", + "event.duration": 86399000000000, + "event.end": "2018-12-11T08:01:53.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "event.severity": 6, + "event.start": "2018-12-10T08:01:54.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 8312, + "network.bytes": 11420, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2012-08-15T23:30:09.000Z", + "cisco.ftd.connection_id": "40", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.44.2.2", + "destination.port": 500, + "event.action": "flow-expiration", + "event.code": 302016, + "event.dataset": "cisco.ftd", + "event.duration": 122000000000, + "event.end": "2012-08-15T23:30:09.000Z", + "event.module": "cisco", + "event.original": "%FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "event.severity": 6, + "event.start": "2012-08-15T23:28:07.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 8482, + "network.bytes": 1416, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "10.44.4.4", + "source.port": 500, + "tags": [ + 
"cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:50:53.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8624, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:01.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8745, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", 
+ "log.offset": 8866, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8987, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:06.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9108, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:17.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": 
"ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9229, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:52:48.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9350, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:00.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "event.action": "firewall-rule", + "event.code": 106016, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9472, + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:01.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "106023", + "cisco.ftd.rule_name": "PERMIT_IN", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.32.112.125", + "destination.port": 25, + "event.action": "firewall-rule", + "event.code": 106023, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + 
"event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9594, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.95", + "source.port": 24069, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:02.000Z", + "cisco.ftd.icmp_code": 3, + "cisco.ftd.icmp_type": 3, + "cisco.ftd.message_id": "313001", + "cisco.ftd.source_interface": "Outside", + "event.action": "firewall-rule", + "event.code": 313001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "error", + "log.offset": 9748, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "10.2.3.5", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:13.000Z", + "cisco.ftd.icmp_type": 0, + "cisco.ftd.message_id": "313004", + "cisco.ftd.source_interface": "inside", + "destination.ip": "172.16.1.10", + "event.action": "firewall-rule", + "event.code": 313004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 9858, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + 
"source.ip": "172.16.30.2", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "192.88.99.129", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "192.88.99.1", + "cisco.ftd.mapped_source_port": 7890, + "cisco.ftd.message_id": "338002", + "cisco.ftd.rule_name": "dynamic", + "cisco.ftd.source_interface": "inside", + "destination.domain": "bad.example.com", + "destination.ip": "192.88.99.129", + "destination.port": 80, + "event.action": "firewall-rule", + "event.code": 338002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "event.outcome": "allow", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 9994, + "network.iana_number": 6, + "network.transport": "tcp", + "server.domain": "bad.example.com", + "service.type": "cisco", + "source.ip": "10.1.1.45", + "source.nat.ip": "192.88.99.1", + "source.nat.port": "7890", + "source.port": 6798, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outsidet", + "cisco.ftd.mapped_destination_ip": "192.0.2.225", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "10.2.1.1", + "cisco.ftd.mapped_source_port": 33340, + "cisco.ftd.message_id": "338004", + "cisco.ftd.rule_name": "dynamic", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.threat_category": "Malware", + "cisco.ftd.threat_level": "very-high", + "destination.ip": "192.0.2.223", + "destination.nat.ip": "192.0.2.225", + "destination.nat.port": "80", + "destination.port": 80, + 
"event.action": "firewall-rule", + "event.code": 338004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "event.outcome": "monitored", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 10245, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.1.1", + "source.nat.ip": "10.2.1.1", + "source.nat.port": "33340", + "source.port": 33340, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outsidet", + "cisco.ftd.mapped_destination_ip": "192.0.2.223", + "cisco.ftd.mapped_destination_port": 8080, + "cisco.ftd.mapped_source_ip": "10.2.1.1", + "cisco.ftd.mapped_source_port": 33340, + "cisco.ftd.message_id": "338008", + "cisco.ftd.rule_name": "dynamic", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.threat_category": "Malware", + "cisco.ftd.threat_level": "very-high", + "destination.ip": "192.0.2.223", + "destination.nat.ip": "192.0.2.223", + "destination.nat.port": "8080", + "destination.port": 80, + "event.action": "firewall-rule", + "event.code": 338008, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + 
"log.level": "warning", + "log.offset": 10544, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.1.1", + "source.nat.ip": "10.2.1.1", + "source.nat.port": "33340", + "source.port": 33340, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2009-11-16T14:12:35.000Z", + "cisco.ftd.message_id": "304001", + "destination.ip": "192.0.2.1", + "event.action": "firewall-rule", + "event.code": 304001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 10843, + "service.type": "cisco", + "source.ip": "10.30.30.30", + "tags": [ + "cisco-ftd" + ], + "url.original": "/app" + }, + { + "@timestamp": "2009-11-16T14:12:36.000Z", + "cisco.ftd.message_id": "304001", + "destination.ip": "192.0.2.32", + "event.action": "firewall-rule", + "event.code": 304001, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 10920, + "service.type": "cisco", + "source.ip": "10.5.111.32", + "tags": [ + "cisco-ftd" + ], + "url.original": "http://example.com" + }, + { + "@timestamp": "2009-11-16T14:12:37.000Z", + "cisco.ftd.message_id": "304002", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.19", + "event.action": "firewall-rule", + "event.code": 304002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "event.outcome": "deny", + 
"event.severity": 5,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 11012,
+ "service.type": "cisco",
+ "source.ip": "10.69.6.39",
+ "tags": [
+ "cisco-ftd"
+ ],
+ "url.original": "http://www.example.net/images/favicon.ico"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log
new file mode 100644
index 000000000000..c81a41dfb1f7
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log
@@ -0,0 +1,10 @@
+2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
+2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, 
IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
+2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
+2019-08-16T09:33:15Z firepower %FTD-1-430002: 
AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
+Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: 
output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
new file mode 100644
index 000000000000..49ad59da74e7
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
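Review bot: Lines 3–8 of the fixture carry real, routable destinations and live third-party hosts (8.8.8.8, 52.59.244.233, 213.211.198.62, eu-central-1.ec2.archive.ubuntu.com, www.eicar.org) next to the RFC 1918 source addresses, whereas the other ftd fixtures in this PR use documentation ranges such as 192.0.2.0/24 and example.com/example.net for their public endpoints. Since the parser only needs syntactically valid values, consider rewriting those to documentation addresses and hostnames (and regenerating security-connection.log-expected.json) so the committed corpus does not reference real infrastructure. The final line also switches to the `Aug 14 2019 15:09:41 siem-ftd` timestamp and hostname form after nine ISO 8601 lines; if that is deliberate coverage of the second syslog header layout, a sentence in the PR description saying so would help, since a fixture file cannot carry a comment.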
@@ -0,0 +1,717 @@ +[ + { + "@timestamp": "2019-08-15T16:03:31.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.message_id": "430002", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "ICMP", + "cisco.ftd.security.client": "ICMP client", + "cisco.ftd.security.dst_ip": "10.0.1.20", + "cisco.ftd.security.egress_interface": "input", + "cisco.ftd.security.egress_zone": "input-zone", + "cisco.ftd.security.icmp_code": "No Code", + "cisco.ftd.security.icmp_type": "Echo Request", + "cisco.ftd.security.ingress_interface": "output", + "cisco.ftd.security.ingress_zone": "output-zone", + "cisco.ftd.security.initiator_bytes": "98", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "icmp", + "cisco.ftd.security.responder_bytes": "0", + "cisco.ftd.security.responder_packets": "0", + "cisco.ftd.security.src_ip": "10.0.100.30", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "output", + "destination.bytes": 0, + "destination.ip": "10.0.1.20", + "destination.packets": 0, + "event.action": "connection-started", + "event.code": 430002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, 
ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 0, + "network.application": "icmp client", + "network.iana_number": 1, + "network.protocol": "icmp", + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 98, + "source.ip": "10.0.100.30", + "source.packets": 1, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:05:33.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "ICMP", + "cisco.ftd.security.client": "ICMP client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dst_ip": "10.0.1.20", + "cisco.ftd.security.egress_interface": "input", + "cisco.ftd.security.egress_zone": "input-zone", + "cisco.ftd.security.icmp_code": "No Code", + "cisco.ftd.security.icmp_type": "Echo Request", + "cisco.ftd.security.ingress_interface": "output", + "cisco.ftd.security.ingress_zone": "output-zone", + "cisco.ftd.security.initiator_bytes": "98", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "icmp", + "cisco.ftd.security.responder_bytes": "98", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.100.30", + "cisco.ftd.security.user": "No Authentication Required", + 
"cisco.ftd.source_interface": "output", + "destination.bytes": 98, + "destination.ip": "10.0.1.20", + "destination.packets": 1, + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-15T16:05:33.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-15T16:05:33.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 579, + "network.application": "icmp client", + "network.iana_number": 1, + "network.protocol": "icmp", + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 98, + "source.ip": "10.0.100.30", + "source.packets": 1, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:05:37.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430002", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.dns_query": 
"eu-central-1.ec2.archive.ubuntu.com", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "106", + "cisco.ftd.security.initiator_packets": "1", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "0", + "cisco.ftd.security.responder_packets": "0", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "50074", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 0, + "destination.port": 53, + "dns.question.name": "eu-central-1.ec2.archive.ubuntu.com", + "dns.question.type": "A", + "dns.response_code": "NOERROR", + "event.action": "connection-started", + "event.code": 430002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, 
InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 1182, + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 106, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 50074, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:00.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "DNS", + "cisco.ftd.security.client": "DNS client", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dns_query": "siem-inside", + "cisco.ftd.security.dns_record_type": "a host address", + "cisco.ftd.security.dns_response_type": "Non-Existent Domain", + "cisco.ftd.security.dns_ttl": "86395", + "cisco.ftd.security.dst_ip": "8.8.8.8", + "cisco.ftd.security.dst_port": "53", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "164", + "cisco.ftd.security.initiator_packets": "2", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": 
"Default Prefilter Policy", + "cisco.ftd.security.protocol": "udp", + "cisco.ftd.security.responder_bytes": "314", + "cisco.ftd.security.responder_packets": "2", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "49264", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 314, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 53, + "dns.question.name": "siem-inside", + "dns.question.type": "A", + "dns.response_code": "NXDOMAIN", + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-15T16:07:00.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-15T16:07:00.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 1821, + "network.application": "dns client", + 
"network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 164, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 49264, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:18.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430002", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.dst_ip": "52.59.244.233", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "140", + "cisco.ftd.security.initiator_packets": "2", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.responder_bytes": "74", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "43228", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 74, + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": 
"52.59.244.233", + "destination.packets": 1, + "destination.port": 80, + "event.action": "connection-started", + "event.code": 430002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 2515, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 140, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 43228, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:19.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "Advanced Packaging Tool", + "cisco.ftd.security.client_version": "1.3", + "cisco.ftd.security.connection_duration": "1", + "cisco.ftd.security.dst_ip": "52.59.244.233", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + 
"cisco.ftd.security.http_response": "200", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "97454", + "cisco.ftd.security.initiator_packets": "1359", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.referenced_host": "eu-central-1.ec2.archive.ubuntu.com", + "cisco.ftd.security.responder_bytes": "41319018", + "cisco.ftd.security.responder_packets": "29001", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "43228", + "cisco.ftd.security.url": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.security.user_agent": "Debian APT-HTTP/1.3 (1.6.11)", + "cisco.ftd.security.web_application": "Ubuntu", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 41319018, + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "52.59.244.233", + "destination.packets": 29001, + "destination.port": 80, + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 1000000000, + "event.end": "2019-08-15T16:07:19.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: 
input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-15T16:07:18.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "alert", + "log.offset": 3037, + "network.application": [ + "Advanced Packaging Tool", + "Ubuntu" + ], + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 97454, + "source.ip": "10.0.1.20", + "source.packets": 1359, + "source.port": 43228, + "tags": [ + "cisco-ftd" + ], + "url.domain": "eu-central-1.ec2.archive.ubuntu.com", + "url.original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.11)" + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430002", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.dst_ip": "213.211.198.62", + 
"cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "140", + "cisco.ftd.security.initiator_packets": "2", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.responder_bytes": "74", + "cisco.ftd.security.responder_packets": "1", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "46000", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.bytes": 74, + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", + "destination.ip": "213.211.198.62", + "destination.packets": 1, + "destination.port": 80, + "event.action": "connection-started", + "event.code": 430002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + 
"event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 3919, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 140, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 46000, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Rule-1" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Allow", + "cisco.ftd.security.access_control_rule_name": "Rule-1", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.client_version": "7.58.0", + "cisco.ftd.security.connection_duration": "0", + "cisco.ftd.security.dst_ip": "213.211.198.62", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.egress_interface": "outside", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.http_response": "200", + "cisco.ftd.security.ingress_interface": "inside", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "503", + "cisco.ftd.security.initiator_packets": "6", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.referenced_host": "www.eicar.org", + "cisco.ftd.security.responder_bytes": "690", + "cisco.ftd.security.responder_packets": "4", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "46000", + "cisco.ftd.security.url": "http://www.eicar.org/download/eicar_com.zip", + 
"cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.security.user_agent": "curl/7.58.0", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.bytes": 690, + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", + "destination.ip": "213.211.198.62", + "destination.packets": 4, + "destination.port": 80, + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2019-08-16T09:33:15.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", + "event.outcome": "allow", + "event.severity": 1, + "event.start": "2019-08-16T09:33:15.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "alert", + "log.offset": 4442, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + 
"network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 503, + "source.ip": "10.0.1.20", + "source.packets": 6, + "source.port": 46000, + "tags": [ + "cisco-ftd" + ], + "url.domain": "www.eicar.org", + "url.original": "http://www.eicar.org/download/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required", + "user_agent.original": "curl/7.58.0" + }, + { + "@timestamp": "2019-08-16T09:35:15.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.message_id": "430002", + "cisco.ftd.rule_name": [ + "default", + "Block-inbound-ICMP" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Block", + "cisco.ftd.security.access_control_rule_name": "Block-inbound-ICMP", + "cisco.ftd.security.dst_ip": "10.0.1.20", + "cisco.ftd.security.egress_interface": "input", + "cisco.ftd.security.egress_zone": "input-zone", + "cisco.ftd.security.icmp_code": "No Code", + "cisco.ftd.security.icmp_type": "Echo Request", + "cisco.ftd.security.ingress_interface": "output", + "cisco.ftd.security.ingress_zone": "output-zone", + "cisco.ftd.security.initiator_bytes": "0", + "cisco.ftd.security.initiator_packets": "0", + "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "icmp", + "cisco.ftd.security.responder_bytes": "0", + "cisco.ftd.security.responder_packets": "0", + "cisco.ftd.security.src_ip": "10.0.100.30", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.source_interface": "output", + "destination.bytes": 0, + "destination.ip": "10.0.1.20", + "destination.packets": 0, + "event.action": "connection-started", + "event.code": 430002, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No 
Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "event.outcome": "block", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 5177, + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 0, + "source.ip": "10.0.100.30", + "source.packets": 0, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:09:41.000Z", + "cisco.ftd.destination_interface": "output", + "cisco.ftd.message_id": "430003", + "cisco.ftd.rule_name": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.security.ac_policy": "default", + "cisco.ftd.security.access_control_rule_action": "Block", + "cisco.ftd.security.access_control_rule_name": "Intrusion-Rule", + "cisco.ftd.security.access_control_rule_reason": "File Block", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.client_version": "7.58.0", + "cisco.ftd.security.connection_duration": "1", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.egress_interface": "output", + "cisco.ftd.security.egress_zone": "output-zone", + "cisco.ftd.security.file_count": "1", + "cisco.ftd.security.http_response": "200", + "cisco.ftd.security.ingress_interface": "input", + "cisco.ftd.security.ingress_zone": "input-zone", + "cisco.ftd.security.initiator_bytes": "365", + "cisco.ftd.security.initiator_packets": "4", + 
"cisco.ftd.security.nap_policy": "Balanced Security and Connectivity", + "cisco.ftd.security.prefilter_policy": "Default Prefilter Policy", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.referenced_host": "10.0.100.30:8000", + "cisco.ftd.security.responder_bytes": "1927", + "cisco.ftd.security.responder_packets": "7", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41544", + "cisco.ftd.security.url": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.security.user_agent": "curl/7.58.0", + "cisco.ftd.source_interface": "input", + "destination.bytes": 1927, + "destination.ip": "10.0.100.30", + "destination.packets": 7, + "destination.port": 8000, + "event.action": "connection-finished", + "event.code": 430003, + "event.dataset": "cisco.ftd", + "event.duration": 1000000000, + "event.end": "2019-08-14T15:09:41.000Z", + "event.module": "cisco", + "event.original": "%FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", + "event.outcome": "block", + "event.severity": 1, + "event.start": "2019-08-14T15:09:40.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "http.response.status_code": "200", + "input.type": "log", + "log.level": 
"alert",
+ "log.offset": 5719,
+ "network.application": "curl",
+ "network.iana_number": 6,
+ "network.protocol": "http",
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.bytes": 365,
+ "source.ip": "10.0.1.20",
+ "source.packets": 4,
+ "source.port": 41544,
+ "tags": [
+ "cisco-ftd"
+ ],
+ "url.domain": "10.0.100.30:8000",
+ "url.original": "http://10.0.100.30:8000/eicar_com.zip",
+ "user.id": "No Authentication Required",
+ "user.name": "No Authentication Required",
+ "user_agent.original": "curl/7.58.0"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log
new file mode 100644
index 000000000000..5a6fe1852f71
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log
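Review bot: The expected output at the end of this hunk emits `"http.response.status_code": "200"` as a string and `"url.domain": "10.0.100.30:8000"` with the port attached, and both diverge from ECS, where status_code is a long and url.domain holds only the host while the port goes to url.port; the same shape appears in the other HTTP events of this file. Numeric range queries on the status code and domain-based indicator matching on url.domain will not work against documents shaped like this. The device sentinel `User: No Authentication Required` is also copied verbatim into `user.id` and `user.name` on every event, so user-centric aggregations and detections would treat that placeholder as a real identity; not populating user.* when the value equals that sentinel seems preferable. The mapping itself lives in the shared ingest pipeline outside this hunk, so the expected files would need regenerating after changing it.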
@@ -0,0 +1,10 @@
+Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe
+Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe
+Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com
+Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt
+Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
+2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
new file mode 100644
index 000000000000..4409892917e7
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
@@ -0,0 +1,570 @@ +[ + { + "@timestamp": "2019-08-14T14:54:25.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "exploit.exe", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_type": "ELF", + "cisco.ftd.security.first_packet_second": "2019-08-14T14:54:24Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41522", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/exploit.exe", + "cisco.ftd.security.user": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "event.severity": 1, + "event.start": "2019-08-14T14:54:24Z", + "event.timezone": "+00:00", + "file.name": "exploit.exe", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 0, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + 
"source.ip": "10.0.1.20", + "source.port": 41522, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/exploit.exe", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T14:55:02.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "exploit.exe", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_type": "ELF", + "cisco.ftd.security.first_packet_second": "2019-08-14T14:55:01Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41526", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/exploit.exe", + "cisco.ftd.security.user": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "event.severity": 1, + "event.start": "2019-08-14T14:55:01Z", + "event.timezone": "+00:00", + "file.name": "exploit.exe", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + 
"input.type": "log", + "log.level": "alert", + "log.offset": 450, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41526, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/exploit.exe", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:00:29.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "eicar.com", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_type": "EICAR", + "cisco.ftd.security.first_packet_second": "2019-08-14T15:00:27Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41530", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar.com", + "cisco.ftd.security.user": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: 
http://10.0.100.30:8000/eicar.com", + "event.severity": 1, + "event.start": "2019-08-14T15:00:27Z", + "event.timezone": "+00:00", + "file.name": "eicar.com", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 900, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41530, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar.com", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:01:41.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "eicar.com.txt", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_type": "EICAR", + "cisco.ftd.security.first_packet_second": "2019-08-14T15:01:40Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41534", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar.com.txt", + "cisco.ftd.security.user": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, 
FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", + "event.severity": 1, + "event.start": "2019-08-14T15:01:40Z", + "event.timezone": "+00:00", + "file.name": "eicar.com.txt", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 1348, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41534, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar.com.txt", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:03:28.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "eicar_com.zip", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.file_size": "184", + "cisco.ftd.security.file_type": "ZIP", + "cisco.ftd.security.first_packet_second": "2019-08-14T15:03:27Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41540", + "cisco.ftd.security.threat_name": "Unknown", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar_com.zip", + 
"cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "event.severity": 1, + "event.start": "2019-08-14T15:03:27Z", + "event.timezone": "+00:00", + "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file.name": "eicar_com.zip", + "file.size": "184", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 1804, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41540, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:03:33.000Z", + "cisco.ftd.message_id": "430004", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Detect", + "cisco.ftd.security.file_direction": "Download", + 
"cisco.ftd.security.file_name": "eicar_com.zip", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.file_size": "184", + "cisco.ftd.security.file_type": "ZIP", + "cisco.ftd.security.first_packet_second": "2019-08-14T15:03:31Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41542", + "cisco.ftd.security.threat_name": "Unknown", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.code": 430004, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "event.severity": 1, + "event.start": "2019-08-14T15:03:31Z", + "event.timezone": "+00:00", + "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file.name": "eicar_com.zip", + "file.size": "184", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2372, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": 
"tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41542, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:09:43.000Z", + "cisco.ftd.message_id": "430005", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "8000", + "cisco.ftd.security.file_action": "Malware Block", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "eicar_com.zip", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.file_size": "184", + "cisco.ftd.security.file_type": "ZIP", + "cisco.ftd.security.first_packet_second": "2019-08-14T15:09:40Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.sha_disposition": "Malware", + "cisco.ftd.security.spero_disposition": "Spero detection not performed on file", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "41544", + "cisco.ftd.security.threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.security.threat_score": "76", + "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.threat_level": "76", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "malware-detected", + "event.code": 430005, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 
41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "event.severity": 1, + "event.start": "2019-08-14T15:09:40Z", + "event.timezone": "+00:00", + "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file.name": "eicar_com.zip", + "file.size": "184", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2940, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41544, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:39:03.000Z", + "cisco.ftd.message_id": "430005", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "213.211.198.62", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.file_action": "Malware Cloud Lookup", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "eicar_com.zip", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "File Size Is Too Small", + "cisco.ftd.security.file_sha256": 
"2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.file_size": "184", + "cisco.ftd.security.file_storage_status": "Not Stored (Disposition Was Pending)", + "cisco.ftd.security.file_type": "ZIP", + "cisco.ftd.security.first_packet_second": "2019-08-16T09:39:02Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.sha_disposition": "Unavailable", + "cisco.ftd.security.spero_disposition": "Spero detection not performed on file", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "46004", + "cisco.ftd.security.threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.security.uri": "http://www.eicar.org/download/eicar_com.zip", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", + "destination.ip": "213.211.198.62", + "destination.port": 80, + "event.action": "malware-detected", + "event.code": 430005, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 
2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "event.severity": 1, + "event.start": "2019-08-16T09:39:02Z", + "event.timezone": "+00:00", + "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file.name": "eicar_com.zip", + "file.size": "184", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 3639, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 46004, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://www.eicar.org/download/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:40:45.000Z", + "cisco.ftd.message_id": "430005", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "10.0.100.30", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.file_action": "Malware Cloud Lookup", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "Sent for Analysis", + "cisco.ftd.security.file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "cisco.ftd.security.file_size": "278987", + "cisco.ftd.security.file_storage_status": "Not Stored (Disposition Was Pending)", + "cisco.ftd.security.file_type": "PDF", + "cisco.ftd.security.first_packet_second": "2019-08-16T09:40:45Z", + "cisco.ftd.security.protocol": "tcp", + 
"cisco.ftd.security.sha_disposition": "Unavailable", + "cisco.ftd.security.spero_disposition": "Spero detection not performed on file", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "55378", + "cisco.ftd.security.threat_name": "Unknown", + "cisco.ftd.security.uri": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", + "destination.ip": "10.0.100.30", + "destination.port": 80, + "event.action": "malware-detected", + "event.code": 430005, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "event.severity": 1, + "event.start": "2019-08-16T09:40:45Z", + "event.timezone": "+00:00", + "file.hash.sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "file.name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "file.size": "278987", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 4397, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + 
"source.ip": "10.0.1.20", + "source.port": 55378, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:42:07.000Z", + "cisco.ftd.message_id": "430005", + "cisco.ftd.rule_name": "malware-and-file-policy", + "cisco.ftd.security.application_protocol": "HTTP", + "cisco.ftd.security.client": "cURL", + "cisco.ftd.security.dst_ip": "18.197.225.123", + "cisco.ftd.security.dst_port": "80", + "cisco.ftd.security.file_action": "Malware Cloud Lookup", + "cisco.ftd.security.file_direction": "Download", + "cisco.ftd.security.file_name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.file_policy": "malware-and-file-policy", + "cisco.ftd.security.file_sandbox_status": "Failed to Send", + "cisco.ftd.security.file_sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "cisco.ftd.security.file_size": "278987", + "cisco.ftd.security.file_type": "PDF", + "cisco.ftd.security.first_packet_second": "2019-08-16T09:42:06Z", + "cisco.ftd.security.protocol": "tcp", + "cisco.ftd.security.sha_disposition": "Malware", + "cisco.ftd.security.spero_disposition": "Spero detection not performed on file", + "cisco.ftd.security.src_ip": "10.0.1.20", + "cisco.ftd.security.src_port": "47926", + "cisco.ftd.security.threat_name": "Pdf.Exploit.Pdfka::100.sbx.tg", + "cisco.ftd.security.threat_score": "100", + "cisco.ftd.security.uri": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.user": "No Authentication Required", + "cisco.ftd.threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg", + "cisco.ftd.threat_level": "100", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + 
"destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "18.197.225.123", + "destination.port": 80, + "event.action": "malware-detected", + "event.code": 430005, + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "event.severity": 1, + "event.start": "2019-08-16T09:42:06Z", + "event.timezone": "+00:00", + "file.hash.sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "file.name": "dd3dee576d0cb4abfed00f97f0c71c1d", + "file.size": "278987", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 5211, + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 47926, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go b/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go new file mode 100644 index 000000000000..62fc5f419145 --- /dev/null +++ b/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go 
@@ -0,0 +1,143 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build ignore
+
+package main
+
+import (
+ "encoding/csv"
+ "flag"
+ "fmt"
+ "io"
+ "os"
+ "sort"
+
+ "github.com/pkg/errors"
+)
+
+var outputFile = flag.String("output", "ftd-ecs-mappings.asciidoc", "Output file")
+
+var outputTables = []struct {
+ Name string
+ IDs []string
+}{
+ {
+ Name: "Intrusion events",
+ IDs: []string{"430001"},
+ },
+ {
+ Name: "Connection and Security Intelligence events",
+ IDs: []string{"430002", "430003"},
+ },
+ {
+ Name: "File and Malware events",
+ IDs: []string{"430004", "430004"},
+ },
+}
+
+type idMappings map[string]fieldMappings
+
+type fieldMappings map[string]stringSet
+
+func main() {
+ if err := generate(); err != nil {
+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+ os.Exit(2)
+ }
+}
+
+func usage() {
+ fmt.Fprintf(os.Stderr, "Usage: %s [-output file.yml] \n", os.Args[0])
+ flag.PrintDefaults()
+ os.Exit(1)
+}
+
+func generate() error {
+ flag.Usage = usage
+ flag.Parse()
+ if len(flag.Args()) == 0 || len(flag.Args()[0]) == 0 {
+ return errors.New("no csv file provided")
+ }
+ csvFile := flag.Args()[0]
+ fHandle, err := os.Open(csvFile)
+ if err != nil {
+ return fmt.Errorf("failed to open %s: %v", csvFile, err)
+ }
+ defer fHandle.Close()
+
+ outHandle, err := os.Create(*outputFile)
+ if err != nil {
+ return fmt.Errorf("failed to create %s: %v", *outputFile, err)
+ }
+ defer outHandle.Close()
+
+ mappings, err := loadMappings(fHandle)
+ if err != nil {
+ return fmt.Errorf("failed to load mappings from '%s': %v", csvFile, err)
+ }
+
+ for _, table := range outputTables {
+ fieldMap := make(fieldMappings)
+ for _, id := range table.IDs {
+ fieldMap.merge(mappings[id])
+ }
+ var fields []string
+ for k, v := range fieldMap {
+ if len(v) > 0 {
+ fields =
append(fields, k)
+ }
+ }
+ sort.Strings(fields)
+ fmt.Fprintf(outHandle, "Mappings for %s fields:\n", table.Name)
+ fmt.Fprintln(outHandle, "[options=\"header\"]")
+ fmt.Fprintln(outHandle, "|====================================")
+ fmt.Fprintln(outHandle, "| FTD Field | Mapped fields")
+ for _, field := range fields {
+ fmt.Fprintln(outHandle, "|", field, "|", fieldMap[field].String())
+ }
+ fmt.Fprintln(outHandle, "|====================================")
+ fmt.Fprintln(outHandle)
+ }
+
+ return nil
+}
+
+func loadMappings(reader io.Reader) (m idMappings, err error) {
+ csvReader := csv.NewReader(reader)
+ csvReader.FieldsPerRecord = -1
+ m = make(idMappings)
+ for lineNum := 1; ; lineNum++ {
+ record, err := csvReader.Read()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return m, errors.Wrapf(err, "failed reading line %d", lineNum)
+ }
+ if len(record) < 3 {
+ return m, fmt.Errorf("line %d has unexpected number of columns: %d", lineNum, len(record))
+ }
+ id := record[1]
+ ftdField := record[2]
+ if _, found := m[id]; !found {
+ m[id] = make(fieldMappings)
+ }
+ if _, found := m[id][ftdField]; !found {
+ m[id][ftdField] = newStringSet(nil)
+ }
+ m[id][ftdField].merge(newStringSet(record[3:]))
+ }
+ return m, nil
+}
+
+func (m fieldMappings) merge(other fieldMappings) {
+ for ftdField, newECS := range other {
+ if curECS, found := m[ftdField]; found {
+ curECS.merge(newECS)
+ } else {
+ m[ftdField] = newECS
+ }
+ }
+}
diff --git a/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go b/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go
new file mode 100644
index 000000000000..0de448f23ce2
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go
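Review bot: The "File and Malware events" entry in `outputTables` lists `"430004"` twice, so the generated table for that section can never include a second event ID's mappings; the ftd test fixture in this commit (`event.code: 430005` for a malware-detected event) and the pipeline's kv processor, which accepts 430001 through 430005, suggest the intended line is `IDs: []string{"430004", "430005"},`. The duplicate goes unnoticed at generation time because `mappings[id]` on an absent key yields a nil map and `fieldMap.merge` ranges over it silently, so a short comment on the table or a uniqueness check over the IDs would keep this from recurring. In `generate`, the deferred `outHandle.Close()` discards the close error after a run of unchecked `fmt.Fprint*` writes, so a truncated docs file would pass silently; ending the function with `return outHandle.Close()` instead of the defer is a one-line fix.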
@@ -0,0 +1,249 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build ignore
+
+package main
+
+import (
+ "encoding/csv"
+ "flag"
+ "fmt"
+ "io"
+ "os"
+ "strings"
+ "unicode"
+
+ "gopkg.in/yaml.v2"
+
+ "github.com/pkg/errors"
+)
+
+var (
+ outputFile = flag.String("output", "ftd-processor.yml", "Output file")
+ filesetFieldsBase = "cisco.ftd"
+ tmpFieldsFieldsBase = "_temp_.cisco"
+)
+
+const begin = `#*******************************************************************************
+# Code generated by go generate. DO NOT EDIT.
+#*******************************************************************************
+`
+
+const end = `#*******************************************************************************
+# End of generated code.
+#*******************************************************************************
+`
+
+const painless = `boolean isEmpty(def value) {
+ return (value instanceof AbstractList? value.size() : value.length()) == 0;
+}
+def appendOrCreate(Map dest, String[] path, def value) {
+ for (int i=0; i new HashMap());
+ }
+ String key = path[path.length - 1];
+ def existing = dest.get(key);
+ return existing == null?
+ dest.put(key, value)
+ : existing instanceof AbstractList?
+ existing.add(value)
+ : dest.put(key, new ArrayList([existing, value]));
+}
+def msg = ctx._temp_.orig_security;
+def counters = new HashMap();
+def dest = new HashMap();
+ctx._temp_.cisco['security'] = dest;
+for (entry in msg.entrySet()) {
+ def param = params.get(entry.getKey());
+ if (param == null) {
+ continue;
+ }
+ param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );
+ if (!isEmpty(entry.getValue())) {
+ param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );
+ dest[param.target] = entry.getValue();
+ }
+}
+if (ctx._temp_.cisco.message_id != "") return;
+def best;
+for (entry in counters.entrySet()) {
+ if (best == null || best.getValue() < entry.getValue()) best = entry;
+}
+if (best != null) ctx._temp_.cisco.message_id = best.getKey();
+`
+
+type mappings struct {
+ If string
+ Params map[string]*fieldMapping
+ Lang string
+ Source string
+}
+
+type fieldMapping struct {
+ name string
+ Target string
+ ID stringSet `yaml:",flow,omitempty"`
+ ECS stringSet `yaml:",flow,omitempty"`
+}
+
+func main() {
+ if err := generate(); err != nil {
+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+ os.Exit(2)
+ }
+}
+
+func usage() {
+ fmt.Fprint(os.Stderr, "Usage: gen [-output file.yml] \n")
+ flag.PrintDefaults()
+ os.Exit(1)
+}
+
+func generate() error {
+ flag.Usage = usage
+ flag.Parse()
+ if len(flag.Args()) == 0 || len(flag.Args()[0]) == 0 {
+ return errors.New("no csv file provided")
+ }
+ csvFile := flag.Args()[0]
+ fHandle, err := os.Open(csvFile)
+ if err != nil {
+ return fmt.Errorf("failed to open %s: %v", csvFile, err)
+ }
+ defer fHandle.Close()
+
+ outHandle, err := os.Create(*outputFile)
+ if err != nil {
+ return fmt.Errorf("failed to create %s: %v", *outputFile, err)
+ }
+ defer outHandle.Close()
+
+ mappings, err := loadMappings(fHandle)
+ if err != nil {
+ return fmt.Errorf("failed to load mappings from '%s': %v", csvFile, err)
+ }
+ mappings.If =
"ctx._temp_?.orig_security != null" + mappings.Lang = "painless" + mappings.Source = painless + processors := []map[string]interface{}{ + { + "script": mappings, + }, + } + body, err := yaml.Marshal(processors) + if err != nil { + return fmt.Errorf("error marshalling output yaml: %v", err) + } + var content []byte + content = append(content, begin...) + content = append(content, body...) + content = append(content, end...) + n, err := outHandle.Write(content) + if err != nil { + return errors.Wrap(err, "failed writing output file") + } + if n != len(content) { + return fmt.Errorf("short write on output file. expected=%d, written=%d", len(content), n) + } + return nil +} + +func loadMappings(reader io.Reader) (m mappings, err error) { + csvReader := csv.NewReader(reader) + csvReader.FieldsPerRecord = -1 + allIDs := newStringSet(nil) + for lineNum := 1; ; lineNum++ { + record, err := csvReader.Read() + if err == io.EOF { + break + } + if err != nil { + return m, errors.Wrapf(err, "failed reading line %d", lineNum) + } + if len(record) < 3 { + return m, fmt.Errorf("line %d has unexpected number of columns: %d", lineNum, len(record)) + } + ids := newStringSet(record[1:2]) + m.merge(&fieldMapping{ + name: record[2], + ID: ids, + ECS: newStringSet(makeTempFields(record[3:])), + Target: snakeCase(record[2]), + }) + allIDs.merge(ids) + } + + // fields that are used by all IDs are equivalent to an empty ID list + for k := range m.Params { + if m.Params[k].ID.equal(allIDs) { + m.Params[k].ID = newStringSet(nil) + } + } + return m, nil +} + +func (m *mappings) merge(f *fieldMapping) { + if other, found := m.Params[f.name]; found { + other.ID.merge(f.ID) + other.ECS.merge(f.ECS) + return + } + if m.Params == nil { + m.Params = make(map[string]*fieldMapping) + } + m.Params[f.name] = f +} + +func makeTempFields(fields []string) []string { + for idx, field := range fields { + if strings.Index(field, filesetFieldsBase) == 0 { + fields[idx] = tmpFieldsFieldsBase + 
field[len(filesetFieldsBase):]
+ }
+ }
+ return fields
+}
+
+func snakeCase(in string) string {
+ // This is copied from the netflow input with two changes:
+ // - handle spaces
+ // - treat digits as uppercase
+ if strings.ContainsRune(in, ' ') {
+ in = strings.ReplaceAll(in, " ", "_")
+ }
+ if strings.ContainsRune(in, '_') {
+ return strings.ToLower(in)
+ }
+
+ out := make([]rune, 0, len(in)+4)
+ runes := []rune(in)
+ upperCount := 1
+ for _, r := range runes {
+ lr := unicode.ToLower(r)
+ isUpper := lr != r || (r >= '0' && r <= '9')
+ if isUpper {
+ if upperCount == 0 {
+ out = append(out, '_')
+ }
+ upperCount++
+ } else {
+ if upperCount > 2 {
+ // Some magic here:
+ // NetFlow usually lowercases all but the first letter of an
+ // acronym (Icmp) Except when it is 2 characters long: (IP).
+ // In other cases, it keeps all caps, but if we have a run of
+ // more than 2 uppercase chars, then the last char belongs to
+ // the next word:
+ // postNATSourceIPv4Address : post_nat_source_ipv4_address
+ // selectorIDTotalFlowsObserved : selector_id_total_flows_...
+ out = append(out, '_')
+ n := len(out) - 1
+ out[n], out[n-1] = out[n-1], out[n]
+ }
+ upperCount = 0
+ }
+ out = append(out, lr)
+ }
+ return string(out)
+}
diff --git a/x-pack/filebeat/module/cisco/shared/gen.go b/x-pack/filebeat/module/cisco/shared/gen.go
new file mode 100644
index 000000000000..92f3231ca58e
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/gen.go
@@ -0,0 +1,8 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package shared
+
+//go:generate go run gen-ftd-ecs-mapping.go stringset.go -output ecs-mapping-processor.yml security-mappings.csv
+//go:generate go run gen-ecs-mapping-docs.go stringset.go -output ecs-mapping-docs.asciidoc security-mappings.csv
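Review bot: In the `painless` constant, the fallback that infers `_temp_.cisco.message_id` when the syslog header carried none selects the ID with the most matched keys via `best.getValue() < entry.getValue()`, so a tie between two candidate IDs is left to `HashMap` iteration order, which is not guaranteed, and the same event could be classified under different IDs. A deterministic tie-break (for example, also comparing `best.getKey()` with `entry.getKey()` when the counts are equal) plus a comment such as `// pre-6.3 FTD omits the message ID; infer it from which security-event keys are present, lowest ID wins ties` would make the heuristic explicit and reproducible, and since the generated script writes into whatever ECS fields the CSV names via `appendOrCreate(ctx, field.splitOnToken('.'), ...)`, the `go:generate` lines in gen.go deserve a comment saying the CSV is the source of truth for that routing. As a point of style, `makeTempFields` spells a prefix test as `strings.Index(field, filesetFieldsBase) == 0`, where `strings.HasPrefix(field, filesetFieldsBase)` reads better and `strings.TrimPrefix` would replace the manual slice. The loop body of `appendOrCreate` in this hunk appears garbled by extraction (`for (int i=0; i new HashMap());`), so that part could not be reviewed.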
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
new file mode 100644
index 000000000000..a6ece4608b5d
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -0,0 +1,1202 @@
+description: "Pipeline for Cisco {< .internal_PREFIX >} logs"
+processors:
+
+#
+# Parse the syslog header
+#
+# This populates the host.hostname, process.name, timestamp and other fields
+# from the header and stores the message contents in log.original.
+ - grok:
+ field: message
+ patterns:
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}"
+ pattern_definitions:
+ SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date})?(?:\\s+%{SYSLOGHOST:host.hostname})?(?: %{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?(?:{DATA})?%{SYSLOG_END}"
+ SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+ # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
+ FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
+ ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
+ PROCESS: "(?:[^\\s:\\[]+)"
+ SYSLOG_END: "(?::|\\s\\s+)"
+
+#
+# Parse FTD/ASA style message
+#
+# This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
+ - grok:
+ field: log.original
+ patterns:
+ - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
+ # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
+ - "%{GREEDYDATA:message}"
+ pattern_definitions:
+ FTD_SUFFIX: "[^0-9-]+"
+ # Before version 6.3, FTD used ASA prefix in syslog messages
+ FTD_PREFIX: "%{DATA}%(?:FTD|ASA)"
+
+#
+# Create missing fields when no %FTD label is present
+#
+# message_id is needed in order for some processors below to work.
+ - set:
+ field: _temp_.cisco.message_id
+ value: ''
+ if: "ctx?._temp_?.cisco?.message_id == null"
+
+#
+# set default event.severity to 7 (debug):
+#
+# This value is read from the EMBLEM header and won't be present if this is not
+# an emblem message (firewalls can be configured to report other kinds of events)
+# This has no effect unless var.log_level is above 7 (default) to filter some
+# messages.
+ - set:
+ field: event.severity
+ value: 7
+ if: "ctx?.event?.severity == null"
+
+#
+# Drop messages above configured log_level
+#
+ - drop:
+ if: "ctx.event.severity > {< .log_level >}"
+
+#
+# Parse the date included in FTD logs
+#
+ - date:
+ field: "_temp_.raw_date"
+ ignore_failure: true
+ formats:
+ - "ISO8601"
+ - "MMM d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ - date:
+ if: "ctx.event.timezone != null"
+ field: "@timestamp"
+ formats: ["ISO8601"]
+ timezone: "{{ event.timezone }}"
+ on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+
+#
+# Set log.level
+#
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 0"
+ value: unknown
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 1"
+ value: alert
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 2"
+ value: critical
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 3"
+ value: error
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 4"
+ value: warning
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 5"
+ value: notification
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 6"
+ value: informational
+ - set:
+ field:
"log.level" + if: "ctx.event.severity == 7" + value: debug + +# +# Firewall messages +# +# This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + value: inbound + - dissect: + if: 
"ctx._temp_.cisco.message_id == '106014'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip} %{}dst %{_temp_.cisco.destination_interface}:%{destination.ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + pattern: "%{event.outcome} %{network.transport} src 
%{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + pattern: "%{} %{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{_temp_.cisco.list_id}\"" + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.ip}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.ip}(%{destination.port}) %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106103'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + value: allow + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + pattern: "%{event.outcome} %{network.transport} 
type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.ip} on interface %{_temp_.cisco.source_interface} to %{destination.ip}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "message" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} 
(%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) 
to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: 
%{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.ip" + value: "{{destination.ip}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + value: "{{destination.port}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.ip" + value: "{{source.ip}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + value: "{{source.port}}" + +# +# Handle 302xxx messages (Flow expiration a.k.a "Teardown") +# + - set: + if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)" + field: "event.action" + value: "flow-expiration" + - grok: + field: "message" + if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)" + patterns: + - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} 
(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" + - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{IP:source.ip}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?gaddr (?:%{NOTCOLON}:)?%{IP}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.destination_interface}:)?%{IP:destination.ip}/%{NUMBER:destination.port:int}(?: %{NOTSPACE:_temp_.cisco.destination_username})?%{GREEDYDATA}" + pattern_definitions: + NOTCOLON: "[^:]*" + +# +# Decode FTD's Security Event Syslog Messages +# +# 43000x messages are security event syslog messages specific to FTD. +# Format is a comma-separated sequence of key: value pairs. +# +# The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + field_split: "," + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + +# +# Remove message. +# +# The field has been used as temporary buffer while decoding. The full message +# is kept log.original. Processors below can still add a message field, as some +# security events contain an explanatory Message field. + - remove: + field: + - message + ignore_missing: true + +# +# Populate ECS fields from Security Events +# +# This script uses the key-value pairs from Security Events to populate +# the appropriate ECS fields. +# +# A single key can be mapped to multiple ECS fields, and more than one key can +# map to the same ECS field, which results in an array being created. +# +# This script performs an additional job: +# +# Before FTD version 6.3, the message_id was not included in Security Events. +# As this field encodes the kind of event (intrusion, connection, malware...) 
+# the script below will guess the right message_id from the keys present in +# the event. +# +# The reason for overloading this script with different behaviors is +# that this pipeline is already reaching the limit on script compilations. +# +#******************************************************************************* +# Code generated by go generate. DO NOT EDIT. +#******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.ip] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.ip] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.ip] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); +#******************************************************************************* +# End of generated code. 
+#******************************************************************************* + + +# +# Normalize ECS field values +# + - script: + lang: painless + params: + 'ctx._temp_.cisco.message_id': + target: event.action + map: + '430001': intrusion-detected + '430002': connection-started + '430003': connection-finished + '430004': file-detected + '430005': malware-detected + + 'dns.question.type': + map: + 'a host address': A + 'ip6 address': AAAA + 'text strings': TXT + 'a domain name pointer': PTR + 'an authoritative name server': NS + 'the canonical name for an alias': CNAME + 'marks the start of a zone of authority': SOA + 'mail exchange': MX + 'server selection': SRV + + 'dns.response_code': + map: + 'non-existent domain': NXDOMAIN + 'server failure': SERVFAIL + 'query refused': REFUSED + 'no error': NOERROR + + source: | + def getField(Map src, String[] path) { + for (int i=0; i new HashMap()); + } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } + + - set: + if: 'ctx.dns?.question?.type != null && ctx.dns?.response_code == null' + field: dns.response_code + value: NOERROR + + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + 
value: malware-detected + +# +# Handle event.duration +# +# It can be set from ConnectionDuration FTD field above. This field holds +# seconds as a string. Copy it to _temp_.duration_hms so that the following +# processor converts it to the right value and populates start and end. + - set: + field: '_temp_.duration_hms' + value: '{{event.duration}}' + if: 'ctx.event?.duration != null' + +# +# Process the flow duration "hh:mm:ss" present in some messages +# This will fill event.start, event.end and event.duration +# + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + +# +# Normalize protocol names +# + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + +# +# Populate network.iana_number from network.transport. Also does reverse +# mapping in case network.transport contains the iana_number. 
+# + - script: + if: 'ctx?.network?.transport != null' + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + +# +# Normalize event.outcome +# + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"est-allowed\"" + value: allow + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"permitted\"" + value: allow + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"denied\"" + value: deny + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"dropped\"" + value: deny + + - set: + field: "network.transport" + if: "ctx.network?.transport == \"icmpv6\"" + value: "ipv6-icmp" + +# +# Convert integer fields, as output of dissect and kv processors is always a string +# + - convert: + field: "source.port" + type: integer + ignore_failure: true + - convert: + field: "destination.port" + type: integer + ignore_failure: true + - convert: + field: "source.bytes" + type: integer + ignore_failure: true + - convert: + field: "destination.bytes" + type: integer + ignore_failure: true + - convert: + field: "source.packets" + type: integer + ignore_failure: true + - convert: + field: "destination.packets" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.mapped_source_port" + type: integer + 
ignore_failure: true + - convert: + field: "_temp_.cisco.mapped_destination_port" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.icmp_code" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.icmp_type" + type: integer + ignore_failure: true + - convert: + field: "network.iana_number" + type: integer + ignore_failure: true + +# +# Geolocation for source and destination addresses +# + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + +# +# IP Autonomous System (AS) Lookup +# + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +# +# NAT fields +# +# The firewall always populates mapped ip and port even if there was no NAT. +# This populates both nat.ip and nat.port only when some translation is done. +# Fills nat.ip and nat.port even when only the ip or port changed. 
+ - set: + field: source.nat.ip + value: "{{_temp_.cisco.mapped_source_ip}}" + if: "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" + - set: + field: source.nat.port + value: "{{_temp_.cisco.mapped_source_port}}" + if: "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" + - set: + field: destination.nat.ip + value: "{{_temp_.cisco.mapped_destination_ip}}" + if: "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" + - set: + field: destination.nat.port + value: "{{_temp_.cisco.mapped_destination_port}}" + if: "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" + +# +# Populate ECS event.code +# + - convert: + field: _temp_.cisco.message_id + target_field: event.code + type: integer + ignore_failure: true + + - remove: + field: + - _temp_.cisco.message_id + - event.code + if: 'ctx._temp_.cisco.message_id == ""' + ignore_failure: true + +# +# Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. +# + - rename: + field: _temp_.cisco + target_field: 'cisco.{< .internal_prefix >}' + ignore_failure: true + +# +# Remove temporary fields +# + - remove: + field: _temp_ + ignore_missing: true + +# +# Rename some 7.x fields +# + - rename: + field: log.original + target_field: event.original + ignore_missing: true + - rename: + field: cisco.{< .internal_prefix >}.list_id + target_field: cisco.{< .internal_prefix >}.rule_name + ignore_missing: true + +on_failure: + - append: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" 
diff --git a/x-pack/filebeat/module/cisco/shared/security-mappings.csv b/x-pack/filebeat/module/cisco/shared/security-mappings.csv new file mode 100644 index 000000000000..9e3d42d0aebb --- /dev/null +++ b/x-pack/filebeat/module/cisco/shared/security-mappings.csv 
@@ -0,0 +1,215 @@
+intrusion,430001,ACPolicy,
+intrusion,430001,ApplicationProtocol,network.protocol
+intrusion,430001,Classification,
+intrusion,430001,Client,
+intrusion,430001,DstIP,destination.ip
+intrusion,430001,DstPort,destination.port
+intrusion,430001,EgressInterface,cisco.ftd.destination_interface
+intrusion,430001,EgressZone,
+intrusion,430001,GID,service.id
+intrusion,430001,HTTPResponse,http.response.status_code
+intrusion,430001,ICMPCode,
+intrusion,430001,ICMPType,
+intrusion,430001,IngressInterface,cisco.ftd.source_interface
+intrusion,430001,IngressZone,
+intrusion,430001,InlineResult,event.outcome
+intrusion,430001,IntrusionPolicy,cisco.ftd.rule_name
+intrusion,430001,MPLS_Label,
+intrusion,430001,Message,message
+intrusion,430001,NAPPolicy,
+intrusion,430001,NumIOC,
+intrusion,430001,Priority,
+intrusion,430001,Protocol,network.transport
+intrusion,430001,Revision,
+intrusion,430001,SID,
+intrusion,430001,SSLActualAction,
+intrusion,430001,SrcIP,source.ip
+intrusion,430001,SrcPort,source.port
+intrusion,430001,User,user.id,user.name
+intrusion,430001,VLAN_ID,
+intrusion,430001,WebApplication,network.application
+flow_start,430002,AccessControlRuleAction,event.outcome
+flow_start,430002,AccessControlRuleName,cisco.ftd.rule_name
+flow_start,430002,AccessControlRuleReason,
+flow_start,430002,ACPolicy,cisco.ftd.rule_name
+flow_start,430002,ApplicationProtocol,network.protocol
+flow_start,430002,Client,
+flow_start,430002,ClientVersion,
+flow_start,430002,DNS_Sinkhole,
+flow_start,430002,DNS_TTL,
+flow_start,430002,DNSQuery,dns.question.name
+flow_start,430002,DNSRecordType,dns.question.type
+flow_start,430002,DNSResponseType,dns.response_code
+flow_start,430002,DNSSICategory,
+flow_start,430002,DstIP,destination.ip
+flow_start,430002,DstPort,destination.port
+flow_start,430002,EgressInterface,cisco.ftd.destination_interface
+flow_start,430002,EgressZone,
+flow_start,430002,Endpoint Profile,
+flow_start,430002,FileCount,
+flow_start,430002,HTTPReferer,http.request.referrer
+flow_start,430002,HTTPResponse,http.response.status_code
+flow_start,430002,ICMPCode,
+flow_start,430002,ICMPType,
+flow_start,430002,IngressInterface,cisco.ftd.source_interface
+flow_start,430002,IngressZone,
+flow_start,430002,IPReputationSICategory,
+flow_start,430002,IPSCount,
+flow_start,430002,NAPPolicy,
+flow_start,430002,NetBIOSDomain,host.hostname
+flow_start,430002,originalClientSrcIP,client.ip
+flow_start,430002,Prefilter Policy,
+flow_start,430002,Protocol,network.transport
+flow_start,430002,ReferencedHost,url.domain
+flow_start,430002,SecIntMatchingIP,
+flow_start,430002,Security Group,
+flow_start,430002,SrcIP,source.ip
+flow_start,430002,SrcPort,source.port
+flow_start,430002,SSLActualAction,event.outcome
+flow_start,430002,SSLCertificate,
+flow_start,430002,SSLExpectedAction,
+flow_start,430002,SSLFlowStatus,
+flow_start,430002,SSLPolicy,
+flow_start,430002,SSLRuleName,
+flow_start,430002,SSLServerCertStatus,
+flow_start,430002,SSLServerName,server.domain
+flow_start,430002,SSLSessionID,
+flow_start,430002,SSLTicketID,
+flow_start,430002,SSLURLCategory,
+flow_start,430002,SSLVersion,
+flow_start,430002,SSSLCipherSuite,
+flow_start,430002,TCPFlags,
+flow_start,430002,Tunnel or Prefilter Rule,
+flow_start,430002,URL,url.original
+flow_start,430002,URLCategory,
+flow_start,430002,URLReputation,
+flow_start,430002,URLSICategory,
+flow_start,430002,User,user.name
+flow_start,430002,UserAgent,user_agent.original
+flow_start,430002,VLAN_ID,
+flow_start,430002,WebApplication,network.application
+flow_end,430003,AccessControlRuleAction,event.outcome
+flow_end,430003,AccessControlRuleName,cisco.ftd.rule_name
+flow_end,430003,AccessControlRuleReason,
+flow_end,430003,ACPolicy,cisco.ftd.rule_name
+flow_end,430003,ApplicationProtocol,network.protocol
+flow_end,430003,Client,
+flow_end,430003,ClientVersion,
+flow_end,430003,ConnectionDuration,event.duration
+flow_end,430003,DNS_Sinkhole,
+flow_end,430003,DNS_TTL,
+flow_end,430003,DNSQuery,dns.question.name
+flow_end,430003,DNSRecordType,dns.question.type
+flow_end,430003,DNSResponseType,dns.response_code
+flow_end,430003,DNSSICategory,
+flow_end,430003,DstIP,destination.ip
+flow_end,430003,DstPort,destination.port
+flow_end,430003,EgressInterface,cisco.ftd.destination_interface
+flow_end,430003,EgressZone,
+flow_end,430003,Endpoint Profile,
+flow_end,430003,FileCount,
+flow_end,430003,HTTPReferer,http.request.referrer
+flow_end,430003,HTTPResponse,http.response.status_code
+flow_end,430003,ICMPCode,
+flow_end,430003,ICMPType,
+flow_end,430003,IngressInterface,cisco.ftd.source_interface
+flow_end,430003,IngressZone,
+flow_end,430003,InitiatorBytes,source.bytes
+flow_end,430003,InitiatorPackets,source.packets
+flow_end,430003,IPReputationSICategory,
+flow_end,430003,IPSCount,
+flow_end,430003,NAPPolicy,
+flow_end,430003,NetBIOSDomain,host.hostname
+flow_end,430003,originalClientSrcIP,client.ip
+flow_end,430003,Prefilter Policy,
+flow_end,430003,Protocol,network.transport
+flow_end,430003,ReferencedHost,url.domain
+flow_end,430003,ResponderBytes,destination.bytes
+flow_end,430003,ResponderPackets,destination.packets
+flow_end,430003,SecIntMatchingIP,
+flow_end,430003,Security Group,
+flow_end,430003,SrcIP,source.ip
+flow_end,430003,SrcPort,source.port
+flow_end,430003,SSLActualAction,event.outcome
+flow_end,430003,SSLCertificate,
+flow_end,430003,SSLExpectedAction,
+flow_end,430003,SSLFlowStatus,
+flow_end,430003,SSLPolicy,
+flow_end,430003,SSLRuleName,
+flow_end,430003,SSLServerCertStatus,
+flow_end,430003,SSLServerName,server.domain
+flow_end,430003,SSLSessionID,
+flow_end,430003,SSLTicketID,
+flow_end,430003,SSLURLCategory,
+flow_end,430003,SSLVersion,
+flow_end,430003,SSSLCipherSuite,
+flow_end,430003,TCPFlags,
+flow_end,430003,Tunnel or Prefilter Rule,
+flow_end,430003,URL,url.original
+flow_end,430003,URLCategory,
+flow_end,430003,URLReputation,
+flow_end,430003,URLSICategory,
+flow_end,430003,User,user.name
+flow_end,430003,UserAgent,user_agent.original
+flow_end,430003,VLAN_ID,
+flow_end,430003,WebApplication,network.application
+file,430004,ApplicationProtocol,network.protocol
+file,430004,ArchiveDepth,
+file,430004,ArchiveFileName,file.name
+file,430004,ArchiveFileStatus,
+file,430004,ArchiveSHA256,file.hash.sha256
+file,430004,Client,network.application
+file,430004,DstIP,destination.ip
+file,430004,DstPort,destination.port
+file,430004,FileAction,
+file,430004,FileDirection,
+file,430004,FileName,file.name
+file,430004,FilePolicy,cisco.ftd.rule_name
+file,430004,FileSandboxStatus,
+file,430004,FileSHA256,file.hash.sha256
+file,430004,FileSize,file.size
+file,430004,FileStorageStatus,
+file,430004,FileType,
+file,430004,FirstPacketSecond,event.start
+file,430004,Protocol,network.transport
+file,430004,SHA_Disposition,
+file,430004,SperoDisposition,
+file,430004,SrcIP,source.ip
+file,430004,SrcPort,source.port
+file,430004,SSLActualAction,
+file,430004,SSLCertificate,
+file,430004,SSLFlowStatus,
+file,430004,URI,url.original
+file,430004,User,user.name
+file,430004,WebApplication,network.application
+malware,430005,ApplicationProtocol,network.protocol
+malware,430005,ArchiveDepth,
+malware,430005,ArchiveFileName,file.name
+malware,430005,ArchiveFileStatus,
+malware,430005,ArchiveSHA256,file.hash.sha256
+malware,430005,Client,network.application
+malware,430005,DstIP,destination.ip
+malware,430005,DstPort,destination.port
+malware,430005,FileAction,
+malware,430005,FileDirection,
+malware,430005,FileName,file.name
+malware,430005,FilePolicy,cisco.ftd.rule_name
+malware,430005,FileSandboxStatus,
+malware,430005,FileSHA256,file.hash.sha256
+malware,430005,FileSize,file.size
+malware,430005,FileStorageStatus,
+malware,430005,FileType,
+malware,430005,FirstPacketSecond,event.start
+malware,430005,Protocol,network.transport
+malware,430005,SHA_Disposition,
+malware,430005,SperoDisposition,
+malware,430005,SrcIP,source.ip
+malware,430005,SrcPort,source.port +malware,430005,SSLActualAction, +malware,430005,SSLCertificate, +malware,430005,SSLFlowStatus, +malware,430005,ThreatName,cisco.ftd.threat_category +malware,430005,ThreatScore,cisco.ftd.threat_level +malware,430005,URI,url.original +malware,430005,User,user.name +malware,430005,WebApplication,network.application diff --git a/x-pack/filebeat/module/cisco/shared/stringset.go b/x-pack/filebeat/module/cisco/shared/stringset.go new file mode 100644 index 000000000000..8e1ecf3cdc00 --- /dev/null +++ b/x-pack/filebeat/module/cisco/shared/stringset.go @@ -0,0 +1,56 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build ignore + +package main + +import ( + "sort" + "strings" +) + +type stringSet map[string]struct{} + +func newStringSet(list []string) stringSet { + r := stringSet{} + for _, value := range list { + if len(value) != 0 { + r[value] = struct{}{} + } + } + return r +} + +func (set stringSet) merge(o stringSet) { + for key := range o { + set[key] = struct{}{} + } +} + +func (set stringSet) equal(other stringSet) bool { + if len(set) != len(other) { + return false + } + for k := range set { + if _, found := other[k]; !found { + return false + } + } + return true +} + +func (set stringSet) MarshalYAML() (interface{}, error) { + keys := make([]string, 0, len(set)) + for key := range set { + keys = append(keys, key) + } + sort.Strings(keys) + return keys, nil +} + +func (set stringSet) String() string { + yaml, _ := set.MarshalYAML() + return strings.Join(yaml.([]string), ", ") +} diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 43548b44d434..2b2ea2461cc8 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled 
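Review bot: The `User` row for 430001 maps to both `user.id` and `user.name` (`intrusion,430001,User,user.id,user.name`) while every other event type maps `User` to `user.name` only, and the generated pipeline params merge a key's targets across event types without scoping them to the id list (`User: target: user ecs: [user.id, user.name]`, applied by the script to every key present regardless of message id), so `user.id` ends up populated for connection, file and malware events as well. Either the row should read `intrusion,430001,User,user.name`, or the extra target should be given to all event types on purpose; the same cross-type merge sends `Client` to `network.application` for 430001-430003 even though those rows leave the target empty. Whether FTD's `User` value is an identifier or a display name is not established here, so the intended ECS field should be confirmed against the vendor documentation before choosing.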
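Review bot: `String` obtains its sorted key list by calling `MarshalYAML`, discarding the error with `yaml, _ :=` and then type-asserting `yaml.([]string)`; the error is always nil today, but the ignored error has no justifying comment and the assertion would panic if `MarshalYAML` ever returned another shape. A `sortedKeys` helper shared by both methods removes the ignored error and the assertion, as sketched below. `newStringSet` also silently drops empty strings, which looks intended for the blank ECS cells of the mappings CSV; a comment such as `// newStringSet builds a set from list, skipping empty strings (blank CSV cells).` would make that explicit.
```go
// sortedKeys returns the members of the set in lexical order.
func (set stringSet) sortedKeys() []string {
	keys := make([]string, 0, len(set))
	for key := range set {
		keys = append(keys, key)
	}
	sort.Strings(keys)
	return keys
}

func (set stringSet) MarshalYAML() (interface{}, error) {
	return set.sortedKeys(), nil
}

func (set stringSet) String() string {
	return strings.Join(set.sortedKeys(), ", ")
}
```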
@@ -20,6 +20,24 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true