Fix Cisco ASA and FTD parsing of unexpected domain names (#14035)
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending on whether it's a valid IP address or not.

Fixes #14034
adriansr authored Oct 14, 2019
1 parent f20aee7 commit a678bc9
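The ECS rule the commit message describes, as an added example in Go that is not part of this commit or of the beats code base: it takes the body of a Cisco FTD message in its "Key: Value, Key: Value" form, looks up the SrcIP, DstIP and originalClientSrcIP fields named in the module docs, writes the raw value to the ECS .address field and then, depending on whether net.ParseIP accepts it, to .ip or to .domain. The sample message bodies and the function names are constructed for this example; the real module does this inside an Elasticsearch ingest pipeline, not in Go.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Added example, not beats code: apply the ECS address/ip/domain rule from the
// commit message to Cisco FTD "Key: Value, Key: Value" message bodies.

// ecsPrefixes maps the FTD fields the module docs list to their ECS objects
// (SrcIP -> source, DstIP -> destination, originalClientSrcIP -> client).
var ecsPrefixes = map[string]string{
	"SrcIP":               "source",
	"DstIP":               "destination",
	"originalClientSrcIP": "client",
}

// SetECSAddress stores raw in <prefix>.address and then, per ECS, in
// <prefix>.ip when it parses as an IPv4 or IPv6 address, or in
// <prefix>.domain otherwise. Exactly one of .ip/.domain is set.
func SetECSAddress(event map[string]string, prefix, raw string) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return
	}
	event[prefix+".address"] = raw
	if net.ParseIP(raw) != nil {
		event[prefix+".ip"] = raw
	} else {
		event[prefix+".domain"] = raw
	}
}

// ParseFTDFields splits an FTD message body into its key/value pairs.
// A value that itself contains ", " (for example a URL with a query string)
// would be cut short; the example keeps the split deliberately simple.
func ParseFTDFields(body string) map[string]string {
	fields := make(map[string]string)
	for _, kv := range strings.Split(body, ", ") {
		parts := strings.SplitN(kv, ": ", 2)
		if len(parts) != 2 {
			continue
		}
		fields[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return fields
}

// MapFTDAddresses returns the ECS address fields for one FTD message body.
func MapFTDAddresses(body string) map[string]string {
	fields := ParseFTDFields(body)
	event := make(map[string]string)
	for ftdName, prefix := range ecsPrefixes {
		if raw, ok := fields[ftdName]; ok {
			SetECSAddress(event, prefix, raw)
		}
	}
	return event
}

func main() {
	// Constructed sample bodies modelled on the FTD connection-event syntax.
	// The second one carries a host name in SrcIP, the case issue #14034 is about.
	samples := []string{
		"AccessControlRuleAction: Allow, SrcIP: 10.1.1.1, DstIP: 93.184.216.34, SrcPort: 51234, DstPort: 443, Protocol: tcp",
		"AccessControlRuleAction: Block, SrcIP: workstation-7.corp.example, DstIP: 2001:db8::10, originalClientSrcIP: 198.51.100.7, Protocol: tcp",
	}
	for _, body := range samples {
		fmt.Println(MapFTDAddresses(body))
	}
}
```

The point a detection engineer should take from this: after the fix, a rule keyed on source.ip still fires for real addresses, but an event whose SrcIP was a host name lands only in source.address and source.domain, so searches that need to cover both cases should key on source.address.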
Showing 17 changed files with 646 additions and 79 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -166,6 +166,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909]
- Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907]
- Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914]
- Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034]

*Heartbeat*

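Review bot: the new changelog entry cites only {issue}14034[14034], while the three entries above it in this hunk each carry both an {issue} and a {pull} reference; append `{pull}14035[14035]` (the PR number in the commit title) so the entry follows the same convention.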
14 changes: 7 additions & 7 deletions filebeat/docs/modules/cisco.asciidoc
Expand Up @@ -124,7 +124,7 @@ Mappings for Intrusion events fields:
|====================================
| FTD Field | Mapped fields
| ApplicationProtocol | network.protocol
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| GID | service.id
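Review bot: changing the row to `| DstIP | destination.address` alone reads as if destination.ip is no longer populated, which operators with dashboards or detection rules keyed on destination.ip will take as a breaking change; the commit message says the pipeline still fills destination.ip (or destination.domain) from the same value, so the row should list all of them, e.g. `| DstIP | destination.address, destination.ip, destination.domain`, with a sentence above the table saying that only one of .ip/.domain is set per event. This file is the generated copy, so make the wording change in x-pack/filebeat/module/cisco/_meta/docs.asciidoc as well.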
Expand All @@ -134,7 +134,7 @@ Mappings for Intrusion events fields:
| IntrusionPolicy | cisco.ftd.rule_name
| Message | message
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| User | user.id, user.name
| WebApplication | network.application
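Review bot: the `| User | user.id, user.name` row in this hunk already shows the table's convention for a field that fans out into several ECS fields, so `| SrcIP | source.address` should use it too: `| SrcIP | source.address, source.ip, source.domain`. Listing only source.address hides the fact that source.ip is still set whenever the value is a valid address.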
Expand All @@ -152,7 +152,7 @@ Mappings for Connection and Security Intelligence events fields:
| DNSQuery | dns.question.name
| DNSRecordType | dns.question.type
| DNSResponseType | dns.response_code
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| HTTPReferer | http.request.referrer
Expand All @@ -167,13 +167,13 @@ Mappings for Connection and Security Intelligence events fields:
| ResponderPackets | destination.packets
| SSLActualAction | event.outcome
| SSLServerName | server.domain
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URL | url.original
| User | user.name
| UserAgent | user_agent.original
| WebApplication | network.application
| originalClientSrcIP | client.ip
| originalClientSrcIP | client.address
|====================================

Mappings for File and Malware events fields:
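Review bot: `| originalClientSrcIP | client.address` sits in a table whose `| SSLServerName | server.domain` row is unchanged, so a reader now sees server.domain documented but no client.ip or client.domain; since the field name promises an IP, state explicitly that client.ip is set when the value parses as an address and client.domain otherwise, the same treatment SrcIP and DstIP get in the rows above.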
Expand All @@ -184,15 +184,15 @@ Mappings for File and Malware events fields:
| ArchiveFileName | file.name
| ArchiveSHA256 | file.hash.sha256
| Client | network.application
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| FileName | file.name
| FilePolicy | cisco.ftd.rule_name
| FileSHA256 | file.hash.sha256
| FileSize | file.size
| FirstPacketSecond | event.start
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URI | url.original
| User | user.name
14 changes: 7 additions & 7 deletions x-pack/filebeat/module/cisco/_meta/docs.asciidoc
Expand Up @@ -119,7 +119,7 @@ Mappings for Intrusion events fields:
|====================================
| FTD Field | Mapped fields
| ApplicationProtocol | network.protocol
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| GID | service.id
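Review bot: the changes in this file and in filebeat/docs/modules/cisco.asciidoc are identical line for line, which is expected because the filebeat/docs copy is generated from this _meta/docs.asciidoc; confirm the generated copy came from the docs build rather than a hand edit, and make any further wording change (such as listing destination.ip and destination.domain next to destination.address) here first so the next regeneration does not revert it.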
Expand All @@ -129,7 +129,7 @@ Mappings for Intrusion events fields:
| IntrusionPolicy | cisco.ftd.rule_name
| Message | message
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| User | user.id, user.name
| WebApplication | network.application
Expand All @@ -147,7 +147,7 @@ Mappings for Connection and Security Intelligence events fields:
| DNSQuery | dns.question.name
| DNSRecordType | dns.question.type
| DNSResponseType | dns.response_code
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| HTTPReferer | http.request.referrer
Expand All @@ -162,13 +162,13 @@ Mappings for Connection and Security Intelligence events fields:
| ResponderPackets | destination.packets
| SSLActualAction | event.outcome
| SSLServerName | server.domain
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URL | url.original
| User | user.name
| UserAgent | user_agent.original
| WebApplication | network.application
| originalClientSrcIP | client.ip
| originalClientSrcIP | client.address
|====================================

Mappings for File and Malware events fields:
Expand All @@ -179,15 +179,15 @@ Mappings for File and Malware events fields:
| ArchiveFileName | file.name
| ArchiveSHA256 | file.hash.sha256
| Client | network.application
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| FileName | file.name
| FilePolicy | cisco.ftd.rule_name
| FileSHA256 | file.hash.sha256
| FileSize | file.size
| FirstPacketSecond | event.start
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URI | url.original
| User | user.name