From a678bc9f4c4357df4d96dbbd62b15a89d2614093 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 14 Oct 2019 19:26:12 +0200
Subject: [PATCH] Fix Cisco ASA and FTD parsing of unexpected domain names (#14035)

This patch makes the Cisco ASA and FTD ingest pipeline handle the case where a domain name is found for a field where an IP is expected according to the documentation. To do so it follows ECS guidelines, setting .address to be the raw value and .ip or .domain from it, depending if it's a valid IP address or not. Fixes #14034
---
 CHANGELOG.next.asciidoc | 1 +
 filebeat/docs/modules/cisco.asciidoc | 14 +-
 .../filebeat/module/cisco/_meta/docs.asciidoc | 14 +-
 .../cisco/asa/test/asa.log-expected.json | 92 ++++++++++++
 .../cisco/asa/test/filtered.log-expected.json | 2 +
 .../filebeat/module/cisco/asa/test/not-ip.log | 1 +
 .../cisco/asa/test/not-ip.log-expected.json | 34 +++++
 .../cisco/asa/test/sample.log-expected.json | 115 +++++++++++++++
 .../cisco/ftd/test/asa.log-expected.json | 92 ++++++++++++
 .../cisco/ftd/test/dns.log-expected.json | 42 ++++++
 .../ftd/test/intrusion.log-expected.json | 4 +
 .../ftd/test/no-type-id.log-expected.json | 4 +
 .../cisco/ftd/test/sample.log-expected.json | 115 +++++++++++++++
 .../security-connection.log-expected.json | 20 +++
 .../security-file-malware.log-expected.json | 20 +++
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 131 +++++++++++------
 .../module/cisco/shared/security-mappings.csv | 24 ++--
 17 files changed, 646 insertions(+), 79 deletions(-)
 create mode 100644 x-pack/filebeat/module/cisco/asa/test/not-ip.log
 create mode 100644 x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 5a511af1ac0..b737561b1d4 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -166,6 +166,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909]
 - Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907]
 - Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914]
+- Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
index c94a5fa04b2..fed8f254566 100644
--- a/filebeat/docs/modules/cisco.asciidoc
+++ b/filebeat/docs/modules/cisco.asciidoc
@@ -124,7 +124,7 @@ Mappings for Intrusion events fields:
 |====================================
 | FTD Field | Mapped fields
 | ApplicationProtocol | network.protocol
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | GID | service.id
@@ -134,7 +134,7 @@ Mappings for Intrusion events fields:
 | IntrusionPolicy | cisco.ftd.rule_name
 | Message | message
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | User | user.id, user.name
 | WebApplication | network.application
@@ -152,7 +152,7 @@ Mappings for Connection and Security Intelligence events fields:
 | DNSQuery | dns.question.name
 | DNSRecordType | dns.question.type
 | DNSResponseType | dns.response_code
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | HTTPReferer | http.request.referrer
@@ -167,13 +167,13 @@ Mappings for Connection and Security Intelligence events fields:
 | ResponderPackets | destination.packets
 | SSLActualAction | event.outcome
 | SSLServerName | server.domain
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URL | url.original
 | User | user.name
 | UserAgent | user_agent.original
 | WebApplication | network.application
-| originalClientSrcIP | client.ip
+| originalClientSrcIP | client.address
 |====================================
 
 Mappings for File and Malware events fields:
@@ -184,7 +184,7 @@ Mappings for File and Malware events fields:
 | ArchiveFileName | file.name
 | ArchiveSHA256 | file.hash.sha256
 | Client | network.application
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | FileName | file.name
 | FilePolicy | cisco.ftd.rule_name
@@ -192,7 +192,7 @@ Mappings for File and Malware events fields:
 | FileSize | file.size
 | FirstPacketSecond | event.start
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URI | url.original
 | User | user.name
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index 6ad8a85d628..09325a93f22 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
@@ -119,7 +119,7 @@ Mappings for Intrusion events fields:
 |====================================
 | FTD Field | Mapped fields
 | ApplicationProtocol | network.protocol
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | GID | service.id
@@ -129,7 +129,7 @@ Mappings for Intrusion events fields:
 | IntrusionPolicy | cisco.ftd.rule_name
 | Message | message
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | User | user.id, user.name
 | WebApplication | network.application
@@ -147,7 +147,7 @@ Mappings for Connection and Security Intelligence events fields:
 | DNSQuery | dns.question.name
 | DNSRecordType | dns.question.type
 | DNSResponseType | dns.response_code
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | EgressInterface | cisco.ftd.destination_interface
 | HTTPReferer | http.request.referrer
@@ -162,13 +162,13 @@ Mappings for Connection and Security Intelligence events fields:
 | ResponderPackets | destination.packets
 | SSLActualAction | event.outcome
 | SSLServerName | server.domain
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URL | url.original
 | User | user.name
 | UserAgent | user_agent.original
 | WebApplication | network.application
-| originalClientSrcIP | client.ip
+| originalClientSrcIP | client.address
 |====================================
 
 Mappings for File and Malware events fields:
@@ -179,7 +179,7 @@ Mappings for File and Malware events fields:
 | ArchiveFileName | file.name
 | ArchiveSHA256 | file.hash.sha256
 | Client | network.application
-| DstIP | destination.ip
+| DstIP | destination.address
 | DstPort | destination.port
 | FileName | file.name
 | FilePolicy | cisco.ftd.rule_name
@@ -187,7 +187,7 @@ Mappings for File and Malware events fields:
 | FileSize | file.size
 | FirstPacketSecond | event.start
 | Protocol | network.transport
-| SrcIP | source.ip
+| SrcIP | source.address
 | SrcPort | source.port
 | URI | url.original
 | User | user.name
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index 92fd39b1dcd..4ffbd8c4845 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -49,6 +49,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1758,
 "event.action": "flow-expiration",
@@ -72,6 +73,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -84,6 +86,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1757,
 "event.action": "flow-expiration",
@@ -107,6 +110,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -119,6 +123,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1755,
 "event.action": "flow-expiration",
@@ -142,6 +147,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
 "source.port": 80,
 "tags": [
@@ -154,6 +160,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1754,
 "event.action": "flow-expiration",
@@ -177,6 +184,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
 "source.port": 80,
 "tags": [
@@ -189,6 +197,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1752,
 "event.action": "flow-expiration",
@@ -212,6 +221,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.160.197",
 "source.ip": "100.66.160.197",
 "source.port": 80,
 "tags": [
@@ -224,6 +234,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1749,
 "event.action": "flow-expiration",
@@ -247,6 +258,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.205.14",
 "source.ip": "100.66.205.14",
 "source.port": 80,
 "tags": [
@@ -259,6 +271,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1750,
 "event.action": "flow-expiration",
@@ -282,6 +295,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.33",
 "source.ip": "100.66.124.33",
 "source.port": 80,
 "tags": [
@@ -294,6 +308,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1747,
 "event.action": "flow-expiration",
@@ -317,6 +332,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.35.9",
 "source.ip": "100.66.35.9",
 "source.port": 80,
 "tags": [
@@ -329,6 +345,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1742,
 "event.action": "flow-expiration",
@@ -352,6 +369,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -364,6 +382,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1741,
 "event.action": "flow-expiration",
@@ -387,6 +406,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.218.21",
 "source.ip": "100.66.218.21",
 "source.port": 80,
 "tags": [
@@ -399,6 +419,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1739,
 "event.action": "flow-expiration",
@@ -422,6 +443,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
 "source.port": 80,
 "tags": [
@@ -434,6 +456,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1740,
 "event.action": "flow-expiration",
@@ -457,6 +480,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
 "source.port": 80,
 "tags": [
@@ -469,6 +493,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1738,
 "event.action": "flow-expiration",
@@ -492,6 +517,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.202.211",
 "source.ip": "100.66.202.211",
 "source.port": 80,
 "tags": [
@@ -504,6 +530,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1756,
 "event.action": "flow-expiration",
@@ -527,6 +554,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.15",
 "source.ip": "100.66.124.15",
 "source.port": 80,
 "tags": [
@@ -539,6 +567,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1737,
 "event.action": "flow-expiration",
@@ -562,6 +591,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.15",
 "source.ip": "100.66.124.15",
 "source.port": 80,
 "tags": [
@@ -574,6 +604,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1736,
 "event.action": "flow-expiration",
@@ -597,6 +628,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.209.247",
 "source.ip": "100.66.209.247",
 "source.port": 80,
 "tags": [
@@ -609,6 +641,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1765,
 "event.action": "flow-expiration",
@@ -632,6 +665,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.35.162",
 "source.ip": "100.66.35.162",
 "source.port": 80,
 "tags": [
@@ -688,6 +722,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -711,6 +746,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.80.32",
 "source.ip": "100.66.80.32",
 "source.port": 53,
 "tags": [
@@ -745,6 +781,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -768,6 +805,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.252.6",
 "source.ip": "100.66.252.6",
 "source.port": 53,
 "tags": [
@@ -912,6 +950,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -935,6 +974,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.238.126",
 "source.ip": "100.66.238.126",
 "source.port": 53,
 "tags": [
@@ -947,6 +987,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -970,6 +1011,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.93.51",
 "source.ip": "100.66.93.51",
 "source.port": 53,
 "tags": [
@@ -1092,6 +1134,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1115,6 +1158,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.240.126",
 "source.ip": "100.66.240.126",
 "source.port": 53,
 "tags": [
@@ -1127,6 +1171,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1150,6 +1195,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.44.45",
 "source.ip": "100.66.44.45",
 "source.port": 53,
 "tags": [
@@ -1250,6 +1296,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1273,6 +1320,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
 "source.ip": "100.66.157.232",
 "source.port": 53,
 "tags": [
@@ -1285,6 +1333,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1308,6 +1357,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.178.133",
 "source.ip": "100.66.178.133",
 "source.port": 53,
 "tags": [
@@ -1364,6 +1414,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1453,
 "event.action": "flow-expiration",
@@ -1387,6 +1438,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.133.112",
 "source.ip": "100.66.133.112",
 "source.port": 80,
 "tags": [
@@ -1421,6 +1473,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1444,6 +1497,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
 "source.ip": "100.66.157.232",
 "source.port": 53,
 "tags": [
@@ -1456,6 +1510,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1479,6 +1534,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.204.197",
 "source.ip": "100.66.204.197",
 "source.port": 53,
 "tags": [
@@ -1645,6 +1701,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1668,6 +1725,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.100.4",
 "source.ip": "100.66.100.4",
 "source.port": 53,
 "tags": [
@@ -1790,6 +1848,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1457,
 "event.action": "flow-expiration",
@@ -1813,6 +1872,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.40",
 "source.ip": "100.66.198.40",
 "source.port": 80,
 "tags": [
@@ -1869,6 +1929,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1892,6 +1953,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.1.107",
 "source.ip": "100.66.1.107",
 "source.port": 53,
 "tags": [
@@ -2146,6 +2208,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.156.80",
 "destination.ip": "172.31.156.80",
 "destination.port": 1382,
 "event.action": "flow-expiration",
@@ -2169,6 +2232,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.115.46",
 "source.ip": "100.66.115.46",
 "source.port": 80,
 "tags": [
@@ -2181,6 +2245,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.156.80",
 "destination.ip": "172.31.156.80",
 "destination.port": 1385,
 "event.action": "flow-expiration",
@@ -2204,6 +2269,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2260,6 +2326,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2280,6 +2347,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2292,6 +2360,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2312,6 +2381,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2324,6 +2394,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2344,6 +2415,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2356,6 +2428,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2376,6 +2449,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2388,6 +2462,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2408,6 +2483,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2420,6 +2496,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2440,6 +2517,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2452,6 +2530,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2472,6 +2551,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2484,6 +2564,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2504,6 +2585,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2516,6 +2598,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2536,6 +2619,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2548,6 +2632,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2568,6 +2653,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2580,6 +2666,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2600,6 +2687,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2612,6 +2700,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2632,6 +2721,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2644,6 +2734,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "inbound",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2664,6 +2755,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
index 398db8fdaa9..9b6a32dda04 100644
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
@@ -25,6 +25,7 @@
 "@timestamp": "2019-01-01T01:02:12.000-02:00",
 "cisco.asa.message_id": "106001",
 "cisco.asa.source_interface": "eth0",
+ "destination.address": "192.168.33.12",
 "destination.ip": "192.168.33.12",
 "destination.port": 443,
 "event.action": "firewall-rule",
@@ -46,6 +47,7 @@
 "process.name": "asa",
 "process.pid": 1234,
 "service.type": "cisco",
+ "source.address": "10.13.12.11",
 "source.ip": "10.13.12.11",
 "source.port": 45321,
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log b/x-pack/filebeat/module/cisco/asa/test/not-ip.log
new file mode 100644
index 00000000000..bf8f114e6c3
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log
@@ -0,0 +1 @@
+<165>Oct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
new file mode 100644
index 00000000000..968de46345b
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -0,0 +1,34 @@
+[
+ {
+ "@timestamp": "2019-10-04T15:27:55.000-02:00",
+ "cisco.asa.destination_interface": "OUTSIDE",
+ "cisco.asa.message_id": "106100",
+ "cisco.asa.rule_name": "AL-DMZ-LB-IN",
+ "cisco.asa.source_interface": "LB-DMZ",
+ "destination.address": "203.0.113.42",
+ "destination.ip": "203.0.113.42",
+ "destination.port": 53,
+ "event.action": "firewall-rule",
+ "event.code": 106100,
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]",
+ "event.outcome": "deny",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 0,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
+ "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
+ "source.port": 27218,
+ "syslog.facility": 165,
+ "tags": [
+ "cisco-asa"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index b6012e2532f..0d25224ad29 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
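Review bot: The new not-ip.log fixture exercises a non-IP value only in the source position of a single ASA 106100 line, and the diffstat lists new fixtures only under cisco/asa, so the destination-side and ftd paths of the pipeline change (asa-ftd-pipeline.yml is outside this chunk) have no negative sample pinning `destination.domain` or the FTD `SrcIP`/`DstIP` mappings. Consider adding a second line with the hostname in the destination position and an FTD counterpart so both branches are covered by an expected file. The expected output also shows `source.ip` absent for such events while `source.address` and `source.domain` are set, so a detection or dashboard keyed on `source.ip` alone silently skips them; the module docs would benefit from one sentence stating that `*.address` is the field that is always populated.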
@@ -5,6 +5,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "acl_dmz",
 "cisco.asa.source_interface": "dmz",
+ "destination.address": "192.0.0.8",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -22,6 +23,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.30",
 "source.ip": "10.1.2.30",
 "source.port": 63016,
 "tags": [
@@ -34,6 +36,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "acl_dmz",
 "cisco.asa.source_interface": "dmz",
+ "destination.address": "192.0.0.8",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -51,6 +54,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.30",
 "source.ip": "10.1.2.30",
 "source.port": 63016,
 "tags": [
@@ -64,6 +68,7 @@
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
 "cisco.asa.suffix": "session",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -81,6 +86,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.16",
 "source.ip": "10.1.2.16",
 "source.port": 2241,
 "tags": [
@@ -93,6 +99,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "inside",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.2.10",
 "destination.ip": "192.0.2.10",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -111,6 +118,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "172.29.2.101",
 "source.ip": "172.29.2.101",
 "source.port": 1039,
 "tags": [
@@ -123,6 +131,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "inside",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.2.57",
 "destination.ip": "192.0.2.57",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -141,6 +150,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "172.29.2.3",
 "source.ip": "172.29.2.3",
 "source.port": 1065,
 "tags": [
@@ -267,6 +277,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.123.1.35",
 "destination.ip": "10.123.1.35",
 "destination.port": 52925,
 "event.action": "flow-expiration",
@@ -287,6 +298,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 53,
 "tags": [
@@ -301,6 +313,7 @@
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
 "cisco.asa.source_username": "user1",
+ "destination.address": "10.123.1.35",
 "destination.ip": "10.123.1.35",
 "destination.port": 52925,
 "event.action": "flow-expiration",
@@ -321,6 +334,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 53,
 "tags": [
@@ -332,6 +346,7 @@
 "cisco.asa.icmp_code": 17233,
 "cisco.asa.mapped_source_ip": "192.168.132.46",
 "cisco.asa.message_id": "302021",
+ "destination.address": "172.24.177.29",
 "destination.ip": "172.24.177.29",
 "event.action": "flow-expiration",
 "event.code": 302021,
@@ -348,6 +363,7 @@
 "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
+ "source.address": "192.168.132.46",
 "source.ip": "192.168.132.46",
 "tags": [
 "cisco-asa"
@@ -394,6 +410,7 @@
 {
 "@timestamp": "2013-04-30T09:22:33.000-02:00",
 "cisco.asa.message_id": "106007",
+ "destination.address": "10.1.2.60",
 "destination.ip": "10.1.2.60",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -413,6 +430,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.0.66",
 "source.ip": "192.0.0.66",
 "source.port": 12981,
 "tags": [
@@ -425,6 +443,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -442,6 +461,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2006,
 "tags": [
@@ -454,6 +474,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -471,6 +492,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49734,
 "tags": [
@@ -483,6 +505,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -500,6 +523,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49735,
 "tags": [
@@ -512,6 +536,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -529,6 +554,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49736,
 "tags": [
@@ -541,6 +567,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -558,6 +585,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49737,
 "tags": [
@@ -570,6 +598,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -587,6 +616,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49738,
 "tags": [
@@ -599,6 +629,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -616,6 +647,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49746,
 "tags": [
@@ -628,6 +660,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -645,6 +678,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2007,
 "tags": [
@@ -657,6 +691,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.168.33.31",
 "destination.ip": "192.168.33.31",
 "destination.port": 25,
 "event.action": "firewall-rule",
@@ -674,6 +709,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.13",
 "source.ip": "10.0.0.13",
 "source.port": 43013,
 "tags": [
@@ -686,6 +722,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -703,6 +740,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2008,
 "tags": [
@@ -713,6 +751,7 @@
 "@timestamp": "2013-04-30T09:23:02.000-02:00",
 "cisco.asa.message_id": "106006",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "10.1.2.42",
 "destination.ip": "10.1.2.42",
 "destination.port": 137,
 "event.action": "firewall-rule",
@@ -731,6 +770,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.66",
 "source.ip": "192.0.2.66",
 "source.port": 137,
 "tags": [
@@ -740,6 +780,7 @@
 {
 "@timestamp": "2013-04-30T09:23:03.000-02:00",
 "cisco.asa.message_id": "106007",
+ "destination.address": "10.1.5.60",
 "destination.ip": "10.1.5.60",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -759,6 +800,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.66",
 "source.ip": "192.0.2.66",
 "source.port": 12981,
 "tags": [
@@ -771,6 +813,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -788,6 +831,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2009,
 "tags": [
@@ -800,6 +844,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -817,6 +862,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49776,
 "tags": [
@@ -829,6 +875,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -846,6 +893,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2010,
 "tags": [
@@ -858,6 +906,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -875,6 +924,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2011,
 "tags": [
@@ -887,6 +937,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -904,6 +955,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2012,
 "tags": [
@@ -916,6 +968,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "acl_out",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.0.0.132",
 "destination.ip": "10.0.0.132",
 "destination.port": 8111,
 "event.action": "firewall-rule",
@@ -933,6 +986,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "192.0.2.126",
 "source.ip": "192.0.2.126",
 "source.port": 53638,
 "tags": [
@@ -945,6 +999,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "acl_out",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.0.0.132",
 "destination.ip": "10.0.0.132",
 "destination.port": 8111,
 "event.action": "firewall-rule",
@@ -962,6 +1017,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "192.0.2.126",
 "source.ip": "192.0.2.126",
 "source.port": 53638,
 "tags": [
@@ -974,6 +1030,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -991,6 +1048,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49840,
 "tags": [
@@ -1003,6 +1061,7 @@
 "cisco.asa.message_id": "106100",
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -1020,6 +1079,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2013,
 "tags": [
@@ -1033,6 +1093,7 @@
 "cisco.asa.rule_name": "acl_in",
 "cisco.asa.source_interface": "inside",
 "cisco.asa.suffix": "session",
+ "destination.address": "192.0.0.99",
 "destination.ip": "192.0.0.99",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -1050,6 +1111,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2241,
 "tags": [
@@ -1102,6 +1164,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "dmz",
 "cisco.asa.source_interface": "dmz",
+ "destination.address": "192.0.0.12",
 "destination.ip": "192.0.0.12",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -1120,6 +1183,7 @@
 "network.transport": "udp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.168.1.33",
 "source.ip": "192.168.1.33",
 "source.port": 5555,
 "tags": [
@@ -1132,6 +1196,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "dmz",
 "cisco.asa.source_interface": "dmz",
+ "destination.address": "192.0.0.12",
 "destination.ip": "192.0.0.12",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -1150,6 +1215,7 @@
 "network.transport": "udp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.168.1.33",
 "source.ip": "192.168.1.33",
 "source.port": 5555,
 "tags": [
@@ -1202,6 +1268,7 @@
 "cisco.asa.destination_interface": "dmz",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.1.34",
 "destination.ip": "192.168.1.34",
 "destination.port": 5678,
 "event.action": "flow-expiration",
@@ -1223,6 +1290,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1235,6 +1303,7 @@
 "cisco.asa.destination_interface": "dmz",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.1.35",
 "destination.ip": "192.168.1.35",
 "destination.port": 5678,
 "event.action": "flow-expiration",
@@ -1256,6 +1325,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1268,6 +1338,7 @@
 "cisco.asa.destination_interface": "dmz",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.1.35",
 "destination.ip": "192.168.1.35",
 "destination.port": 5678,
 "event.action": "flow-expiration",
@@ -1289,6 +1360,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1299,6 +1371,7 @@
 "@timestamp": "2018-12-11T08:01:38.000-02:00",
 "cisco.asa.message_id": "106015",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.1.34",
 "destination.ip": "192.168.1.34",
 "destination.port": 5679,
 "event.action": "firewall-rule",
@@ -1317,6 +1390,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1327,6 +1401,7 @@
 "@timestamp": "2018-12-11T08:01:38.000-02:00",
 "cisco.asa.message_id": "106015",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.1.34",
 "destination.ip": "192.168.1.34",
 "destination.port": 5679,
 "event.action": "firewall-rule",
@@ -1345,6 +1420,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1357,6 +1433,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "dmz",
 "cisco.asa.source_interface": "dmz",
+ "destination.address": "192.0.0.12",
 "destination.ip": "192.0.0.12",
 "destination.port": 5000,
 "event.action": "firewall-rule",
@@ -1375,6 +1452,7 @@
 "network.transport": "udp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.168.1.34",
 "source.ip": "192.168.1.34",
 "source.port": 5679,
 "tags": [
@@ -1427,6 +1505,7 @@
 "cisco.asa.destination_interface": "dmz",
 "cisco.asa.message_id": "302014",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.10.10.10",
 "destination.ip": "10.10.10.10",
 "destination.port": 1235,
 "event.action": "flow-expiration",
@@ -1448,6 +1527,7 @@
 "network.transport": "tcp",
 "process.name": "",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
 "tags": [
@@ -1460,6 +1540,7 @@
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302016",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.44.2.2",
 "destination.ip": "10.44.2.2",
 "destination.port": 500,
 "event.action": "flow-expiration",
@@ -1480,6 +1561,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.44.4.4",
 "source.ip": "10.44.4.4",
 "source.port": 500,
 "tags": [
@@ -1490,6 +1572,7 @@
 "@timestamp": "2014-09-12T06:50:53.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.47",
 "destination.ip": "192.88.99.47",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1505,6 +1588,7 @@
 "log.level": "critical",
 "log.offset": 8549,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1514,6 +1598,7 @@
 "@timestamp": "2014-09-12T06:51:01.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1529,6 +1614,7 @@
 "log.level": "critical",
 "log.offset": 8670,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1538,6 +1624,7 @@
 "@timestamp": "2014-09-12T06:51:05.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.47",
 "destination.ip": "192.88.99.47",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1553,6 +1640,7 @@
 "log.level": "critical",
 "log.offset": 8791,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1562,6 +1650,7 @@
 "@timestamp": "2014-09-12T06:51:05.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.47",
 "destination.ip": "192.88.99.47",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1577,6 +1666,7 @@
 "log.level": "critical",
 "log.offset": 8912,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1586,6 +1676,7 @@
 "@timestamp": "2014-09-12T06:51:06.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1601,6 +1692,7 @@
 "log.level": "critical",
 "log.offset": 9033,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1610,6 +1702,7 @@
 "@timestamp": "2014-09-12T06:51:17.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1625,6 +1718,7 @@
 "log.level": "critical",
 "log.offset": 9154,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1634,6 +1728,7 @@
 "@timestamp": "2014-09-12T06:52:48.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.168.1.255",
 "destination.ip": "192.168.1.255",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1649,6 +1744,7 @@
 "log.level": "critical",
 "log.offset": 9275,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1658,6 +1754,7 @@
 "@timestamp": "2014-09-12T06:53:00.000-02:00",
 "cisco.asa.message_id": "106016",
 "cisco.asa.source_interface": "Mobile_Traffic",
+ "destination.address": "192.168.1.255",
 "destination.ip": "192.168.1.255",
 "event.action": "firewall-rule",
 "event.code": 106016,
@@ -1673,6 +1770,7 @@
 "log.level": "critical",
 "log.offset": 9397,
 "service.type": "cisco",
+ "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
 "tags": [
 "cisco-asa"
@@ -1684,6 +1782,7 @@
 "cisco.asa.message_id": "106023",
 "cisco.asa.rule_name": "PERMIT_IN",
 "cisco.asa.source_interface": "outside",
+ "destination.address": "10.32.112.125",
 "destination.ip": "10.32.112.125",
 "destination.port": 25,
 "event.action": "firewall-rule",
@@ -1702,6 +1801,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "192.0.2.95",
 "source.ip": "192.0.2.95",
 "source.port": 24069,
 "tags": [
@@ -1730,6 +1830,7 @@
 "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
+ "source.address": "10.2.3.5",
 "source.ip": "10.2.3.5",
 "tags": [
 "cisco-asa"
@@ -1740,6 +1841,7 @@
 "cisco.asa.icmp_type": 0,
 "cisco.asa.message_id": "313004",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "172.16.1.10",
 "destination.ip": "172.16.1.10",
 "event.action": "firewall-rule",
 "event.code": 313004,
@@ -1756,6 +1858,7 @@
 "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
+ "source.address": "172.16.30.2",
 "source.ip": "172.16.30.2",
 "tags": [
 "cisco-asa"
@@ -1771,6 +1874,7 @@
 "cisco.asa.message_id": "338002",
 "cisco.asa.rule_name": "dynamic",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.88.99.129",
 "destination.domain": "bad.example.com",
 "destination.ip": "192.88.99.129",
 "destination.port": 80,
@@ -1790,6 +1894,7 @@
 "network.transport": "tcp",
 "server.domain": "bad.example.com",
 "service.type": "cisco",
+ "source.address": "10.1.1.45",
 "source.ip": "10.1.1.45",
 "source.nat.ip": "192.88.99.1",
 "source.nat.port": "7890",
@@ -1810,6 +1915,7 @@
 "cisco.asa.source_interface": "inside",
 "cisco.asa.threat_category": "Malware",
 "cisco.asa.threat_level": "very-high",
+ "destination.address": "192.0.2.223",
 "destination.ip": "192.0.2.223",
 "destination.port": 80,
 "event.action": "firewall-rule",
@@ -1827,6 +1933,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
 "source.nat.ip": "10.2.1.1",
 "source.nat.port": "33340",
@@ -1847,6 +1954,7 @@
 "cisco.asa.source_interface": "inside",
 "cisco.asa.threat_category": "Malware",
 "cisco.asa.threat_level": "very-high",
+ "destination.address": "192.0.2.223",
 "destination.ip": "192.0.2.223",
 "destination.port": 80,
 "event.action": "firewall-rule",
@@ -1864,6 +1972,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
 "source.nat.ip": "10.2.1.1",
 "source.nat.port": "33340",
@@ -1875,6 +1984,7 @@
 {
 "@timestamp": "2009-11-16T14:12:35.000-02:00",
 "cisco.asa.message_id": "304001",
+ "destination.address": "192.0.2.1",
 "destination.ip": "192.0.2.1",
 "event.action": "firewall-rule",
 "event.code": 304001,
@@ -1889,6 +1999,7 @@
 "log.level": "notification",
 "log.offset": 10766,
 "service.type": "cisco",
+ "source.address": "10.30.30.30",
 "source.ip": "10.30.30.30",
 "tags": [
 "cisco-asa"
@@ -1898,6 +2009,7 @@
 {
 "@timestamp": "2009-11-16T14:12:36.000-02:00",
 "cisco.asa.message_id": "304001",
+ "destination.address": "192.0.2.32",
 "destination.ip": "192.0.2.32",
 "event.action": "firewall-rule",
 "event.code": 304001,
@@ -1912,6 +2024,7 @@
 "log.level": "notification",
 "log.offset": 10843,
 "service.type": "cisco",
+ "source.address": "10.5.111.32",
 "source.ip": "10.5.111.32",
 "tags": [
 "cisco-asa"
@@ -1922,6 +2035,7 @@
 "@timestamp": "2009-11-16T14:12:37.000-02:00",
 "cisco.asa.message_id": "304002",
 "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.19",
 "destination.ip": "192.0.0.19",
 "event.action": "firewall-rule",
 "event.code": 304002,
@@ -1936,6 +2050,7 @@
 "log.level": "notification",
 "log.offset": 10935,
 "service.type": "cisco",
+ "source.address": "10.69.6.39",
 "source.ip": "10.69.6.39",
 "tags": [
 "cisco-asa"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index e2604ce0e7f..297696b3a01 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -49,6 +49,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1758,
 "event.action": "flow-expiration",
@@ -72,6 +73,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -84,6 +86,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1757,
 "event.action": "flow-expiration",
@@ -107,6 +110,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -119,6 +123,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1755,
 "event.action": "flow-expiration",
@@ -142,6 +147,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
 "source.port": 80,
 "tags": [
@@ -154,6 +160,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1754,
 "event.action": "flow-expiration",
@@ -177,6 +184,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
 "source.port": 80,
 "tags": [
@@ -189,6 +197,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1752,
 "event.action": "flow-expiration",
@@ -212,6 +221,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.160.197",
 "source.ip": "100.66.160.197",
 "source.port": 80,
 "tags": [
@@ -224,6 +234,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1749,
 "event.action": "flow-expiration",
@@ -247,6 +258,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.205.14",
 "source.ip": "100.66.205.14",
 "source.port": 80,
 "tags": [
@@ -259,6 +271,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1750,
 "event.action": "flow-expiration",
@@ -282,6 +295,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.33",
 "source.ip": "100.66.124.33",
 "source.port": 80,
 "tags": [
@@ -294,6 +308,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1747,
 "event.action": "flow-expiration",
@@ -317,6 +332,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.35.9",
 "source.ip": "100.66.35.9",
 "source.port": 80,
 "tags": [
@@ -329,6 +345,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1742,
 "event.action": "flow-expiration",
@@ -352,6 +369,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
@@ -364,6 +382,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1741,
 "event.action": "flow-expiration",
@@ -387,6 +406,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.218.21",
 "source.ip": "100.66.218.21",
 "source.port": 80,
 "tags": [
@@ -399,6 +419,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1739,
 "event.action": "flow-expiration",
@@ -422,6 +443,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
 "source.port": 80,
 "tags": [
@@ -434,6 +456,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1740,
 "event.action": "flow-expiration",
@@ -457,6 +480,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
 "source.port": 80,
 "tags": [
@@ -469,6 +493,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1738,
 "event.action": "flow-expiration",
@@ -492,6 +517,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.202.211",
 "source.ip": "100.66.202.211",
 "source.port": 80,
 "tags": [
@@ -504,6 +530,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1756,
 "event.action": "flow-expiration",
@@ -527,6 +554,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.15",
 "source.ip": "100.66.124.15",
 "source.port": 80,
 "tags": [
@@ -539,6 +567,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1737,
 "event.action": "flow-expiration",
@@ -562,6 +591,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.124.15",
 "source.ip": "100.66.124.15",
 "source.port": 80,
 "tags": [
@@ -574,6 +604,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1736,
 "event.action": "flow-expiration",
@@ -597,6 +628,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.209.247",
 "source.ip": "100.66.209.247",
 "source.port": 80,
 "tags": [
@@ -609,6 +641,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1765,
 "event.action": "flow-expiration",
@@ -632,6 +665,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.35.162",
 "source.ip": "100.66.35.162",
 "source.port": 80,
 "tags": [
@@ -688,6 +722,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -711,6 +746,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.80.32",
 "source.ip": "100.66.80.32",
 "source.port": 53,
 "tags": [
@@ -745,6 +781,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -768,6 +805,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.252.6",
 "source.ip": "100.66.252.6",
 "source.port": 53,
 "tags": [
@@ -912,6 +950,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -935,6 +974,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.238.126",
 "source.ip": "100.66.238.126",
 "source.port": 53,
 "tags": [
@@ -947,6 +987,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -970,6 +1011,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.93.51",
 "source.ip": "100.66.93.51",
 "source.port": 53,
 "tags": [
@@ -1092,6 +1134,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1115,6 +1158,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.240.126",
 "source.ip": "100.66.240.126",
 "source.port": 53,
 "tags": [
@@ -1127,6 +1171,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1150,6 +1195,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.44.45",
 "source.ip": "100.66.44.45",
 "source.port": 53,
 "tags": [
@@ -1250,6 +1296,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1273,6 +1320,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
 "source.ip": "100.66.157.232",
 "source.port": 53,
 "tags": [
@@ -1285,6 +1333,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1308,6 +1357,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.178.133",
 "source.ip": "100.66.178.133",
 "source.port": 53,
 "tags": [
@@ -1364,6 +1414,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1453,
 "event.action": "flow-expiration",
@@ -1387,6 +1438,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.133.112",
 "source.ip": "100.66.133.112",
 "source.port": 80,
 "tags": [
@@ -1421,6 +1473,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1444,6 +1497,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
 "source.ip": "100.66.157.232",
 "source.port": 53,
 "tags": [
@@ -1456,6 +1510,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1479,6 +1534,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.204.197",
 "source.ip": "100.66.204.197",
 "source.port": 53,
 "tags": [
@@ -1645,6 +1701,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1668,6 +1725,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.100.4",
 "source.ip": "100.66.100.4",
 "source.port": 53,
 "tags": [
@@ -1790,6 +1848,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 1457,
 "event.action": "flow-expiration",
@@ -1813,6 +1872,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.198.40",
 "source.ip": "100.66.198.40",
 "source.port": 80,
 "tags": [
@@ -1869,6 +1929,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
@@ -1892,6 +1953,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.1.107",
 "source.ip": "100.66.1.107",
 "source.port": 53,
 "tags": [
@@ -2146,6 +2208,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.156.80",
 "destination.ip": "172.31.156.80",
 "destination.port": 1382,
 "event.action": "flow-expiration",
@@ -2169,6 +2232,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.115.46",
 "source.ip": "100.66.115.46",
 "source.port": 80,
 "tags": [
@@ -2181,6 +2245,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302014",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.156.80",
 "destination.ip": "172.31.156.80",
 "destination.port": 1385,
 "event.action": "flow-expiration",
@@ -2204,6 +2269,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2260,6 +2326,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2280,6 +2347,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2292,6 +2360,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2312,6 +2381,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2324,6 +2394,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2344,6 +2415,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2356,6 +2428,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2376,6 +2449,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2388,6 +2462,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2408,6 +2483,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2420,6 +2496,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2440,6 +2517,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2452,6 +2530,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2472,6 +2551,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2484,6 +2564,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2504,6 +2585,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2516,6 +2598,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2536,6 +2619,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2548,6 +2632,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2568,6 +2653,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2580,6 +2666,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2600,6 +2687,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2612,6 +2700,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2632,6 +2721,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
@@ -2644,6 +2734,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "inbound",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
@@ -2664,6 +2755,7 @@
 "process.name": "CiscoASA",
 "process.pid": 999,
 "service.type": "cisco",
+ "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
 "source.port": 80,
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index 2b37f4bc54c..98522d06457 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -33,6 +33,7 @@
 "cisco.ftd.security.src_port": "57379",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 145,
@@ -67,6 +68,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -113,6 +115,7 @@
 "cisco.ftd.security.src_port": "51389",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 193,
@@ -147,6 +150,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -191,6 +195,7 @@
 "cisco.ftd.security.src_port": "53033",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 166,
@@ -225,6 +230,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -271,6 +277,7 @@
 "cisco.ftd.security.src_port": "55371",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 200,
@@ -305,6 +312,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 97,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -350,6 +358,7 @@
 "cisco.ftd.security.src_port": "60441",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 193,
@@ -384,6 +393,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -428,6 +438,7 @@
 "cisco.ftd.security.src_port": "59714",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 166,
@@ -462,6 +473,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -509,6 +521,7 @@
 "cisco.ftd.security.src_port": "55105",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 199,
@@ -543,6 +556,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -587,6 +601,7 @@
 "cisco.ftd.security.src_port": "57141",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 221,
@@ -621,6 +636,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -666,6 +682,7 @@
 "cisco.ftd.security.src_port": "47260",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 166,
@@ -700,6 +717,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -746,6 +764,7 @@
 "cisco.ftd.security.src_port": "58082",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 722,
@@ -780,6 +799,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -824,6 +844,7 @@
 "cisco.ftd.security.src_port": "33973",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "205.251.196.144",
 "destination.as.number": 16509,
 "destination.as.organization.name": "Amazon.com, Inc.",
 "destination.bytes": 75,
@@ -861,6 +882,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 98,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -903,6 +925,7 @@
 "cisco.ftd.security.src_port": "39541",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 313,
@@ -935,6 +958,7 @@
 "network.protocol": "dns",
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 457,
 "source.ip": "10.0.1.20",
 "source.packets": 6,
@@ -980,6 +1004,7 @@
 "cisco.ftd.security.src_port": "41672",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "9.9.9.9",
 "destination.as.number": 19281,
 "destination.as.organization.name": "Quad9",
 "destination.bytes": 180,
@@ -1014,6 +1039,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 107,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1058,6 +1084,7 @@
 "cisco.ftd.security.src_port": "59577",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "9.9.9.9",
 "destination.as.number": 19281,
 "destination.as.organization.name": "Quad9",
 "destination.bytes": 108,
@@ -1092,6 +1119,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 104,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1137,6 +1165,7 @@
 "cisco.ftd.security.src_port": "35998",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "9.9.9.9",
 "destination.as.number": 19281,
 "destination.as.organization.name": "Quad9",
 "destination.bytes": 162,
@@ -1171,6 +1200,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 101,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1217,6 +1247,7 @@
 "cisco.ftd.security.src_port": "55105",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 199,
@@ -1251,6 +1282,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1295,6 +1327,7 @@
 "cisco.ftd.security.src_port": "47260",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 166,
@@ -1329,6 +1362,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1373,6 +1407,7 @@
 "cisco.ftd.security.src_port": "53033",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 166,
@@ -1407,6 +1442,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1451,6 +1487,7 @@
 "cisco.ftd.security.src_port": "57141",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 221,
@@ -1485,6 +1522,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1528,6 +1566,7 @@
 "cisco.ftd.security.src_port": "46093",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 131,
@@ -1561,6 +1600,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
@@ -1607,6 +1647,7 @@
 "cisco.ftd.security.src_port": "58082",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
 "destination.bytes": 722,
@@ -1641,6 +1682,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "10.0.1.20",
 "source.bytes": 93,
 "source.ip": "10.0.1.20",
 "source.packets": 1,
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
index 4af66567a24..c91abb64be9 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
@@ -28,6 +28,7 @@
 "cisco.ftd.security.src_port": "55644",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "10.0.100.30",
 "destination.ip": "10.0.100.30",
 "destination.port": 80,
 "event.action": "intrusion-detected",
@@ -85,6 +86,7 @@
 "cisco.ftd.security.src_port": "55868",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "10.0.100.30",
 "destination.ip": "10.0.100.30",
 "destination.port": 80,
 "event.action": "intrusion-detected",
@@ -140,6 +142,7 @@
 "cisco.ftd.security.src_port": "21",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "10.0.1.20",
 "destination.ip": "10.0.1.20",
 "destination.port": 39114,
 "event.action": "intrusion-detected",
@@ -193,6 +196,7 @@
 "cisco.ftd.security.src_port": "21",
 "cisco.ftd.security.user": "No Authentication Required",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "10.0.1.20",
 "destination.ip": "10.0.1.20",
 "destination.port": 40740,
 "event.action": "intrusion-detected",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
index 2e354fd2ff0..6355040fe6d 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
@@ -7,6 +7,7 @@
 "cisco.ftd.security.dst_ip": "10.8.12.47",
 "cisco.ftd.security.message": "Intrusion attempt",
 "cisco.ftd.security.src_ip": "10.1.123.45",
+ "destination.address": "10.8.12.47",
 "destination.ip": "10.8.12.47",
 "event.action": "intrusion-detected",
 "event.code": 430001,
@@ -26,6 +27,7 @@
 "process.name": "ftd",
 "process.pid": 1234,
 "service.type": "cisco",
+ "source.address": "10.1.123.45",
 "source.ip": "10.1.123.45",
 "tags": [
 "cisco-ftd"
@@ -95,6 +97,7 @@
 ],
 "cisco.ftd.security.src_ip": "127.0.0.1",
 "cisco.ftd.security.src_port": "512",
+ "destination.address": "192.168.3.33",
 "destination.ip": "192.168.3.33",
 "destination.port": 64311,
 "event.action": "malware-detected",
@@ -117,6 +120,7 @@
 "process.name": "ftd",
 "process.pid": 1234,
 "service.type": "cisco",
+ "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "source.port": 512,
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
index 1ea4f907667..4ae3f03c34b 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -5,6 +5,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "acl_dmz",
 "cisco.ftd.source_interface": "dmz",
+ "destination.address": "192.0.0.8",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -22,6 +23,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.30",
 "source.ip": "10.1.2.30",
 "source.port": 63016,
 "tags": [
@@ -34,6 +36,7 @@
 "cisco.ftd.message_id": "106023",
 "cisco.ftd.rule_name": "acl_dmz",
 "cisco.ftd.source_interface": "dmz",
+ "destination.address": "192.0.0.8",
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -51,6 +54,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.30",
 "source.ip": "10.1.2.30",
 "source.port": 63016,
 "tags": [
@@ -64,6 +68,7 @@
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
 "cisco.ftd.suffix": "session",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -81,6 +86,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.1.2.16",
 "source.ip": "10.1.2.16",
 "source.port": 2241,
 "tags": [
@@ -93,6 +99,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "inside",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.2.10",
 "destination.ip": "192.0.2.10",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -111,6 +118,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "172.29.2.101",
 "source.ip": "172.29.2.101",
 "source.port": 1039,
 "tags": [
@@ -123,6 +131,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "inside",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.2.57",
 "destination.ip": "192.0.2.57",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -141,6 +150,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "172.29.2.3",
 "source.ip": "172.29.2.3",
 "source.port": 1065,
 "tags": [
@@ -267,6 +277,7 @@
 "cisco.ftd.destination_interface": "inside",
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
+ "destination.address": "10.123.1.35",
 "destination.ip": "10.123.1.35",
 "destination.port": 52925,
 "event.action": "flow-expiration",
@@ -287,6 +298,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 53,
 "tags": [
@@ -301,6 +313,7 @@
 "cisco.ftd.message_id": "302016",
 "cisco.ftd.source_interface": "outside",
 "cisco.ftd.source_username": "user1",
+ "destination.address": "10.123.1.35",
 "destination.ip": "10.123.1.35",
 "destination.port": 52925,
 "event.action": "flow-expiration",
@@ -321,6 +334,7 @@
 "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
 "source.ip": "192.0.2.222",
 "source.port": 53,
 "tags": [
@@ -332,6 +346,7 @@
 "cisco.ftd.icmp_code": 17233,
 "cisco.ftd.mapped_source_ip": "192.168.132.46",
 "cisco.ftd.message_id": "302021",
+ "destination.address": "172.24.177.29",
 "destination.ip": "172.24.177.29",
 "event.action": "flow-expiration",
 "event.code": 302021,
@@ -348,6 +363,7 @@
 "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
+ "source.address": "192.168.132.46",
 "source.ip": "192.168.132.46",
 "tags": [
 "cisco-ftd"
@@ -394,6 +410,7 @@
 {
 "@timestamp": "2013-04-30T09:22:33.000-02:00",
 "cisco.ftd.message_id": "106007",
+ "destination.address": "10.1.2.60",
 "destination.ip": "10.1.2.60",
 "destination.port": 53,
 "event.action": "firewall-rule",
@@ -413,6 +430,7 @@
 "network.protocol": "dns",
 "network.transport": "udp",
 "service.type": "cisco",
+ "source.address": "192.0.0.66",
 "source.ip": "192.0.0.66",
 "source.port": 12981,
 "tags": [
@@ -425,6 +443,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.0.89",
 "destination.ip": "192.0.0.89",
 "destination.port": 2000,
 "event.action": "firewall-rule",
@@ -442,6 +461,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.16",
 "source.ip": "10.0.0.16",
 "source.port": 2006,
 "tags": [
@@ -454,6 +474,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -471,6 +492,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49734,
 "tags": [
@@ -483,6 +505,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -500,6 +523,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49735,
 "tags": [
@@ -512,6 +536,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -529,6 +554,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49736,
 "tags": [
@@ -541,6 +567,7 @@
 "cisco.ftd.message_id": "106100",
 "cisco.ftd.rule_name": "acl_in",
 "cisco.ftd.source_interface": "inside",
+ "destination.address": "192.0.0.88",
 "destination.ip": "192.0.0.88",
 "destination.port": 40443,
 "event.action": "firewall-rule",
@@ -558,6 +585,7 @@
 "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
+ "source.address": "10.0.0.46",
 "source.ip": "10.0.0.46",
 "source.port": 49737,
 "tags": [
@@ -570,6 +598,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.88", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", @@ -587,6 +616,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.46", "source.ip": "10.0.0.46", "source.port": 49738, "tags": [ @@ -599,6 +629,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.88", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", @@ -616,6 +647,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.46", "source.ip": "10.0.0.46", "source.port": 49746, "tags": [ @@ -628,6 +660,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -645,6 +678,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2007, "tags": [ @@ -657,6 +691,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.168.33.31", "destination.ip": "192.168.33.31", "destination.port": 25, "event.action": "firewall-rule", @@ -674,6 +709,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.13", "source.ip": "10.0.0.13", "source.port": 43013, "tags": [ 
@@ -686,6 +722,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -703,6 +740,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2008, "tags": [ @@ -713,6 +751,7 @@ "@timestamp": "2013-04-30T09:23:02.000-02:00", "cisco.ftd.message_id": "106006", "cisco.ftd.source_interface": "inside", + "destination.address": "10.1.2.42", "destination.ip": "10.1.2.42", "destination.port": 137, "event.action": "firewall-rule", @@ -731,6 +770,7 @@ "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", + "source.address": "192.0.2.66", "source.ip": "192.0.2.66", "source.port": 137, "tags": [ @@ -740,6 +780,7 @@ { "@timestamp": "2013-04-30T09:23:03.000-02:00", "cisco.ftd.message_id": "106007", + "destination.address": "10.1.5.60", "destination.ip": "10.1.5.60", "destination.port": 53, "event.action": "firewall-rule", @@ -759,6 +800,7 @@ "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", + "source.address": "192.0.2.66", "source.ip": "192.0.2.66", "source.port": 12981, "tags": [ @@ -771,6 +813,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -788,6 +831,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2009, "tags": [ 
@@ -800,6 +844,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.88", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", @@ -817,6 +862,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.46", "source.ip": "10.0.0.46", "source.port": 49776, "tags": [ @@ -829,6 +875,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -846,6 +893,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2010, "tags": [ @@ -858,6 +906,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -875,6 +924,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2011, "tags": [ @@ -887,6 +937,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -904,6 +955,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2012, "tags": [ 
@@ -916,6 +968,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "acl_out", "cisco.ftd.source_interface": "outside", + "destination.address": "10.0.0.132", "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", @@ -933,6 +986,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.126", "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ @@ -945,6 +999,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "acl_out", "cisco.ftd.source_interface": "outside", + "destination.address": "10.0.0.132", "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", @@ -962,6 +1017,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.126", "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ @@ -974,6 +1030,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.88", "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", @@ -991,6 +1048,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.46", "source.ip": "10.0.0.46", "source.port": 49840, "tags": [ @@ -1003,6 +1061,7 @@ "cisco.ftd.message_id": "106100", "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.89", "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", @@ -1020,6 +1079,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2013, "tags": [ 
@@ -1033,6 +1093,7 @@ "cisco.ftd.rule_name": "acl_in", "cisco.ftd.source_interface": "inside", "cisco.ftd.suffix": "session", + "destination.address": "192.0.0.99", "destination.ip": "192.0.0.99", "destination.port": 2000, "event.action": "firewall-rule", @@ -1050,6 +1111,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.0.16", "source.ip": "10.0.0.16", "source.port": 2241, "tags": [ @@ -1102,6 +1164,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "dmz", "cisco.ftd.source_interface": "dmz", + "destination.address": "192.0.0.12", "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", @@ -1120,6 +1183,7 @@ "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", + "source.address": "192.168.1.33", "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ @@ -1132,6 +1196,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "dmz", "cisco.ftd.source_interface": "dmz", + "destination.address": "192.0.0.12", "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", @@ -1150,6 +1215,7 @@ "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", + "source.address": "192.168.1.33", "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ @@ -1202,6 +1268,7 @@ "cisco.ftd.destination_interface": "dmz", "cisco.ftd.message_id": "302014", "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", "destination.ip": "192.168.1.34", "destination.port": 5678, "event.action": "flow-expiration", @@ -1223,6 +1290,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ 
@@ -1235,6 +1303,7 @@ "cisco.ftd.destination_interface": "dmz", "cisco.ftd.message_id": "302014", "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.35", "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", @@ -1256,6 +1325,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ @@ -1268,6 +1338,7 @@ "cisco.ftd.destination_interface": "dmz", "cisco.ftd.message_id": "302014", "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.35", "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", @@ -1289,6 +1360,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ @@ -1299,6 +1371,7 @@ "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.ftd.message_id": "106015", "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", @@ -1317,6 +1390,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ @@ -1327,6 +1401,7 @@ "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.ftd.message_id": "106015", "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", @@ -1345,6 +1420,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ 
@@ -1357,6 +1433,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "dmz", "cisco.ftd.source_interface": "dmz", + "destination.address": "192.0.0.12", "destination.ip": "192.0.0.12", "destination.port": 5000, "event.action": "firewall-rule", @@ -1375,6 +1452,7 @@ "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", + "source.address": "192.168.1.34", "source.ip": "192.168.1.34", "source.port": 5679, "tags": [ @@ -1427,6 +1505,7 @@ "cisco.ftd.destination_interface": "dmz", "cisco.ftd.message_id": "302014", "cisco.ftd.source_interface": "outside", + "destination.address": "10.10.10.10", "destination.ip": "10.10.10.10", "destination.port": 1235, "event.action": "flow-expiration", @@ -1448,6 +1527,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ @@ -1460,6 +1540,7 @@ "cisco.ftd.destination_interface": "inside", "cisco.ftd.message_id": "302016", "cisco.ftd.source_interface": "outside", + "destination.address": "10.44.2.2", "destination.ip": "10.44.2.2", "destination.port": 500, "event.action": "flow-expiration", @@ -1480,6 +1561,7 @@ "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", + "source.address": "10.44.4.4", "source.ip": "10.44.4.4", "source.port": 500, "tags": [ @@ -1490,6 +1572,7 @@ "@timestamp": "2014-09-12T06:50:53.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", "event.code": 106016, @@ -1505,6 +1588,7 @@ "log.level": "critical", "log.offset": 8624, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" 
@@ -1514,6 +1598,7 @@ "@timestamp": "2014-09-12T06:51:01.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", "event.code": 106016, @@ -1529,6 +1614,7 @@ "log.level": "critical", "log.offset": 8745, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1538,6 +1624,7 @@ "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", "event.code": 106016, @@ -1553,6 +1640,7 @@ "log.level": "critical", "log.offset": 8866, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1562,6 +1650,7 @@ "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", "event.code": 106016, @@ -1577,6 +1666,7 @@ "log.level": "critical", "log.offset": 8987, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1586,6 +1676,7 @@ "@timestamp": "2014-09-12T06:51:06.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", "event.code": 106016, @@ -1601,6 +1692,7 @@ "log.level": "critical", "log.offset": 9108, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" 
@@ -1610,6 +1702,7 @@ "@timestamp": "2014-09-12T06:51:17.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", "event.code": 106016, @@ -1625,6 +1718,7 @@ "log.level": "critical", "log.offset": 9229, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1634,6 +1728,7 @@ "@timestamp": "2014-09-12T06:52:48.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.168.1.255", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", "event.code": 106016, @@ -1649,6 +1744,7 @@ "log.level": "critical", "log.offset": 9350, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1658,6 +1754,7 @@ "@timestamp": "2014-09-12T06:53:00.000-02:00", "cisco.ftd.message_id": "106016", "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.address": "192.168.1.255", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", "event.code": 106016, @@ -1673,6 +1770,7 @@ "log.level": "critical", "log.offset": 9472, "service.type": "cisco", + "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ "cisco-ftd" @@ -1684,6 +1782,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "PERMIT_IN", "cisco.ftd.source_interface": "outside", + "destination.address": "10.32.112.125", "destination.ip": "10.32.112.125", "destination.port": 25, "event.action": "firewall-rule", @@ -1702,6 +1801,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "192.0.2.95", "source.ip": "192.0.2.95", "source.port": 24069, "tags": [ @@ -1730,6 +1830,7 @@ "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", + "source.address": "10.2.3.5", "source.ip": "10.2.3.5", "tags": [ "cisco-ftd" 
@@ -1740,6 +1841,7 @@ "cisco.ftd.icmp_type": 0, "cisco.ftd.message_id": "313004", "cisco.ftd.source_interface": "inside", + "destination.address": "172.16.1.10", "destination.ip": "172.16.1.10", "event.action": "firewall-rule", "event.code": 313004, @@ -1756,6 +1858,7 @@ "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", + "source.address": "172.16.30.2", "source.ip": "172.16.30.2", "tags": [ "cisco-ftd" @@ -1771,6 +1874,7 @@ "cisco.ftd.message_id": "338002", "cisco.ftd.rule_name": "dynamic", "cisco.ftd.source_interface": "inside", + "destination.address": "192.88.99.129", "destination.domain": "bad.example.com", "destination.ip": "192.88.99.129", "destination.port": 80, @@ -1790,6 +1894,7 @@ "network.transport": "tcp", "server.domain": "bad.example.com", "service.type": "cisco", + "source.address": "10.1.1.45", "source.ip": "10.1.1.45", "source.nat.ip": "192.88.99.1", "source.nat.port": "7890", @@ -1810,6 +1915,7 @@ "cisco.ftd.source_interface": "inside", "cisco.ftd.threat_category": "Malware", "cisco.ftd.threat_level": "very-high", + "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", "destination.nat.ip": "192.0.2.225", "destination.nat.port": "80", @@ -1829,6 +1935,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", "source.nat.port": "33340", @@ -1849,6 +1956,7 @@ "cisco.ftd.source_interface": "inside", "cisco.ftd.threat_category": "Malware", "cisco.ftd.threat_level": "very-high", + "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", "destination.nat.ip": "192.0.2.223", "destination.nat.port": "8080", @@ -1868,6 +1976,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", "source.nat.port": "33340", 
@@ -1879,6 +1988,7 @@ { "@timestamp": "2009-11-16T14:12:35.000-02:00", "cisco.ftd.message_id": "304001", + "destination.address": "192.0.2.1", "destination.ip": "192.0.2.1", "event.action": "firewall-rule", "event.code": 304001, @@ -1893,6 +2003,7 @@ "log.level": "notification", "log.offset": 10843, "service.type": "cisco", + "source.address": "10.30.30.30", "source.ip": "10.30.30.30", "tags": [ "cisco-ftd" @@ -1902,6 +2013,7 @@ { "@timestamp": "2009-11-16T14:12:36.000-02:00", "cisco.ftd.message_id": "304001", + "destination.address": "192.0.2.32", "destination.ip": "192.0.2.32", "event.action": "firewall-rule", "event.code": 304001, @@ -1916,6 +2028,7 @@ "log.level": "notification", "log.offset": 10920, "service.type": "cisco", + "source.address": "10.5.111.32", "source.ip": "10.5.111.32", "tags": [ "cisco-ftd" @@ -1926,6 +2039,7 @@ "@timestamp": "2009-11-16T14:12:37.000-02:00", "cisco.ftd.message_id": "304002", "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.19", "destination.ip": "192.0.0.19", "event.action": "firewall-rule", "event.code": 304002, @@ -1940,6 +2054,7 @@ "log.level": "notification", "log.offset": 11012, "service.type": "cisco", + "source.address": "10.69.6.39", "source.ip": "10.69.6.39", "tags": [ "cisco-ftd" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 730fe9b50d8..06b6a10b131 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -29,6 +29,7 @@ "cisco.ftd.security.src_ip": "10.0.100.30", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "output", + "destination.address": "10.0.1.20", "destination.bytes": 0, "destination.ip": "10.0.1.20", "destination.packets": 0, 
@@ -50,6 +51,7 @@ "network.protocol": "icmp", "network.transport": "icmp", "service.type": "cisco", + "source.address": "10.0.100.30", "source.bytes": 98, "source.ip": "10.0.100.30", "source.packets": 1, @@ -90,6 +92,7 @@ "cisco.ftd.security.src_ip": "10.0.100.30", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "output", + "destination.address": "10.0.1.20", "destination.bytes": 98, "destination.ip": "10.0.1.20", "destination.packets": 1, @@ -114,6 +117,7 @@ "network.protocol": "icmp", "network.transport": "icmp", "service.type": "cisco", + "source.address": "10.0.100.30", "source.bytes": 98, "source.ip": "10.0.100.30", "source.packets": 1, @@ -155,6 +159,7 @@ "cisco.ftd.security.src_port": "50074", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", + "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", "destination.bytes": 0, @@ -186,6 +191,7 @@ "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 106, "source.ip": "10.0.1.20", "source.packets": 1, @@ -231,6 +237,7 @@ "cisco.ftd.security.src_port": "49264", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", + "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", "destination.bytes": 314, @@ -265,6 +272,7 @@ "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 164, "source.ip": "10.0.1.20", "source.packets": 2, 
@@ -303,6 +311,7 @@ "cisco.ftd.security.src_port": "43228", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", + "destination.address": "52.59.244.233", "destination.as.number": 16509, "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 74, @@ -332,6 +341,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 140, "source.ip": "10.0.1.20", "source.packets": 2, @@ -379,6 +389,7 @@ "cisco.ftd.security.user_agent": "Debian APT-HTTP/1.3 (1.6.11)", "cisco.ftd.security.web_application": "Ubuntu", "cisco.ftd.source_interface": "inside", + "destination.address": "52.59.244.233", "destination.as.number": 16509, "destination.as.organization.name": "Amazon.com, Inc.", "destination.bytes": 41319018, @@ -417,6 +428,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 97454, "source.ip": "10.0.1.20", "source.packets": 1359, @@ -458,6 +470,7 @@ "cisco.ftd.security.src_port": "46000", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "inside", + "destination.address": "213.211.198.62", "destination.as.number": 43341, "destination.as.organization.name": "MDlink online service center GmbH", "destination.bytes": 74, @@ -487,6 +500,7 @@ "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 140, "source.ip": "10.0.1.20", "source.packets": 2, @@ -533,6 +547,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.security.user_agent": "curl/7.58.0", "cisco.ftd.source_interface": "inside", + "destination.address": "213.211.198.62", "destination.as.number": 43341, "destination.as.organization.name": "MDlink online service center GmbH", "destination.bytes": 690, 
@@ -568,6 +583,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 503, "source.ip": "10.0.1.20", "source.packets": 6, @@ -609,6 +625,7 @@ "cisco.ftd.security.src_ip": "10.0.100.30", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.source_interface": "output", + "destination.address": "10.0.1.20", "destination.bytes": 0, "destination.ip": "10.0.1.20", "destination.packets": 0, @@ -628,6 +645,7 @@ "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", + "source.address": "10.0.100.30", "source.bytes": 0, "source.ip": "10.0.100.30", "source.packets": 0, @@ -675,6 +693,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.security.user_agent": "curl/7.58.0", "cisco.ftd.source_interface": "input", + "destination.address": "10.0.100.30", "destination.bytes": 1927, "destination.ip": "10.0.100.30", "destination.packets": 7, @@ -701,6 +720,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.bytes": 365, "source.ip": "10.0.1.20", "source.packets": 4, diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 613165501ae..616050e1980 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -19,6 +19,7 @@ "cisco.ftd.security.src_port": "41522", "cisco.ftd.security.uri": "http://10.0.100.30:8000/exploit.exe", "cisco.ftd.security.user": "No Authentication Required", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", 
@@ -40,6 +41,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41522, "tags": [ @@ -69,6 +71,7 @@ "cisco.ftd.security.src_port": "41526", "cisco.ftd.security.uri": "http://10.0.100.30:8000/exploit.exe", "cisco.ftd.security.user": "No Authentication Required", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", @@ -90,6 +93,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41526, "tags": [ @@ -119,6 +123,7 @@ "cisco.ftd.security.src_port": "41530", "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar.com", "cisco.ftd.security.user": "No Authentication Required", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", @@ -140,6 +145,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41530, "tags": [ @@ -169,6 +175,7 @@ "cisco.ftd.security.src_port": "41534", "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar.com.txt", "cisco.ftd.security.user": "No Authentication Required", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", @@ -190,6 +197,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41534, "tags": [ 
@@ -223,6 +231,7 @@ "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar_com.zip", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.threat_category": "Unknown", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", @@ -246,6 +255,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41540, "tags": [ @@ -279,6 +289,7 @@ "cisco.ftd.security.uri": "http://10.0.100.30:8000/eicar_com.zip", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.threat_category": "Unknown", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", @@ -302,6 +313,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41542, "tags": [ @@ -339,6 +351,7 @@ "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", "cisco.ftd.threat_level": "76", + "destination.address": "10.0.100.30", "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "malware-detected", @@ -362,6 +375,7 @@ "network.protocol": "http", "network.transport": "tcp", "service.type": "cisco", + "source.address": "10.0.1.20", "source.ip": "10.0.1.20", "source.port": 41544, "tags": [ @@ -398,6 +412,7 @@ "cisco.ftd.security.uri": "http://www.eicar.org/download/eicar_com.zip", "cisco.ftd.security.user": "No Authentication Required", "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "destination.address": "213.211.198.62", "destination.as.number": 43341, "destination.as.organization.name": "MDlink online service center GmbH", "destination.geo.city_name": "Osterweddingen", 
@@ -430,6 +445,7 @@
         "network.protocol": "http",
         "network.transport": "tcp",
         "service.type": "cisco",
+        "source.address": "10.0.1.20",
         "source.ip": "10.0.1.20",
         "source.port": 46004,
         "tags": [
@@ -466,6 +482,7 @@
         "cisco.ftd.security.uri": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d",
         "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.threat_category": "Unknown",
+        "destination.address": "10.0.100.30",
         "destination.ip": "10.0.100.30",
         "destination.port": 80,
         "event.action": "malware-detected",
@@ -489,6 +506,7 @@
         "network.protocol": "http",
         "network.transport": "tcp",
         "service.type": "cisco",
+        "source.address": "10.0.1.20",
         "source.ip": "10.0.1.20",
         "source.port": 55378,
         "tags": [
@@ -526,6 +544,7 @@
         "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg",
         "cisco.ftd.threat_level": "100",
+        "destination.address": "18.197.225.123",
         "destination.as.number": 16509,
         "destination.as.organization.name": "Amazon.com, Inc.",
         "destination.geo.city_name": "Frankfurt am Main",
@@ -558,6 +577,7 @@
         "network.protocol": "http",
         "network.transport": "tcp",
         "service.type": "cisco",
+        "source.address": "10.0.1.20",
         "source.ip": "10.0.1.20",
         "source.port": 47926,
         "tags": [
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 5e441bcc548..e1ad27b11ea 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -159,27 +159,27 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '106001'"
field: "message"
- pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106002'"
field: "message"
- pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}"
+ pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106006'"
field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106007'"
field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106010'"
field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{}"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106013'"
field: "message"
- pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}"
+ pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}"
- set:
if: "ctx._temp_.cisco.message_id == '106013'"
field: "network.transport"
@@ -191,59 +191,59 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '106014'"
field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip} %{}dst %{_temp_.cisco.destination_interface}:%{destination.ip} %{}"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106015'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106016'"
field: "message"
- pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106017'"
field: "message"
- pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}"
+ pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106018'"
field: "message"
- pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}"
+ pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106020'"
field: "message"
- pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}"
+ pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106021'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106022'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106023'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}"
+ pattern: "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106027'"
field: "message"
- pattern: "%{} %{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{_temp_.cisco.list_id}\""
+ pattern: "%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group \"%{_temp_.cisco.list_id}\""
- dissect:
if: "ctx._temp_.cisco.message_id == '106100'"
field: "message"
- pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.ip}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.ip}(%{destination.port}) %{}"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106102'"
field: "message"
- pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '106103'"
field: "message"
- pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '304001'"
field: "message"
- pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}"
+ pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}"
- set:
if: "ctx._temp_.cisco.message_id == '304001'"
field: "event.outcome"
@@ -251,15 +251,15 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '304002'"
field: "message"
- pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '313001'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '313004'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.ip} on interface %{_temp_.cisco.source_interface} to %{destination.ip}: no matching session"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
- dissect:
if: "ctx._temp_.cisco.message_id == '313005'"
field: "message"
@@ -267,11 +267,11 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '313008'"
field: "message"
- pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
- dissect:
if: "ctx._temp_.cisco.message_id == '313009'"
field: "message"
- pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '322001'"
field: "message"
@@ -279,7 +279,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338001'"
field: "message"
- pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338001'"
field: "server.domain"
@@ -287,7 +287,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338002'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
- set:
if: "ctx._temp_.cisco.message_id == '338002'"
field: "server.domain"
@@ -295,15 +295,15 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338003'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338004'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338005'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338005'"
field: "server.domain"
@@ -311,7 +311,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338006'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338006'"
field: "server.domain"
@@ -319,15 +319,15 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338007'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338008'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338101'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
- set:
if: "ctx._temp_.cisco.message_id == '338101'"
field: "server.domain"
@@ -335,7 +335,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338102'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
- set:
if: "ctx._temp_.cisco.message_id == '338102'"
field: "server.domain"
@@ -343,15 +343,15 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338103'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338104'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
- dissect:
if: "ctx._temp_.cisco.message_id == '338201'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338201'"
field: "server.domain"
@@ -359,7 +359,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338202'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338202'"
field: "server.domain"
@@ -367,7 +367,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338203'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338203'"
field: "server.domain"
@@ -375,7 +375,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338204'"
field: "message"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
- set:
if: "ctx._temp_.cisco.message_id == '338204'"
field: "server.domain"
@@ -383,19 +383,19 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '338301'"
field: "message"
- pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
- set:
if: "ctx._temp_.cisco.message_id == '338301'"
- field: "client.ip"
- value: "{{destination.ip}}"
+ field: "client.address"
+ value: "{{destination.address}}"
- set:
if: "ctx._temp_.cisco.message_id == '338301'"
field: "client.port"
value: "{{destination.port}}"
- set:
if: "ctx._temp_.cisco.message_id == '338301'"
- field: "server.ip"
- value: "{{source.ip}}"
+ field: "server.address"
+ value: "{{source.address}}"
- set:
if: "ctx._temp_.cisco.message_id == '338301'"
field: "server.port"
@@ -412,13 +412,13 @@ processors: field: "message" if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)" patterns: - - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" + - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER:_temp_.cisco.icmp_code:int}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}" pattern_definitions: NOTCOLON: "[^:]*" - ECSSOURCEIPORHOST: "(?:%{IP:source.ip}|%{HOSTNAME:source.domain})" - ECSDESTIPORHOST: "(?:%{IP:destination.ip}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{IP:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: 
"(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})" # # Decode FTD's Security Event Syslog Messages @@ -541,7 +541,7 @@ processors: id: ["430002", "430003"] DstIP: target: dst_ip - ecs: [destination.ip] + ecs: [destination.address] DstPort: target: dst_port ecs: [destination.port] @@ -738,7 +738,7 @@ processors: id: ["430004", "430005"] SrcIP: target: src_ip - ecs: [source.ip] + ecs: [source.address] SrcPort: target: src_port ecs: [source.port] @@ -789,7 +789,7 @@ processors: originalClientSrcIP: target: original_client_src_ip id: ["430002", "430003"] - ecs: [client.ip] + ecs: [client.address] lang: painless source: | boolean isEmpty(def value) { @@ -1108,6 +1108,31 @@ processors: type: integer ignore_failure: true +# +# Assign ECS .ip fields from .address is a valid IP address is found, +# otherwise set .domain field. +# + - grok: + field: source.address + patterns: + - "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})" + ignore_failure: true + - grok: + field: destination.address + patterns: + - "(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})" + ignore_failure: true + - grok: + field: client.address + patterns: + - "(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" + ignore_failure: true + - grok: + field: server.address + patterns: + - "(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" + ignore_failure: true + # # Geolocation for source and destination addresses # diff --git a/x-pack/filebeat/module/cisco/shared/security-mappings.csv b/x-pack/filebeat/module/cisco/shared/security-mappings.csv index 9e3d42d0aeb..532b888f85d 100644 --- a/x-pack/filebeat/module/cisco/shared/security-mappings.csv +++ b/x-pack/filebeat/module/cisco/shared/security-mappings.csv 
@@ -2,7 +2,7 @@ intrusion,430001,ACPolicy,
 intrusion,430001,ApplicationProtocol,network.protocol
 intrusion,430001,Classification,
 intrusion,430001,Client,
-intrusion,430001,DstIP,destination.ip
+intrusion,430001,DstIP,destination.address
 intrusion,430001,DstPort,destination.port
 intrusion,430001,EgressInterface,cisco.ftd.destination_interface
 intrusion,430001,EgressZone,
@@ -23,7 +23,7 @@ intrusion,430001,Protocol,network.transport
 intrusion,430001,Revision,
 intrusion,430001,SID,
 intrusion,430001,SSLActualAction,
-intrusion,430001,SrcIP,source.ip
+intrusion,430001,SrcIP,source.address
 intrusion,430001,SrcPort,source.port
 intrusion,430001,User,user.id,user.name
 intrusion,430001,VLAN_ID,
@@ -41,7 +41,7 @@ flow_start,430002,DNSQuery,dns.question.name
 flow_start,430002,DNSRecordType,dns.question.type
 flow_start,430002,DNSResponseType,dns.response_code
 flow_start,430002,DNSSICategory,
-flow_start,430002,DstIP,destination.ip
+flow_start,430002,DstIP,destination.address
 flow_start,430002,DstPort,destination.port
 flow_start,430002,EgressInterface,cisco.ftd.destination_interface
 flow_start,430002,EgressZone,
@@ -57,13 +57,13 @@ flow_start,430002,IPReputationSICategory,
 flow_start,430002,IPSCount,
 flow_start,430002,NAPPolicy,
 flow_start,430002,NetBIOSDomain,host.hostname
-flow_start,430002,originalClientSrcIP,client.ip
+flow_start,430002,originalClientSrcIP,client.address
 flow_start,430002,Prefilter Policy,
 flow_start,430002,Protocol,network.transport
 flow_start,430002,ReferencedHost,url.domain
 flow_start,430002,SecIntMatchingIP,
 flow_start,430002,Security Group,
-flow_start,430002,SrcIP,source.ip
+flow_start,430002,SrcIP,source.address
 flow_start,430002,SrcPort,source.port
 flow_start,430002,SSLActualAction,event.outcome
 flow_start,430002,SSLCertificate,
@@ -102,7 +102,7 @@ flow_end,430003,DNSQuery,dns.question.name
 flow_end,430003,DNSRecordType,dns.question.type
 flow_end,430003,DNSResponseType,dns.response_code
 flow_end,430003,DNSSICategory,
-flow_end,430003,DstIP,destination.ip
+flow_end,430003,DstIP,destination.address
 flow_end,430003,DstPort,destination.port
 flow_end,430003,EgressInterface,cisco.ftd.destination_interface
 flow_end,430003,EgressZone,
@@ -120,7 +120,7 @@ flow_end,430003,IPReputationSICategory,
 flow_end,430003,IPSCount,
 flow_end,430003,NAPPolicy,
 flow_end,430003,NetBIOSDomain,host.hostname
-flow_end,430003,originalClientSrcIP,client.ip
+flow_end,430003,originalClientSrcIP,client.address
 flow_end,430003,Prefilter Policy,
 flow_end,430003,Protocol,network.transport
 flow_end,430003,ReferencedHost,url.domain
@@ -128,7 +128,7 @@ flow_end,430003,ResponderBytes,destination.bytes
 flow_end,430003,ResponderPackets,destination.packets
 flow_end,430003,SecIntMatchingIP,
 flow_end,430003,Security Group,
-flow_end,430003,SrcIP,source.ip
+flow_end,430003,SrcIP,source.address
 flow_end,430003,SrcPort,source.port
 flow_end,430003,SSLActualAction,event.outcome
 flow_end,430003,SSLCertificate,
@@ -159,7 +159,7 @@ file,430004,ArchiveFileName,file.name
 file,430004,ArchiveFileStatus,
 file,430004,ArchiveSHA256,file.hash.sha256
 file,430004,Client,network.application
-file,430004,DstIP,destination.ip
+file,430004,DstIP,destination.address
 file,430004,DstPort,destination.port
 file,430004,FileAction,
 file,430004,FileDirection,
@@ -174,7 +174,7 @@ file,430004,FirstPacketSecond,event.start
 file,430004,Protocol,network.transport
 file,430004,SHA_Disposition,
 file,430004,SperoDisposition,
-file,430004,SrcIP,source.ip
+file,430004,SrcIP,source.address
 file,430004,SrcPort,source.port
 file,430004,SSLActualAction,
 file,430004,SSLCertificate,
@@ -188,7 +188,7 @@ malware,430005,ArchiveFileName,file.name
 malware,430005,ArchiveFileStatus,
 malware,430005,ArchiveSHA256,file.hash.sha256
 malware,430005,Client,network.application
-malware,430005,DstIP,destination.ip
+malware,430005,DstIP,destination.address
 malware,430005,DstPort,destination.port
 malware,430005,FileAction,
 malware,430005,FileDirection,
@@ -203,7 +203,7 @@ malware,430005,FirstPacketSecond,event.start
 malware,430005,Protocol,network.transport
 malware,430005,SHA_Disposition,
 malware,430005,SperoDisposition,
-malware,430005,SrcIP,source.ip
+malware,430005,SrcIP,source.address
 malware,430005,SrcPort,source.port
 malware,430005,SSLActualAction,
 malware,430005,SSLCertificate,