diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1e91a41424b9..4c36c16badec 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -69,6 +69,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 *Filebeat*
+- Add handling of AAA operations for Cisco ASA module. {issue}32257[32257] {pull}32789[32789]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
index 42ffa8a85d77..7a90091d6fc3 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -91,3 +91,12 @@ May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current
 May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
 May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
 May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
+May 5 19:02:25 dev01: %ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice
+May 5 19:02:25 dev01: %ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice
+May 5 19:02:25 dev01: %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44
+May 5 19:02:25 dev01: %ASA-6-113012: AAA user authentication Successful: local database: user = alice
+May 5 19:02:25 dev01: %ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.
+May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin
+May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN
+May 5 19:02:25 dev01: %ASA-6-716039: Group User IP <172.31.98.44> Authentication: rejected, Session Type: Admin.
+May 5 19:02:25 dev01: %ASA-6-716039: Group User IP <172.31.98.44> Authentication: rejected, Session Type: WebVPN.
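Review bot: The last two added lines (the `716039` variants with `Group User IP <172.31.98.44>`) have no counterpart in the expected output: the accompanying `additional_messages.log-expected.json` hunk grows by 238 lines, which at 34 lines per event is exactly the seven events visible there (offsets 13920 through 14627), so either the pipeline drops these two messages or the golden file was not regenerated after they were added; if dropping is intended the fixture should not carry them without a test that says so. The seven events that are present are generic `"event.action": "firewall-rule"`, `"event.category": ["network"]`, `"event.type": ["info"]` records with no `user.name`, no `event.outcome`, and no `source.ip` for the `113005` message's `user IP = 172.31.98.44`, so a detection rule cannot separate an accepted login from a rejected one without parsing `event.original`. The pipeline change itself is not in this diff; if it does populate those fields, the golden file predates it and should be regenerated.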
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index c6feef5d7e81..34dfa5f225bb 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -4593,5 +4593,243 @@
 "cisco-asa",
 "forwarded"
 ]
+ },
+ {
+ "cisco.asa.message_id": "113004",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 113004,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 13920,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "113004",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 113004,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14030,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "113005",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 113005,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14139,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "113012",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 113012,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-113012: AAA user authentication Successful: local database: user = alice",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14293,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "113021",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 113021,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.",
+ "event.severity": 3,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "error",
+ "log.offset": 14396,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "716039",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 716039,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14514,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
+ },
+ {
+ "cisco.asa.message_id": "716039",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 716039,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 14627,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/asa/test/non-canonical.log b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log
new file mode 100644
index 000000000000..81cc35122d91
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log
@@ -0,0 +1,19 @@
+Jul 15 13:38:14 216.160.83.56 : %ASA-6-302013: Built inbound TCP connection 3263493120 for DMZ:shule/5802 (shule/5802) to SERVERS:10.10.227.121/80 (10.10.227.121/80)
+Jul 15 13:38:11 216.160.83.56 : %ASA-6-302013: Built outbound TCP connection 3263492189 for MG:exp_srv/10050 (exp_srv/10050) to SERVERS:10.10.227.170/46145 (10.10.224.1/46145)
+Jul 15 13:38:08 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108828 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/48347 (89.160.20.128/48347)
+Jul 15 13:38:03 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108738 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/55653 (81.2.69.192/55653)
+Jul 15 13:36:59 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 10.12.227.40/389 to exp-angle/54703 flags RST on interface SH_INFRA_MGT
+Jul 15 13:36:39 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 89.160.20.128/56594 to sh-mailgw1/25 flags FIN ACK on interface outside
+Jul 15 13:38:47 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41
+Jul 15 13:37:33 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30
+Jul 15 13:39:04 216.160.83.56 : %ASA-6-305011: Built dynamic TCP translation from SERVERS:exp-srv/50578 to outside:81.2.69.142/50578
+Jul 15 13:37:02 216.160.83.56 : %ASA-6-305011: Built dynamic UDP translation from SERVERS:exp-wait/56570 to outside:81.2.69.142/56570
+Jul 15 13:18:06 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/64593 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
+Jul 15 01:18:01 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/63513 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
+Jul 15 13:30:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
+Jul 14 01:45:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
+Jul 15 13:30:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
+Jul 14 01:45:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
+Jul 15 12:18:51 81.2.69.192 %ASA-6-113039: Group User IP <216.160.83.56> AnyConnect parent session started.
+Jul 1 09:27:13 216.160.83.56 : %ASA-6-113039: Group User IP <81.2.69.192> AnyConnect parent session started.
+Jun 14 01:22:47 81.2.69.142 %ASA-5-304001: 192.168.14.22 Accessed URL mirror:http://mirror.example.com/path/to/resource
diff --git a/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json
new file mode 100644
index 000000000000..7a78a5a2bf45
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/non-canonical.log-expected.json
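Review bot: The two `302020: Built inbound ICMP connection` lines in this fixture are pinned by the accompanying expected output (the next hunk, which runs past this view) to `"event.action": "flow-expiration"` with `"event.type": ["connection", "end"]`, although `302013: Built inbound TCP connection` in the same fixture is recorded as `firewall-rule` / `info`; anyone counting flow terminations would count ICMP connection setups among them. The same two events carry `"network.protocol": "icmp"` whereas the `302021` teardowns carry `"network.iana_number": 1` and `"network.transport": "icmp"`, so the start and end of one ICMP flow are not searchable under one field. The pipeline is not in this diff, so this may be pre-existing behaviour the golden file merely records; regenerating the golden file after the mapping is corrected would avoid locking it in.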
@@ -0,0 +1,1044 @@ +[ + { + "cisco.asa.connection_id": "3263493120", + "cisco.asa.destination_interface": "SERVERS", + "cisco.asa.mapped_destination_ip": "10.10.227.121", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_host": "shule", + "cisco.asa.mapped_source_port": 5802, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "DMZ", + "destination.address": "10.10.227.121", + "destination.ip": "10.10.227.121", + "destination.port": 80, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 3263493120 for DMZ:shule/5802 (shule/5802) to SERVERS:10.10.227.121/80 (10.10.227.121/80)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "SERVERS", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "DMZ", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "shule" + ], + "related.ip": [ + "10.10.227.121" + ], + "service.type": "cisco", + "source.address": "shule", + "source.domain": "shule", + "source.port": 5802, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "3263492189", + "cisco.asa.destination_interface": "SERVERS", + "cisco.asa.mapped_destination_ip": "10.10.224.1", + "cisco.asa.mapped_destination_port": 46145, + "cisco.asa.mapped_source_host": "exp_srv", + "cisco.asa.mapped_source_port": 10050, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "MG", + "destination.address": "10.10.227.170", + 
"destination.ip": "10.10.227.170", + "destination.nat.ip": "10.10.224.1", + "destination.port": 46145, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 3263492189 for MG:exp_srv/10050 (exp_srv/10050) to SERVERS:10.10.227.170/46145 (10.10.224.1/46145)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 166, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "SERVERS", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "MG", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp_srv" + ], + "related.ip": [ + "10.10.224.1", + "10.10.227.170" + ], + "service.type": "cisco", + "source.address": "exp_srv", + "source.domain": "exp_srv", + "source.port": 10050, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "743108828", + "cisco.asa.destination_interface": "MND_sec", + "cisco.asa.mapped_destination_ip": "89.160.20.128", + "cisco.asa.mapped_destination_port": 48347, + "cisco.asa.mapped_source_host": "ns10", + "cisco.asa.mapped_source_port": 53, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.174.100", + "destination.ip": "192.168.174.100", + "destination.nat.ip": "89.160.20.128", + "destination.port": 48347, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built 
outbound UDP connection 743108828 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/48347 (89.160.20.128/48347)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 342, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "MND_sec", + "observer.hostname": "81.2.69.142", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "ns10" + ], + "related.ip": [ + "192.168.174.100", + "89.160.20.128" + ], + "service.type": "cisco", + "source.address": "ns10", + "source.domain": "ns10", + "source.port": 53, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "743108738", + "cisco.asa.destination_interface": "MND_sec", + "cisco.asa.mapped_destination_ip": "81.2.69.192", + "cisco.asa.mapped_destination_port": 55653, + "cisco.asa.mapped_source_host": "ns10", + "cisco.asa.mapped_source_port": 53, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.174.100", + "destination.ip": "192.168.174.100", + "destination.nat.ip": "81.2.69.192", + "destination.port": 55653, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built outbound UDP connection 743108738 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/55653 (81.2.69.192/55653)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 510, + 
"network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "MND_sec", + "observer.hostname": "81.2.69.142", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "ns10" + ], + "related.ip": [ + "192.168.174.100", + "81.2.69.192" + ], + "service.type": "cisco", + "source.address": "ns10", + "source.domain": "ns10", + "source.port": 53, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "SH_INFRA_MGT", + "destination.address": "exp-angle", + "destination.domain": "exp-angle", + "destination.port": 54703, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 10.12.227.40/389 to exp-angle/54703 flags RST on interface SH_INFRA_MGT", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 676, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "SH_INFRA_MGT", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp-angle" + ], + "related.ip": [ + "10.12.227.40" + ], + "service.type": "cisco", + "source.address": "10.12.227.40", + "source.ip": "10.12.227.40", + "source.port": 389, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "outside", + "destination.address": "sh-mailgw1", + 
"destination.domain": "sh-mailgw1", + "destination.port": 25, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 89.160.20.128/56594 to sh-mailgw1/25 flags FIN ACK on interface outside", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 825, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "sh-mailgw1" + ], + "related.ip": [ + "89.160.20.128" + ], + "service.type": "cisco", + "source.address": "89.160.20.128", + "source.as.number": 29518, + "source.as.organization.name": "Bredband2 AB", + "source.geo.city_name": "Link\u00f6ping", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 58.4167, + "source.geo.location.lon": 15.6167, + "source.geo.region_iso_code": "SE-E", + "source.geo.region_name": "\u00d6sterg\u00f6tland County", + "source.ip": "89.160.20.128", + "source.port": 56594, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "SERVERS", + "destination.address": "81.2.69.142", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + 
"destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.142", + "destination.port": 62409, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 41000000000, + "event.end": "2022-07-15T13:38:47.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41", + "event.severity": 6, + "event.start": "2022-07-15T15:38:06.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 974, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "SERVERS", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp-wait" + ], + "related.ip": [ + "81.2.69.142" + ], + "service.type": "cisco", + "source.address": "exp-wait", + "source.domain": "exp-wait", + "source.port": 62409, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "SERVERS", + "destination.address": "81.2.69.142", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.142", 
+ "destination.port": 56421, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2022-07-15T13:37:33.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30", + "event.severity": 6, + "event.start": "2022-07-15T15:37:03.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 1128, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "SERVERS", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp-wait" + ], + "related.ip": [ + "81.2.69.142" + ], + "service.type": "cisco", + "source.address": "exp-wait", + "source.domain": "exp-wait", + "source.port": 56421, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "SERVERS", + "destination.address": "81.2.69.142", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.142", + "destination.port": 50578, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + 
"event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from SERVERS:exp-srv/50578 to outside:81.2.69.142/50578", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 1282, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "SERVERS", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp-srv" + ], + "related.ip": [ + "81.2.69.142" + ], + "service.type": "cisco", + "source.address": "exp-srv", + "source.domain": "exp-srv", + "source.port": 50578, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "SERVERS", + "destination.address": "81.2.69.142", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5142, + "destination.geo.location.lon": -0.0931, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "81.2.69.142", + "destination.port": 56570, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic UDP translation from SERVERS:exp-wait/56570 to outside:81.2.69.142/56570", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + 
"input.type": "log", + "log.level": "informational", + "log.offset": 1415, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "SERVERS", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp-wait" + ], + "related.ip": [ + "81.2.69.142" + ], + "service.type": "cisco", + "source.address": "exp-wait", + "source.domain": "exp-wait", + "source.port": 56570, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "SH_OSS", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "MGT_access_in", + "cisco.asa.source_interface": "MG", + "destination.address": "89.160.20.128", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.128", + "destination.port": 2511, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src MG:exp_srv/64593 dst SH_OSS:89.160.20.128/2511 by access-group \"MGT_access_in\" [0x0, 0x0]", + "event.outcome": "success", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "warning", + "log.offset": 1549, + "network.iana_number": 6, + 
"network.transport": "tcp", + "observer.egress.interface.name": "SH_OSS", + "observer.hostname": "216.160.83.56", + "observer.ingress.interface.name": "MG", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp_srv" + ], + "related.ip": [ + "89.160.20.128" + ], + "service.type": "cisco", + "source.address": "exp_srv", + "source.domain": "exp_srv", + "source.port": 64593, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "SH_OSS", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "MGT_access_in", + "cisco.asa.source_interface": "MG", + "destination.address": "89.160.20.128", + "destination.as.number": 29518, + "destination.as.organization.name": "Bredband2 AB", + "destination.geo.city_name": "Link\u00f6ping", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", + "destination.geo.location.lat": 58.4167, + "destination.geo.location.lon": 15.6167, + "destination.geo.region_iso_code": "SE-E", + "destination.geo.region_name": "\u00d6sterg\u00f6tland County", + "destination.ip": "89.160.20.128", + "destination.port": 2511, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src MG:exp_srv/63513 dst SH_OSS:89.160.20.128/2511 by access-group \"MGT_access_in\" [0x0, 0x0]", + "event.outcome": "success", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "warning", + "log.offset": 1699, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "SH_OSS", + "observer.hostname": "216.160.83.56", + 
"observer.ingress.interface.name": "MG", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56", + "exp_srv" + ], + "related.ip": [ + "89.160.20.128" + ], + "service.type": "cisco", + "source.address": "exp_srv", + "source.domain": "exp_srv", + "source.port": 63513, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 8, + "cisco.asa.mapped_source_ip": "81.2.69.192", + "cisco.asa.message_id": "302020", + "destination.domain": "eth0_fw", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 1849, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "81.2.69.142", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "eth0_fw" + ], + "related.ip": [ + "81.2.69.192" + ], + "service.type": "cisco", + "source.address": "81.2.69.192", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.192", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 8, + "cisco.asa.mapped_source_ip": "81.2.69.192", + 
"cisco.asa.message_id": "302020", + "destination.domain": "eth0_fw", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 1999, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "81.2.69.142", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "eth0_fw" + ], + "related.ip": [ + "81.2.69.192" + ], + "service.type": "cisco", + "source.address": "81.2.69.192", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.192", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 8, + "cisco.asa.mapped_source_ip": "81.2.69.192", + "cisco.asa.message_id": "302021", + "destination.domain": "eth0_fw", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + 
"fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 2149, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "81.2.69.142", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "eth0_fw" + ], + "related.ip": [ + "81.2.69.192" + ], + "service.type": "cisco", + "source.address": "81.2.69.192", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.192", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 8, + "cisco.asa.mapped_source_ip": "81.2.69.192", + "cisco.asa.message_id": "302021", + "destination.domain": "eth0_fw", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.142", + "input.type": "log", + "log.level": "informational", + "log.offset": 2294, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "81.2.69.142", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.142", + "eth0_fw" + ], + "related.ip": [ + "81.2.69.192" + ], + "service.type": "cisco", + "source.address": "81.2.69.192", + "source.geo.city_name": "London", + 
"source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5142, + "source.geo.location.lon": -0.0931, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "81.2.69.192", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113039", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113039, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-113039: Group User IP <216.160.83.56> AnyConnect parent session started.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "81.2.69.192", + "input.type": "log", + "log.level": "informational", + "log.offset": 2439, + "observer.hostname": "81.2.69.192", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "81.2.69.192" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113039", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113039, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-113039: Group User IP <81.2.69.192> AnyConnect parent session started.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "216.160.83.56", + "input.type": "log", + "log.level": "informational", + "log.offset": 2566, + "observer.hostname": "216.160.83.56", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "216.160.83.56" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "304001", + 
+ "destination.address": "mirror",
+ "destination.domain": "mirror",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 304001,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-304001: 192.168.14.22 Accessed URL mirror:http://mirror.example.com/path/to/resource",
+ "event.outcome": "success",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "81.2.69.142",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 2705,
+ "observer.hostname": "81.2.69.142",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "81.2.69.142",
+ "mirror"
+ ],
+ "related.ip": [
+ "192.168.14.22"
+ ],
+ "service.type": "cisco",
+ "source.address": "192.168.14.22",
+ "source.ip": "192.168.14.22",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ],
+ "url.domain": "mirror.example.com",
+ "url.original": "http://mirror.example.com/path/to/resource",
+ "url.path": "/path/to/resource",
+ "url.scheme": "http"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 460db3884195..01a398260fc1 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -243,7 +243,7 @@ processors:
 field: "message"
 description: "106015"
 patterns:
- - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106016'"
 field: "message"
@@ -279,8 +279,10 @@ processors:
 field: "message"
 description: "106023"
 patterns:
- - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"
+ - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"
 pattern_definitions:
+ HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
+ IPORHOST: "(?:%{IP}|%{HOSTNAME})"
 NOTCOLON: "[^:]*"
 CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
 - dissect:
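Review bot: The 106015 pattern now uses `%{IPORHOST:destination.address}`, but unlike the 106023 processor this hunk shows no `pattern_definitions` override, so it resolves to the stock grok IPORHOST whose HOSTNAME does not admit `_`; a destination such as `exp_srv` or `eth0_fw` (both present in the test fixtures) would still fail this grok while matching in 106023. If a `pattern_definitions` block exists above line 243 outside the hunk this is moot; otherwise the same `HOSTNAME` and `IPORHOST` overrides are needed here, and the 304001 grok in the hunk at line 389 has the same gap. Note also that `source.address` stays `%{IP}` in this pattern, so a named source still fails the whole match and the event is left unparsed; if that asymmetry is intentional, a one-line comment above the pattern recording why the source side stays strict would stop the next reader from "fixing" it.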
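Review bot: The `HOSTNAME`/`IPORHOST` overrides added here are repeated verbatim in the hunks at lines 343, 357, 367 and 822; grok `pattern_definitions` are per-processor so the duplication is forced, but the five copies must be kept identical by hand, so a comment on this first copy — `# keep in sync with the HOSTNAME/IPORHOST overrides in the 302013, 305012, 302020 and Teardown groks` — would help. Redefining `HOSTNAME` also changes `CISCO_USER` in the same processor, which references `%{HOSTNAME}` twice, so usernames whose host part contains `_` are now accepted as well; presumably intended, but the commit does not say so. The removed and added pattern lines read identically in this view; if the difference is whitespace-only, dropping that change would keep the diff to the definitions that actually matter.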
@@ -343,8 +345,10 @@ processors:
 field: "message"
 description: "302013, 302015"
 patterns:
- - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA}
+ - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA}
 pattern_definitions:
+ HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
+ IPORHOST: "(?:%{IP}|%{HOSTNAME})"
 NOTCOLON: "[^:]*"
 CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
 - dissect:
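Review bot: `%{IPORHOST:_temp_.natsrcip}` now lets a hostname land in `_temp_.natsrcip`, which the fixtures show being surfaced as `cisco.asa.mapped_source_ip`; if that field (or anything the later copy step outside this hunk writes it into) is mapped as `ip`, a hostname value makes the whole document fail indexing rather than just that one field, which is a quiet way to lose connection-build events. The copy step should only populate the ip-typed field when the value parses as an IP and otherwise place it in a domain-style field, the way `ECSSOURCEIPORHOST` already splits `source.address`/`source.domain` in the 302020 grok. The same widening is not applied to `_temp_.natdstip`, which stays `%{NOTSPACE}`, so the two NAT sides are now parsed by different rules; a short comment above the pattern saying which side is expected to carry named objects would make that deliberate.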
@@ -357,9 +361,11 @@ processors:
 field: "message"
 description: "305012"
 patterns:
- - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms}
+ - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms}
 pattern_definitions:
 NOTCOLON: "[^:]*"
+ HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
+ IPORHOST: "(?:%{IP}|%{HOSTNAME})"
 CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
 DURATION: "%{INT}:%{MINUTE}:%{SECOND}"
 - grok:
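Review bot: The 305012 pattern widens only the source side to `%{IPORHOST}` while `%{IP:destination.address}` stays strict, and the 305011 pattern in the hunk at line 405 does the same; a translation whose destination is a named object fails the entire grok, so neither side is captured and the event surfaces only as a grok failure (or is dropped, depending on the on_failure handling outside this view). Either widen both to `%{IPORHOST:destination.address}` or record in a comment above each pattern why the destination is expected to always be an IP. Minor: this copy inserts `HOSTNAME`/`IPORHOST` after `NOTCOLON` while the other four copies put them first; the same order everywhere makes the duplicated definitions easier to compare.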
@@ -367,8 +373,10 @@ processors:
 field: "message"
 description: "302020"
 patterns:
- - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
 pattern_definitions:
+ HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
+ IPORHOST: "(?:%{IP}|%{HOSTNAME})"
 NOTCOLON: "[^:]*"
 ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
 ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
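Review bot: `IPORHOST` is defined here but the 302020 pattern never references it — it expands `ECSDESTIPORHOST`, `ECSSOURCEIPORHOST` and `MAPPEDSRC`, the first two of which use `%{HOSTNAME}` directly — so unless `MAPPEDSRC` (defined past the end of the hunk) uses `%{IPORHOST}`, the definition is dead and only the `HOSTNAME` override does any work. The Teardown grok in the hunk at line 822 has the same unused definition. Either drop it or add `# IPORHOST unused here; HOSTNAME is overridden so that "_" is accepted in object names` above the definition so the next maintainer knows which half matters. As in the 106023 hunk, the removed and added pattern lines read identically in this view.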
@@ -389,12 +397,12 @@ processors:
 field: "message"
 description: "304001"
 patterns:
- - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
+ - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}"
 - set:
 if: "ctx._temp_.cisco.message_id == '304001'"
 field: "event.outcome"
 description: "304001"
- value: "allowed"
+ value: allowed
 - dissect:
 if: "ctx._temp_.cisco.message_id == '304002'"
 field: "message"
@@ -405,7 +413,7 @@ processors:
 field: "message"
 description: "305011"
 patterns:
- - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
+ - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313001'"
 field: "message"
@@ -822,6 +830,8 @@ processors:
 - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
 - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
 pattern_definitions:
+ HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)"
+ IPORHOST: "(?:%{IP}|%{HOSTNAME})"
 NOTCOLON: "[^:]*"
 ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
 ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"