Fix Cisco ASA and FTD parsing of unexpected domain names
This patch makes the Cisco ASA and FTD ingest pipeline handle the case
where a domain name is found for a field where an IP is expected
according to the documentation.

To do so it follows ECS guidelines, setting .address to be the raw value
and .ip or .domain from it, depending on whether it's a valid IP address or not.

Fixes elastic#14034
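The field split the commit message describes, as an added illustration in Python (not the module's ingest pipeline itself, which is not shown here): the raw value always lands in `<prefix>.address`, and `<prefix>.ip` or `<prefix>.domain` is derived from it. The sample event values are constructed; the reason for the split is that an ECS `ip`-typed field rejects a hostname at index time, so routing domains to `.domain` keeps such events from being dropped.

```python
import ipaddress
from typing import Any, Dict

# Constructed sample: raw values for fields that Cisco ASA/FTD docs say
# should be IPs, one of which actually carries a domain name.
RAW_EVENT = {
    "source": "10.0.0.5",
    "destination": "updates.example.net",
    "client": "2001:db8::1",
}


def ecs_address_fields(prefix: str, raw: str) -> Dict[str, Any]:
    """Map one endpoint value onto ECS fields.

    `<prefix>.address` always carries the raw value. If it parses as an
    IPv4/IPv6 address it is also stored in `<prefix>.ip`; otherwise the
    value is treated as a hostname and stored in `<prefix>.domain`.
    """
    raw = raw.strip()
    if not raw:
        # Nothing to map; an empty value would only create noise.
        return {}
    fields: Dict[str, Any] = {f"{prefix}.address": raw}
    try:
        # ip_address() accepts both IPv4 and IPv6 textual forms and
        # raises ValueError for anything else (e.g. a domain name).
        fields[f"{prefix}.ip"] = str(ipaddress.ip_address(raw))
    except ValueError:
        fields[f"{prefix}.domain"] = raw
    return fields


def normalize_event(raw_event: Dict[str, str]) -> Dict[str, Any]:
    """Apply the mapping to every endpoint field in a raw event."""
    out: Dict[str, Any] = {}
    for prefix, raw in raw_event.items():
        out.update(ecs_address_fields(prefix, raw))
    return out


if __name__ == "__main__":
    for key, value in sorted(normalize_event(RAW_EVENT).items()):
        print(f"{key}: {value}")
```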
adriansr committed Oct 14, 2019
1 parent 43eb364 commit eb2f86c
Showing 16 changed files with 639 additions and 72 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -161,6 +161,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix timezone parsing of iptables, mssql and panw module ingest pipelines. {pull}13926[13926]
- Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909]
- Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907]
- Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034]

*Heartbeat*

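Review bot: the new CHANGELOG entry (`- Fix cisco module's asa and ftd filesets parsing of domain names ...`) carries only `{issue}14034[14034]`, while the neighbouring entries reference both an `{issue}` and a `{pull}`; add the `{pull}` link for this change so the release notes resolve to the PR like the entries around it.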
14 changes: 7 additions & 7 deletions x-pack/filebeat/module/cisco/_meta/docs.asciidoc
Expand Up @@ -119,7 +119,7 @@ Mappings for Intrusion events fields:
|====================================
| FTD Field | Mapped fields
| ApplicationProtocol | network.protocol
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| GID | service.id
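Review bot: the DstIP row now lists only `destination.address`, but the commit message says `destination.ip` or `destination.domain` is also derived from that value; consider adding a short sentence above these tables (or listing `destination.ip`/`destination.domain` in the Mapped fields column) so users querying on `destination.ip` know the field still exists and understand when it is absent.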
Expand All @@ -129,7 +129,7 @@ Mappings for Intrusion events fields:
| IntrusionPolicy | cisco.ftd.rule_name
| Message | message
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| User | user.id, user.name
| WebApplication | network.application
Expand All @@ -147,7 +147,7 @@ Mappings for Connection and Security Intelligence events fields:
| DNSQuery | dns.question.name
| DNSRecordType | dns.question.type
| DNSResponseType | dns.response_code
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| EgressInterface | cisco.ftd.destination_interface
| HTTPReferer | http.request.referrer
Expand All @@ -162,13 +162,13 @@ Mappings for Connection and Security Intelligence events fields:
| ResponderPackets | destination.packets
| SSLActualAction | event.outcome
| SSLServerName | server.domain
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URL | url.original
| User | user.name
| UserAgent | user_agent.original
| WebApplication | network.application
| originalClientSrcIP | client.ip
| originalClientSrcIP | client.address
|====================================

Mappings for File and Malware events fields:
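Review bot: in this hunk `SSLServerName` maps straight to `server.domain` while `originalClientSrcIP` moves to `client.address`; a reader expecting one convention across endpoint fields will find the two rows inconsistent, so a brief note that SSLServerName is always a domain (and so needs no `.address` split) while SrcIP/DstIP/originalClientSrcIP values are split by type would make the table easier to follow.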
Expand All @@ -179,15 +179,15 @@ Mappings for File and Malware events fields:
| ArchiveFileName | file.name
| ArchiveSHA256 | file.hash.sha256
| Client | network.application
| DstIP | destination.ip
| DstIP | destination.address
| DstPort | destination.port
| FileName | file.name
| FilePolicy | cisco.ftd.rule_name
| FileSHA256 | file.hash.sha256
| FileSize | file.size
| FirstPacketSecond | event.start
| Protocol | network.transport
| SrcIP | source.ip
| SrcIP | source.address
| SrcPort | source.port
| URI | url.original
| User | user.name