[Filebeat Enhancement] Pattern for Cisco Message 734001. (elastic#16612)

The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes elastic#16212 Co-authored-by: MarcusCaepio <7324088+MarcusCaepio@users.noreply.github.com> (cherry picked from commit ac2b333)
adriansr · Mar 19, 2020 · f8eef3d · f8eef3d
1 parent f951a29
commit f8eef3d
Show file tree

Hide file tree

Showing 8 changed files with 112 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -259,6 +259,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843]
 - Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049]
 - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
+- Add Filebeat Okta module. {pull}16362[16362]
+- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]
+- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -4882,6 +4882,26 @@ type: short
 
 --
 
+*`cisco.asa.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.asa.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ftd
 
@@ -5060,6 +5080,26 @@ type: object
 
 --
 
+*`cisco.ftd.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ios
 

diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml
@@ -85,3 +85,15 @@
     type: short
     description: >
       ICMP code.
+
+  - name: connection_type
+    type: keyword
+    default_field: false
+    description: >
+      The VPN connection type
+
+  - name: dap_records
+    default_field: false
+    type: keyword
+    description: >
+      The assigned DAP records
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log b/x-pack/filebeat/module/cisco/asa/test/dap_records.log
@@ -0,0 +1 @@
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -0,0 +1,35 @@
+[
+    {
+        "cisco.asa.connection_type": "AnyConnect",
+        "cisco.asa.dap_records": [
+            "dap_1",
+            "dap_2"
+        ],
+        "cisco.asa.message_id": "734001",
+        "event.action": "firewall-rule",
+        "event.code": 734001,
+        "event.dataset": "cisco.asa",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "fileset.name": "asa",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 0,
+        "service.type": "cisco",
+        "source.address": "1.2.3.4",
+        "source.geo.city_name": "Moscow",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "RU",
+        "source.geo.location.lat": 55.7527,
+        "source.geo.location.lon": 37.6172,
+        "source.geo.region_iso_code": "RU-MOW",
+        "source.geo.region_name": "Moscow",
+        "source.ip": "1.2.3.4",
+        "tags": [
+            "cisco-asa"
+        ],
+        "user.email": "firsname.lastname@domain.net"
+    }
+]
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -90,3 +90,15 @@
     type: object
     description:
       Raw fields for Security Events.
+
+  - name: connection_type
+    type: keyword
+    default_field: false
+    description: >
+      The VPN connection type
+
+  - name: dap_records
+    type: keyword
+    default_field: false
+    description: >
+      The assigned DAP records
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -420,6 +420,14 @@ processors:
       if: "ctx._temp_.cisco.message_id == '338301'"
       field: "server.port"
       value: "{{source.port}}"
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '734001'"
+      field: "message"
+      pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+  - split:
+      field: "_temp_.cisco.dap_records"
+      separator: ",\\s+"
+      ignore_missing: true
 
   #
   # Handle 302xxx messages (Flow expiration a.k.a "Teardown")