diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b5dca9e3591..da40342f051 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -259,6 +259,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843]
 - Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049]
 - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
+- Add Filebeat Okta module. {pull}16362[16362]
+- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]
+- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 38e55e70f10..8f0800c15ae 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -4882,6 +4882,26 @@ type: short
 --
+*`cisco.asa.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.asa.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ftd
@@ -5060,6 +5080,26 @@ type: object
 --
+*`cisco.ftd.connection_type`*::
++
+--
+The VPN connection type
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.dap_records`*::
++
+--
+The assigned DAP records
+
+
+type: keyword
+
+--
+
 [float]
 === ios
diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml
index e5ada6df441..2cf9a5a5afd 100644
--- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml
@@ -85,3 +85,15 @@
 type: short
 description: >
 ICMP code.
+
+ - name: connection_type
+ type: keyword
+ default_field: false
+ description: >
+ The VPN connection type
+
+ - name: dap_records
+ default_field: false
+ type: keyword
+ description: >
+ The assigned DAP records
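Review bot: The two new descriptions in asa/_meta/fields.yml, `The VPN connection type` and `The assigned DAP records`, are sentence fragments without a terminating period, while the `ICMP code.` line they follow is a full sentence, and the generated filebeat/docs/fields.asciidoc inherits that inconsistency. `dap_records` also deserves a word on being multi-valued, since test/dap_records.log-expected.json shows it as an array: `The DAP records selected for the connection (one or more).` and `The VPN connection type (for example AnyConnect).` would match the existing style. The key order differs between the two new entries as well (`type` before `default_field` for connection_type, after it for dap_records); pick one order. The wording point applies equally to the ftd/_meta/fields.yml hunk.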
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log b/x-pack/filebeat/module/cisco/asa/test/dap_records.log
new file mode 100644
index 00000000000..a02a1136b19
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log
@@ -0,0 +1 @@
+Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
new file mode 100644
index 00000000000..998044932f0
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -0,0 +1,35 @@
+[
+ {
+ "cisco.asa.connection_type": "AnyConnect",
+ "cisco.asa.dap_records": [
+ "dap_1",
+ "dap_2"
+ ],
+ "cisco.asa.message_id": "734001",
+ "event.action": "firewall-rule",
+ "event.code": 734001,
+ "event.dataset": "cisco.asa",
+ "event.module": "cisco",
+ "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
+ "event.severity": 6,
+ "event.timezone": "-02:00",
+ "fileset.name": "asa",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 0,
+ "service.type": "cisco",
+ "source.address": "1.2.3.4",
+ "source.geo.city_name": "Moscow",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RU",
+ "source.geo.location.lat": 55.7527,
+ "source.geo.location.lon": 37.6172,
+ "source.geo.region_iso_code": "RU-MOW",
+ "source.geo.region_name": "Moscow",
+ "source.ip": "1.2.3.4",
+ "tags": [
+ "cisco-asa"
+ ],
+ "user.email": "firsname.lastname@domain.net"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index 568f33c53bb..cee10776bcc 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded gzipped contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
index 8571cd8dbfb..e1356d78886 100644
--- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
+++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -90,3 +90,15 @@
 type: object
 description: Raw fields for Security Events.
+
+ - name: connection_type
+ type: keyword
+ default_field: false
+ description: >
+ The VPN connection type
+
+ - name: dap_records
+ type: keyword
+ default_field: false
+ description: >
+ The assigned DAP records
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 75009ac95d5..9dfc96d77e8 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -420,6 +420,14 @@ processors:
 if: "ctx._temp_.cisco.message_id == '338301'"
 field: "server.port"
 value: "{{source.port}}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
 #
 # Handle 302xxx messages (Flow expiration a.k.a "Teardown")