Commit
[7.17](backport #32196) x-pack/filebeat/module/cisco: fix handling of user parsing with sgt fields (#32238)

* x-pack/filebeat/module/cisco: fix handling of user parsing with sgt fields (#32196)

(cherry picked from commit f8622ed)

# Conflicts:
#	x-pack/filebeat/module/cisco/fields.go

* fix conflict
* fix expectations
* update CHANGELOG.next.asciidoc

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
3 people authored Aug 31, 2022
1 parent 2e2d972 commit 94a1b3f
Showing 8 changed files with 322 additions and 17 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -39,6 +39,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Filebeat*

- cisco/asa: fix handling of user names when there are Security Group Tags present. {issue}32009[32009] {pull}32196[32196]
- Fix file.path field in cloudtrail fileset to use json.digestS3Object. {pull}32759[32759]
- Fix not parsing as json when `json` and `ndjson` content types have charset information in `aws-s3` input {pull}32767[32767]

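Review bot: the entry covers only the SGT handling, but the expectation changes to `x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json` in this same commit also change `source.user.name`, `destination.user.name`, `related.user` and `user.name` from `user@domain.tld` to the bare `user`. That is a user-visible change to existing field values (saved searches and detection rules keyed on the qualified name stop matching), so it deserves its own sentence here, e.g. "cisco/asa: user names of the form `user@domain` are now split into `user.name` and `user.domain`."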
20 changes: 20 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -21639,6 +21639,16 @@ type: keyword

--

*`cisco.asa.source_user_security_group_tag`*::
+
--
The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.


type: long

--

*`cisco.asa.destination_username`*::
+
--
Expand All @@ -21649,6 +21659,16 @@ type: keyword

--

*`cisco.asa.destination_user_security_group_tag`*::
+
--
The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.


type: long

--

*`cisco.asa.mapped_source_ip`*::
+
--
10 changes: 10 additions & 0 deletions x-pack/filebeat/module/cisco/asa/_meta/fields.yml
Expand Up @@ -34,11 +34,21 @@
description: >
Name of the user that is the source for this event.
- name: source_user_security_group_tag
type: long
description: >
The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
- name: destination_username
type: keyword
description: >
Name of the user that is the destination for this event.
- name: destination_user_security_group_tag
type: long
description: >
The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege.
- name: mapped_source_ip
type: ip
description: >
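Review bot: the two new descriptions read "Security Group Tag are 16-bit identifiers used to represent logical group privilege"; the subject should be plural, "Security Group Tags are 16-bit identifiers used to represent logical group privileges". Fix it here rather than in `filebeat/docs/fields.asciidoc`, since that file and `x-pack/filebeat/module/cisco/fields.go` are generated from this `_meta/fields.yml`, and regenerate both. `type: long` is fine for a 16-bit value; the expected JSON in this commit confirms the pipeline emits the tag as a number (`123`, `246`) rather than a quoted string, which is what the mapping needs.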
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log
Expand Up @@ -9,3 +9,6 @@ Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127
Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]
Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)
Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)
Jun 21 2022 11:47:09: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\dave, 246) (bob)
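Review bot: the three new samples cover source user with SGT, source user without SGT, and both users with SGTs, but none covers a destination user carrying an SGT while the source does not, a user without the `LOCAL\` domain prefix followed by an SGT (the form `(alice, 123)`), or the `user@domain` form combined with an SGT, which is the form whose parsing changes in `sample.log-expected.json` in this same commit. Those are the combinations most likely to regress the grok pattern, so one line for each would make the fix self-verifying.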
241 changes: 241 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
Expand Up @@ -573,5 +573,246 @@
"forwarded"
],
"user.name": "joe"
},
{
"cisco.asa.connection_id": "7",
"cisco.asa.destination_interface": "inside",
"cisco.asa.mapped_destination_ip": "89.160.20.112",
"cisco.asa.mapped_destination_port": 9803,
"cisco.asa.mapped_source_ip": "81.2.69.142",
"cisco.asa.mapped_source_port": 3424,
"cisco.asa.message_id": "302015",
"cisco.asa.source_interface": "outside",
"cisco.asa.source_user_security_group_tag": 123,
"cisco.asa.source_username": "LOCAL\\alice",
"cisco.asa.termination_user": "bob",
"destination.address": "89.160.20.112",
"destination.as.number": 29518,
"destination.as.organization.name": "Bredband2 AB",
"destination.geo.city_name": "Tumba",
"destination.geo.continent_name": "Europe",
"destination.geo.country_iso_code": "SE",
"destination.geo.country_name": "Sweden",
"destination.geo.location.lat": 59.2,
"destination.geo.location.lon": 17.8167,
"destination.geo.region_iso_code": "SE-AB",
"destination.geo.region_name": "Stockholm",
"destination.ip": "89.160.20.112",
"destination.port": 9803,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 302015,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "informational",
"log.offset": 1899,
"network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=",
"network.direction": "inbound",
"network.iana_number": 17,
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.ingress.interface.name": "outside",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"81.2.69.142",
"89.160.20.112"
],
"related.user": [
"alice"
],
"service.type": "cisco",
"source.address": "81.2.69.142",
"source.as.number": 20712,
"source.as.organization.name": "Andrews & Arnold Ltd",
"source.geo.city_name": "Abingdon",
"source.geo.continent_name": "Europe",
"source.geo.country_iso_code": "GB",
"source.geo.country_name": "United Kingdom",
"source.geo.location.lat": 51.7095,
"source.geo.location.lon": -1.3614,
"source.geo.region_iso_code": "GB-OXF",
"source.geo.region_name": "Oxfordshire",
"source.ip": "81.2.69.142",
"source.port": 3424,
"source.user.name": "alice",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.connection_id": "7",
"cisco.asa.destination_interface": "inside",
"cisco.asa.mapped_destination_ip": "89.160.20.112",
"cisco.asa.mapped_destination_port": 9803,
"cisco.asa.mapped_source_ip": "81.2.69.142",
"cisco.asa.mapped_source_port": 3424,
"cisco.asa.message_id": "302015",
"cisco.asa.source_interface": "outside",
"cisco.asa.source_username": "LOCAL\\alice",
"cisco.asa.termination_user": "bob",
"destination.address": "89.160.20.112",
"destination.as.number": 29518,
"destination.as.organization.name": "Bredband2 AB",
"destination.geo.city_name": "Tumba",
"destination.geo.continent_name": "Europe",
"destination.geo.country_iso_code": "SE",
"destination.geo.country_name": "Sweden",
"destination.geo.location.lat": 59.2,
"destination.geo.location.lon": 17.8167,
"destination.geo.region_iso_code": "SE-AB",
"destination.geo.region_name": "Stockholm",
"destination.ip": "89.160.20.112",
"destination.port": 9803,
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 302015,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice) to inside:89.160.20.112/9803 (89.160.20.112/9803) (bob)",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "informational",
"log.offset": 2089,
"network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=",
"network.direction": "inbound",
"network.iana_number": 17,
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.ingress.interface.name": "outside",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"81.2.69.142",
"89.160.20.112"
],
"related.user": [
"alice"
],
"service.type": "cisco",
"source.address": "81.2.69.142",
"source.as.number": 20712,
"source.as.organization.name": "Andrews & Arnold Ltd",
"source.geo.city_name": "Abingdon",
"source.geo.continent_name": "Europe",
"source.geo.country_iso_code": "GB",
"source.geo.country_name": "United Kingdom",
"source.geo.location.lat": 51.7095,
"source.geo.location.lon": -1.3614,
"source.geo.region_iso_code": "GB-OXF",
"source.geo.region_name": "Oxfordshire",
"source.ip": "81.2.69.142",
"source.port": 3424,
"source.user.name": "alice",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.connection_id": "7",
"cisco.asa.destination_interface": "inside",
"cisco.asa.destination_user_security_group_tag": 246,
"cisco.asa.destination_username": "LOCAL\\dave",
"cisco.asa.mapped_destination_ip": "89.160.20.112",
"cisco.asa.mapped_destination_port": 9803,
"cisco.asa.mapped_source_ip": "81.2.69.142",
"cisco.asa.mapped_source_port": 3424,
"cisco.asa.message_id": "302015",
"cisco.asa.source_interface": "outside",
"cisco.asa.source_user_security_group_tag": 123,
"cisco.asa.source_username": "LOCAL\\alice",
"cisco.asa.termination_user": "bob",
"destination.address": "89.160.20.112",
"destination.as.number": 29518,
"destination.as.organization.name": "Bredband2 AB",
"destination.geo.city_name": "Tumba",
"destination.geo.continent_name": "Europe",
"destination.geo.country_iso_code": "SE",
"destination.geo.country_name": "Sweden",
"destination.geo.location.lat": 59.2,
"destination.geo.location.lon": 17.8167,
"destination.geo.region_iso_code": "SE-AB",
"destination.geo.region_name": "Stockholm",
"destination.ip": "89.160.20.112",
"destination.port": 9803,
"destination.user.name": "dave",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 302015,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\\dave, 246) (bob)",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "informational",
"log.offset": 2274,
"network.community_id": "1:797FALeb94mYDqvQDgC+6NRdALQ=",
"network.direction": "inbound",
"network.iana_number": 17,
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.ingress.interface.name": "outside",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"81.2.69.142",
"89.160.20.112"
],
"related.user": [
"alice",
"dave"
],
"service.type": "cisco",
"source.address": "81.2.69.142",
"source.as.number": 20712,
"source.as.organization.name": "Andrews & Arnold Ltd",
"source.geo.city_name": "Abingdon",
"source.geo.continent_name": "Europe",
"source.geo.country_iso_code": "GB",
"source.geo.country_name": "United Kingdom",
"source.geo.location.lat": 51.7095,
"source.geo.location.lon": -1.3614,
"source.geo.region_iso_code": "GB-OXF",
"source.geo.region_name": "Oxfordshire",
"source.ip": "81.2.69.142",
"source.port": 3424,
"source.user.name": "alice",
"tags": [
"cisco-asa",
"forwarded"
],
"user.name": "dave"
}
]
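Review bot: for `LOCAL\alice` the events set `source.user.name` to `alice` and keep the qualified form only in `cisco.asa.source_username`, but no `source.user.domain: LOCAL` is emitted, whereas the `user@domain.tld` case in `sample.log-expected.json` keeps `source.user.domain: domain.tld` alongside the bare `source.user.name`. The same applies to `LOCAL\dave` and `destination.user.domain`. Either populate the domain fields here as well or state why the `DOMAIN\user` form is treated differently. Separately, `user.name` is set only in the third event (from the destination user `dave`) and not in the first two, where only a source user `alice` exists; confirm that asymmetry is intended.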
12 changes: 6 additions & 6 deletions x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
Expand Up @@ -3940,7 +3940,7 @@
"85.0.0.1"
],
"related.user": [
"user@domain.tld"
"user"
],
"service.type": "cisco",
"source.address": "85.0.0.1",
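Review bot: here and in the following hunks of this file, `related.user` now holds only `user` where it previously held `user@domain.tld`, while `source.user.domain` a few lines further down keeps `domain.tld`. Splitting name and domain matches ECS, but `related.user` is the field analysts pivot on across datasets, and the fully qualified identity no longer appears in it; consider keeping the qualified form alongside the bare name in `related.user`, or at least call the change out in `CHANGELOG.next.asciidoc`.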
Expand All @@ -3959,7 +3959,7 @@
"source.nat.port": "34534",
"source.port": 12312,
"source.user.domain": "domain.tld",
"source.user.name": "user@domain.tld",
"source.user.name": "user",
"tags": [
"cisco-asa",
"forwarded"
Expand Down Expand Up @@ -4059,7 +4059,7 @@
"destination.geo.region_name": "Aargau",
"destination.ip": "85.0.0.1",
"destination.user.domain": "domain.tld",
"destination.user.name": "user@domain.tld",
"destination.user.name": "user",
"event.action": "flow-expiration",
"event.category": [
"network"
Expand Down Expand Up @@ -4093,7 +4093,7 @@
"85.0.0.1"
],
"related.user": [
"user@domain.tld"
"user"
],
"service.type": "cisco",
"source.address": "81.0.0.1",
Expand All @@ -4109,12 +4109,12 @@
"source.geo.region_name": "Madrid",
"source.ip": "81.0.0.1",
"source.user.domain": "domain.tld",
"source.user.name": "user@domain.tld",
"source.user.name": "user",
"tags": [
"cisco-asa",
"forwarded"
],
"user.name": "user@domain.tld"
"user.name": "user"
},
{
"@timestamp": "2021-01-13T19:12:37.000-02:00",
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/fields.go

Large diffs are not rendered by default.
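Review bot: the commit message records a cherry-pick conflict in this file that was then "fixed"; since `fields.go` is generated from the module's `_meta/fields.yml`, it should be regenerated rather than merged by hand so the embedded field asset matches the `.yml` and `.asciidoc` changes above. A one-line count of one addition and one deletion is consistent with a regenerated asset, but worth confirming.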
