Filebeat Cisco ASA module - add ECS authentication fields for SIEM #32257

Closed
leweafan opened this issue Jul 7, 2022 · 7 comments · Fixed by #32789
@leweafan
Contributor

leweafan commented Jul 7, 2022

Describe the enhancement:

Cisco ASA logs have authentication messages for successful and failed attempts. But ECS fields important for SIEM, like
event.category, event.type, event.action and event.outcome, are missing.

Successful authentication messages have event.code:

  • 113005
  • 113021
  • 605004
  • 611102
  • 716039

Failure authentication messages have event.code:

  • 113004
  • 113012
  • 611101
  • 734001

Successful authentication messages should have fields:

  • event.category = "authentication"
  • event.action = "logged-in"
  • event.type = "start"
  • event.outcome = "success"

Failed authentication messages should have fields:

  • event.category = "authentication"
  • event.action = "logon-failed"
  • event.type = "start"
  • event.outcome = "failure"

Describe a specific use case for the enhancement or feature:

Successful authentication messages

%ASA-6-113004: AAA user authorization Successful : server =  LOCAL : user = admin
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-611101: User authentication succeeded: IP address: 10.10.10.10, Uname: admin
%ASA-6-734001: DAP: User xxx, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

Failed authentication messages

%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 11.11.11.11 : user = xxx: user IP = 10.10.10.10
%ASA-6-113021: Attempted console login failed. User xxx did NOT have appropriate Admin Rights
%ASA-6-605004: Login denied from 10.10.10.10/52859 to inside:11.11.11.11/8443 for user “admin”
%ASA-6-611102: User authentication failed: IP address: 10.10.10.10, Uname: admin
%ASA-6-716039: Group <DefaultADMINGroup> User <xxx> IP <10.10.10.10> Authentication: rejected, Session Type: Admin.
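The following is an added example, not the Filebeat cisco/asa module's own ingest pipeline and not code posted by the issue author. It applies the requested ECS authentication mapping to the sample lines above and then runs the kind of aggregation a SIEM rule would run once event.outcome is populated. The code-to-outcome table is keyed on the wording of the sample messages ("Successful"/"succeeded" versus "Rejected"/"failed"/"denied"); the user-name and source-address extraction patterns are assumptions fitted to those samples only, and the two trailing non-authentication lines are constructed.

```python
"""Map Cisco ASA authentication syslog lines to ECS authentication fields.

Added example for this issue; it is not the Filebeat cisco/asa module's own
ingest pipeline. The code -> outcome table follows the message text of the
sample lines posted in the issue body.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Syslog header emitted by the ASA: %ASA-<severity>-<message id>: <text>
ASA_HEADER = re.compile(r"^%ASA-(?P<severity>\d)-(?P<code>\d{6}):\s*(?P<text>.*)$")

# Message ids -> authentication outcome, keyed on the wording of the sample
# messages in the issue (assumption: derived from those samples only).
AUTH_OUTCOME_BY_CODE: Dict[str, str] = {
    "113004": "success",  # AAA user authorization Successful
    "113012": "success",  # AAA user authentication Successful
    "611101": "success",  # User authentication succeeded
    "734001": "success",  # DAP records selected for the connection
    "113005": "failure",  # AAA user authentication Rejected
    "113021": "failure",  # Attempted console login failed
    "605004": "failure",  # Login denied
    "611102": "failure",  # User authentication failed
    "716039": "failure",  # Authentication: rejected
}

# ECS fields requested in the issue. ECS declares event.category and
# event.type as arrays, so they are lists here.
ECS_AUTH_FIELDS = {
    "success": {"event.category": ["authentication"], "event.type": ["start"],
                "event.action": "logged-in", "event.outcome": "success"},
    "failure": {"event.category": ["authentication"], "event.type": ["start"],
                "event.action": "logon-failed", "event.outcome": "failure"},
}

# Ordered patterns for the user name; the ASA spells it differently per
# message id, so the more specific forms come first.
USER_PATTERNS = [
    re.compile(r"user\s*=\s*([^\s:]+)"),        # user = admin
    re.compile(r"Uname:\s*(\S+)"),              # Uname: admin
    re.compile(r"User\s+<([^>]+)>"),            # User <xxx>
    re.compile(r'user\s+["“]([^"”]+)["”]'),     # user “admin”
    re.compile(r"User\s+([^\s,]+)"),            # User xxx, ... / User xxx did NOT
]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only the client address is taken as source.ip; the AAA server address in
# 113005 is deliberately not matched.
SOURCE_IP = re.compile(r"(?:user IP\s*=|IP address:|Addr|from|IP <)\s*" + IPV4)


def enrich(line: str) -> Optional[Dict[str, object]]:
    """Return a flat ECS-style document for one ASA syslog line, or None when
    the line has no ASA header. Non-authentication ids get only base fields."""
    m = ASA_HEADER.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    doc: Dict[str, object] = {
        "event.code": m.group("code"),
        "event.severity": int(m.group("severity")),
        "message": text,
    }
    for pat in USER_PATTERNS:
        um = pat.search(text)
        if um:
            doc["user.name"] = um.group(1)
            break
    im = SOURCE_IP.search(text)
    if im:
        doc["source.ip"] = im.group(1)
    outcome = AUTH_OUTCOME_BY_CODE.get(str(doc["event.code"]))
    if outcome:
        # Copy the lists so documents never share mutable values.
        doc.update({k: list(v) if isinstance(v, list) else v
                    for k, v in ECS_AUTH_FIELDS[outcome].items()})
    return doc


def failed_logons_by_source(lines: Iterable[str]) -> Counter:
    """Count failed authentication events per source.ip, the aggregation a
    SIEM brute-force rule would run once event.outcome is populated."""
    counts: Counter = Counter()
    for line in lines:
        doc = enrich(line)
        if doc and doc.get("event.outcome") == "failure":
            counts[str(doc.get("source.ip", "unknown"))] += 1
    return counts


# Sample lines as posted in the issue, plus two constructed lines that must
# not be classified as authentication events.
SAMPLE_LINES: List[str] = [
    "%ASA-6-113004: AAA user authorization Successful : server =  LOCAL : user = admin",
    "%ASA-6-113012: AAA user authentication Successful : local database : user = admin",
    "%ASA-6-611101: User authentication succeeded: IP address: 10.10.10.10, Uname: admin",
    "%ASA-6-734001: DAP: User xxx, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy",
    "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 11.11.11.11 : user = xxx: user IP = 10.10.10.10",
    "%ASA-6-113021: Attempted console login failed. User xxx did NOT have appropriate Admin Rights",
    "%ASA-6-605004: Login denied from 10.10.10.10/52859 to inside:11.11.11.11/8443 for user “admin”",
    "%ASA-6-611102: User authentication failed: IP address: 10.10.10.10, Uname: admin",
    "%ASA-6-716039: Group <DefaultADMINGroup> User <xxx> IP <10.10.10.10> Authentication: rejected, Session Type: Admin.",
    "%ASA-6-000000: constructed message that is not an authentication event",
    "constructed line without an ASA header",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(enrich(sample))
    print(failed_logons_by_source(SAMPLE_LINES))
```

Running the block prints one enriched document per sample line and then the per-source failure counts; four of the five failures in the samples come from 10.10.10.10, and the console-login failure (113021) carries no address, so it is counted under "unknown".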
botelastic bot added the needs_team label Jul 7, 2022
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic bot removed the needs_team label Jul 18, 2022
efd6 self-assigned this Jul 19, 2022
@efd6
Contributor

efd6 commented Jul 19, 2022

@leweafan Can you give the provenance for the 716039 message? It does not match the syntax shown in the Cisco docs. The order differs, and also the user, group and IP are wrapped in angle brackets — this latter part is interesting for me for another related issue.

%ASA-6-716039: Authentication: rejected, group = name user = user , Session Type: %s

@leweafan
Contributor Author

leweafan commented Jul 19, 2022

Hello @efd6! Thanks for helping with this issue! We have the event with id 716039 on our devices and the format is correct. Please find a screenshot attached. This format is for Cisco Adaptive Security Appliance Version 9.16(3) - Released: May 26, 2021.
[screenshot: Screenshot 2022-07-19 at 13 15 29]

@efd6
Contributor

efd6 commented Jul 19, 2022

Thanks for that. I will add in the extra pattern.

@efd6
Contributor

efd6 commented Aug 24, 2022

@leweafan I believe this is fixed in v2.7.0. This version is still in snapshot.

@leweafan
Contributor Author

Hello @efd6!
I've checked the latest ingest pipeline version and did not find event codes 113005, 113021, 716039, 113004, 113012.
Also event.category=authentication and event.action=logged-in/logged-failed are missing.
Is it intentional?

@efd6
Contributor

efd6 commented Apr 24, 2023

No. They weren't in the list, so they weren't added.
