[Cisco ASA] Loosen time parsing and add group and session type capture (

#1891)
elastic · Oct 11, 2021 · a8431cf · a8431cf
1 parent 3250d81
commit a8431cf
Show file tree

Hide file tree

Showing 9 changed files with 368 additions and 92 deletions.
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+  changes:
+    - description: Relax time parsing and capture group and session type in Cisco ASA module
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1891
 - version: "1.2.0"
   changes:
     - description: Add support for Cisco ASA SIP events

diff --git a/...s/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/...s/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log
@@ -0,0 +1,5 @@
+Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested
+Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout
+Oct 20 2019 15:42:54: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Paul> IP <83.212.241.149> SVC closing connection: DPD failure.
+Aug  6 2020 11:01:37: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Brian> IP <234.63.56.32> SVC closing connection: Transport closing.
+Aug  6 2020 11:01:38: %ASA-4-722051: Group <GroupPolicy_TheBeatles> User <George> IP <234.24.156.94> IPv4 Address <234.56.47.98> IPv6 address <::> assigned to session
diff --git a/...es/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/...es/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json
@@ -0,0 +1,250 @@
+{
+    "expected": [
+        {
+            "log": {
+                "level": "warning"
+            },
+            "destination": {
+                "bytes": 0,
+                "address": "234.56.12.87",
+                "ip": "234.56.12.87"
+            },
+            "source": {
+                "user": {
+                    "name": "Ringo",
+                    "group": {
+                        "name": "TheBeatles"
+                    }
+                },
+                "bytes": 32452
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "observer": {
+                "type": "firewall",
+                "product": "asa",
+                "vendor": "Cisco"
+            },
+            "@timestamp": "2020-06-08T12:59:57.000Z",
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "related": {
+                "user": [
+                    "Ringo"
+                ],
+                "ip": [
+                    "234.56.12.87"
+                ]
+            },
+            "event": {
+                "severity": 4,
+                "duration": 112000000000,
+                "reason": "User Requested",
+                "ingested": "2021-10-11T11:16:23.841932100Z",
+                "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
+                "code": "113019",
+                "kind": "event",
+                "start": "2020-06-08T12:58:05.000Z",
+                "action": "firewall-rule",
+                "end": "2020-06-08T12:59:57.000Z",
+                "category": [
+                    "network"
+                ],
+                "type": [
+                    "info"
+                ]
+            },
+            "cisco": {
+                "asa": {
+                    "session_type": "AnyConnect-Parent"
+                }
+            }
+        },
+        {
+            "log": {
+                "level": "warning"
+            },
+            "destination": {
+                "bytes": 43252324,
+                "address": "234.28.45.42",
+                "ip": "234.28.45.42"
+            },
+            "source": {
+                "user": {
+                    "name": "John",
+                    "group": {
+                        "name": "TheBeatles"
+                    }
+                },
+                "bytes": 45323434
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "observer": {
+                "type": "firewall",
+                "product": "asa",
+                "vendor": "Cisco"
+            },
+            "@timestamp": "2019-10-20T15:42:53.000Z",
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "related": {
+                "user": [
+                    "John"
+                ],
+                "ip": [
+                    "234.28.45.42"
+                ]
+            },
+            "event": {
+                "severity": 4,
+                "duration": 8854000000000,
+                "reason": "Idle Timeout",
+                "ingested": "2021-10-11T11:16:23.841946100Z",
+                "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
+                "code": "113019",
+                "kind": "event",
+                "start": "2019-10-20T13:15:19.000Z",
+                "action": "firewall-rule",
+                "end": "2019-10-20T15:42:53.000Z",
+                "category": [
+                    "network"
+                ],
+                "type": [
+                    "info"
+                ]
+            },
+            "cisco": {
+                "asa": {
+                    "session_type": "SSL"
+                }
+            }
+        },
+        {
+            "observer": {
+                "type": "firewall",
+                "product": "asa",
+                "vendor": "Cisco"
+            },
+            "@timestamp": "2019-10-20T15:42:54.000Z",
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "log": {
+                "level": "warning"
+            },
+            "event": {
+                "severity": 4,
+                "ingested": "2021-10-11T11:16:23.841954400Z",
+                "original": "Oct 20 2019 15:42:54: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cPaul\u003e IP \u003c83.212.241.149\u003e SVC closing connection: DPD failure.",
+                "code": "722037",
+                "kind": "event",
+                "action": "firewall-rule",
+                "category": [
+                    "network"
+                ],
+                "type": [
+                    "info"
+                ]
+            },
+            "cisco": {
+                "asa": {}
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "observer": {
+                "type": "firewall",
+                "product": "asa",
+                "vendor": "Cisco"
+            },
+            "@timestamp": "2020-08-06T11:01:37.000Z",
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "log": {
+                "level": "warning"
+            },
+            "event": {
+                "severity": 4,
+                "ingested": "2021-10-11T11:16:23.841961900Z",
+                "original": "Aug  6 2020 11:01:37: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cBrian\u003e IP \u003c234.63.56.32\u003e SVC closing connection: Transport closing.",
+                "code": "722037",
+                "kind": "event",
+                "action": "firewall-rule",
+                "category": [
+                    "network"
+                ],
+                "type": [
+                    "info"
+                ]
+            },
+            "cisco": {
+                "asa": {}
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "observer": {
+                "type": "firewall",
+                "product": "asa",
+                "vendor": "Cisco"
+            },
+            "@timestamp": "2020-08-06T11:01:38.000Z",
+            "ecs": {
+                "version": "1.12.0"
+            },
+            "related": {
+                "user": [
+                    "George"
+                ],
+                "ip": [
+                    "234.24.156.94"
+                ]
+            },
+            "log": {
+                "level": "warning"
+            },
+            "source": {
+                "user": {
+                    "name": "George"
+                },
+                "address": "234.24.156.94",
+                "ip": "234.24.156.94"
+            },
+            "event": {
+                "severity": 4,
+                "ingested": "2021-10-11T11:16:23.841969400Z",
+                "original": "Aug  6 2020 11:01:38: %ASA-4-722051: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cGeorge\u003e IP \u003c234.24.156.94\u003e IPv4 Address \u003c234.56.47.98\u003e IPv6 address \u003c::\u003e assigned to session",
+                "code": "722051",
+                "kind": "event",
+                "action": "firewall-rule",
+                "category": [
+                    "network"
+                ],
+                "type": [
+                    "info"
+                ]
+            },
+            "cisco": {
+                "asa": {
+                    "webvpn": {
+                        "group_name": "GroupPolicy_TheBeatles"
+                    },
+                    "assigned_ip": "234.56.47.98"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -322,7 +322,7 @@ processors:
       if: "ctx._temp_.cisco.message_id == '113019'"
       field: "message"
       description: "113019"
-      pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
+      pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}"
   - grok:
       if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
       field: "message"
@@ -1321,7 +1321,7 @@ processors:
                 } else if (c == (char)':') {
                     total = (total + cur) * 60;
                     cur = 0;
-                } else {
+                } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
                     return 0;
                 }
             }

diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml
@@ -166,6 +166,8 @@
   name: source.port
 - external: ecs
   name: source.user.name
+- external: ecs
+  name: source.user.group.name
 - external: ecs
   name: tags
 - external: ecs

diff --git a/packages/cisco_asa/data_stream/log/fields/fields.yml b/packages/cisco_asa/data_stream/log/fields/fields.yml
@@ -86,6 +86,12 @@
       description: >
         The VPN connection type
 
+    - name: session_type
+      type: keyword
+      default_field: false
+      description: >
+        Session type (for example, IPsec or UDP).
+
     - name: dap_records
       type: keyword
       description: >

diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
@@ -158,6 +158,7 @@ An example event for `log` looks as following:
 | cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword |
 | cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword |
 | cisco.asa.security | Cisco FTD security event fields. | flattened |
+| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword |
 | cisco.asa.source_interface | Source interface for the flow or event. | keyword |
 | cisco.asa.source_username | Name of the user that is the source for this event. | keyword |
 | cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword |
@@ -289,6 +290,7 @@ An example event for `log` looks as following:
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.port | Port of the source. | long |
+| source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
 | syslog.facility.code | Syslog numeric facility of the event. | long |
 | syslog.priority | Syslog priority of the event. | long |

diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: This Elastic integration collects logs from Cisco ASA network devices
 type: integration