[Cisco ASA] Add support for Authentication and VPN Events #4721

Open
jamiehynds opened this issue Nov 6, 2020 · 13 comments
Labels
enhancement New feature or request Integration:cisco_asa Cisco ASA Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices]

Comments

@jamiehynds

While the Cisco module provides coverage for some ASA authentication events, we regularly see requests for broader coverage of both authentication and VPN events.

Attached sheet includes all the relevant events that should be covered by the module.
Cisco ASA Auth and VPN Events.xlsx

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds added enhancement New feature or request Filebeat labels Nov 6, 2020
@jurim76

jurim76 commented Dec 3, 2020

Interesting, kibana shows VPN events for filebeat-7.9.3 (cisco module enabled), but not for filebeat-7.10.0.

@jamiehynds
Author

Hey @jurim76, there should be at least some VPN events showing, as our pipeline supports a few VPN events (e.g. 716002 and 713049). We haven't removed any events from the pipeline.

Could you provide some examples of events that you're no longer seeing?

@jurim76

jurim76 commented Dec 7, 2020

Hello,

Here are the missing entries for VPN events:

%ASA-4-106103: access-list VPN_FILTER_DEV denied icmp for user 'user.name' outside/172.16.24.67(8) -> outside/10.80.103.32(0) hit-cnt 1 first hit [0xc242c110, 0x0]

%ASA-5-746012: user-identity: Add IP-User mapping 10.160.103.32 - TEST\MSOL_956e694d46b7 Succeeded - PIP notification

%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user.name, IP = 90.90.90.90, Session disconnected. Session Type: SSL, Duration: 8h:46m:04s, Bytes xmt: 36535288, Bytes rcv: 12850300, Reason: Idle Timeout

Another issue is that filebeat is unable to start after installation with the cisco module enabled (filebeat 7.10.0, Debian 10).
I'm able to start filebeat after deleting /usr/share/filebeat/module/cisco/umbrella/manifest.yml

apt install filebeat
Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded. Need to get 34.3 MB of archives. After this operation, 123 MB of additional disk space will be used. Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 filebeat amd64 7.10.0 [34.3 MB] Fetched 34.3 MB in 4s (8,653 kB/s) Selecting previously unselected package filebeat. (Reading database ... 51113 files and directories currently installed.) Preparing to unpack .../filebeat_7.10.0_amd64.deb ... Unpacking filebeat (7.10.0) ... Setting up filebeat (7.10.0) ... Installing new version of config file /etc/filebeat/fields.yml ... Installing new version of config file /etc/filebeat/filebeat.reference.yml

filebeat modules enable cisco && filebeat
Exiting: Failed to start crawler: creating module reloader failed: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"

Kibana search screenshots: filebeat 7.9.3, filebeat 7.10.0
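To make concrete what "included in the ingest pipeline" means for a message such as the 113019 disconnect above, here is a small added parser (example code written for this thread, not the Filebeat cisco module's own pipeline). It splits the ASA syslog header into severity and message ID, dispatches on the ID, and turns the session-disconnect body into flat ECS-style keys. The ECS field names chosen, the cisco.asa.* names and the sample line (the quoted 113019 message, re-joined) are assumptions made for the example; unsupported IDs fall back to keeping the raw line.

```python
import re
from datetime import timedelta

# Constructed sample, modelled on the 113019 line quoted in this thread
# (the "By/tes" wrap in the pasted log is joined back into one line).
SAMPLE_113019 = (
    "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user.name, "
    "IP = 90.90.90.90, Session disconnected. Session Type: SSL, "
    "Duration: 8h:46m:04s, Bytes xmt: 36535288, Bytes rcv: 12850300, "
    "Reason: Idle Timeout"
)

# "%ASA-<severity>-<six-digit message id>: <body>"
HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")
# ASA prints session durations as [Nd:]Hh:Mm:Ss
DURATION_RE = re.compile(r"^(?:(\d+)d:)?(\d+)h:(\d+)m:(\d+)s$")


def parse_header(line):
    """Split the syslog ID header off; None if this is not an ASA message."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    return {"severity": int(m.group("sev")), "msg_id": m.group("msg_id"),
            "body": m.group("body")}


def duration_seconds(text):
    """Convert '8h:46m:04s' (optionally with a leading 'Nd:') to seconds."""
    m = DURATION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised ASA duration: %r" % text)
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return int(timedelta(days=days, hours=hours, minutes=minutes,
                         seconds=seconds).total_seconds())


def parse_113019(body):
    """Parse the session-disconnect body into ECS-style keys (assumed names)."""
    head, sep, tail = body.partition("Session disconnected.")
    if not sep:
        raise ValueError("not a 113019 body")
    fields = {}
    # "Key = value" pairs before the marker, "Key: value" pairs after it;
    # partition() keeps the colons inside the Duration value intact.
    for part in head.split(","):
        key, eq, value = part.partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    for part in tail.split(","):
        key, colon, value = part.partition(":")
        if colon:
            fields[key.strip()] = value.strip()
    return {
        "event.action": "session-disconnected",
        "event.reason": fields.get("Reason"),
        "event.duration_seconds": duration_seconds(fields["Duration"]),
        "user.name": fields.get("Username"),
        "source.ip": fields.get("IP"),
        "cisco.asa.group": fields.get("Group"),
        "cisco.asa.session_type": fields.get("Session Type"),
        "cisco.asa.bytes_xmt": int(fields["Bytes xmt"]),
        "cisco.asa.bytes_rcv": int(fields["Bytes rcv"]),
    }


# One body parser per supported message ID; extend this table per event.
PARSERS = {"113019": parse_113019}


def to_document(line):
    """Header + per-message-ID body parser; unknown IDs keep the raw line."""
    hdr = parse_header(line)
    if hdr is None:
        return None
    doc = {"event.code": hdr["msg_id"],
           "log.syslog.severity.code": hdr["severity"]}
    parser = PARSERS.get(hdr["msg_id"])
    if parser is None:
        doc["event.original"] = line  # unsupported ID: keep it, unparsed
        return doc
    doc.update(parser(hdr["body"]))
    return doc


if __name__ == "__main__":
    print(to_document(SAMPLE_113019))
```

The point of the dispatch table is the one raised in this thread: an event is only searchable by field if its ID has a body parser; anything else arrives as a raw line, so a missing ID in the table is the first thing to check when a VPN event "disappears".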

@jamiehynds
Author

Thanks for the additional information! Both 106103 and 113019 are included in our ingest pipeline, so they should definitely be appearing.

@marc-gr @P1llus any thoughts on the Filebeat error? It seems to be related to Umbrella.

@P1llus
Member

P1llus commented Dec 7, 2020

I can quickly comment on the Umbrella side, there has been a fix created for this, so the workaround should not need to be applied in the next release:
elastic/beats#22892

For the different events that are not being ingested, I would need to come back to you on that one.

@jurim76

jurim76 commented Mar 1, 2021

Hello,

The bug still exists for filebeat 7.11.1

021-03-01T10:13:07.610Z ERROR fileset/factory.go:121 Error checking input configuration: No paths were defined for input accessing config
2021-03-01T10:13:07.621Z ERROR instance/beat.go:971 Exiting: Failed to start crawler: creating module reloader failed: No paths were defined for input accessing config

@MarcusCaepio

Looks like my current issue is relevant to this elastic/beats#24721

@MarcusCaepio

Hi all,
in addition to the list from @jamiehynds, please also add the message ID %ASA-7-734003.
This message shows very important information when debugging VPN problems.
The ASA prints several messages with the same Syslog ID for the username and all Attribute/Value pairs. The log messages look like this:

%ASA-7-734003: DAP: User name, Addr ipaddr: Session Attribute attr name/value
  • user: the authenticated username
  • ipaddr: the IP address of the remote client
  • attr/value: the AAA or endpoint attribute name and value

Possible Attributes for example:

  • endpoint.anyconnect.clientversion
  • endpoint.anyconnect.platform
  • endpoint.anyconnect.devicetype
  • endpoint.anyconnect.platformversion
  • endpoint.anyconnect.deviceuniqueid
  • endpoint.anyconnect.deviceuniqueidglobal
  • endpoint.anyconnect.macaddress["0"]
  • endpoint.anyconnect.useragent

So in this case, the ASA syslog would send 8 syslog messages, all with the same username and one attribute each.
The hard part here will be to combine every message into a single document based on the username, or at least to create the necessary endpoint.anyconnect.x fields.
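One way to do the combining step described above, as an added example written for this thread and not code from the Filebeat or integrations project: fold a burst of 734003 lines into one document per session, flattening each attribute into its own endpoint.anyconnect.* key and collapsing indexed attributes such as macaddress["0"], macaddress["1"] into one list. The "attr = value" separator inside the message, the sample addresses and the attribute values are assumptions; the session key is (username, client address) rather than the username alone so that two concurrent sessions of one user do not merge.

```python
import re

# Constructed burst, modelled on the 734003 layout quoted above
# ("DAP: User name, Addr ipaddr: Session Attribute attr name/value").
# The " = " separator, addresses and attribute values are assumed.
SAMPLE_734003 = [
    "%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.clientversion = 4.10.01075",
    "%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.platform = win",
    "%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.devicetype = Laptop",
    "%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.platformversion = 10.0.19044",
    "%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.deviceuniqueid = 0123ABCD",
    # indexed attribute, deliberately out of order to show index handling
    '%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.macaddress["1"] = 66-77-88-99-AA-BB',
    '%ASA-7-734003: DAP: User user.name, Addr 198.51.100.23: Session Attribute endpoint.anyconnect.macaddress["0"] = 00-11-22-33-44-55',
    # a second session interleaved in the same burst
    "%ASA-7-734003: DAP: User other.user, Addr 203.0.113.9: Session Attribute endpoint.anyconnect.platform = mac-intel",
    # not a DAP line; must be ignored by this aggregator
    "%ASA-4-113019: Group = G, Username = other.user, IP = 203.0.113.9, Session disconnected.",
]

DAP_RE = re.compile(
    r"^%ASA-7-734003: DAP: User (?P<user>\S+), Addr (?P<addr>\S+): "
    r"Session Attribute (?P<attr>\S+)\s*=\s*(?P<value>.*)$"
)
# endpoint.anyconnect.macaddress["0"] -> base name plus numeric index
INDEXED_RE = re.compile(r'^(?P<base>.+)\["(?P<idx>\d+)"\]$')


def parse_dap_line(line):
    """Return user/addr/attr/value for a 734003 line, else None."""
    m = DAP_RE.match(line)
    return None if m is None else m.groupdict()


def aggregate_dap(lines):
    """Fold one burst of 734003 lines into one document per (user, addr)."""
    docs = {}     # (user, addr) -> partial document
    indexed = {}  # (user, addr, base attr) -> {index: value}
    for line in lines:
        rec = parse_dap_line(line)
        if rec is None:
            continue  # other message IDs belong to other parsers
        key = (rec["user"], rec["addr"])
        doc = docs.setdefault(key, {
            "event.code": "734003",
            "user.name": rec["user"],
            "source.ip": rec["addr"],
        })
        attr, value = rec["attr"], rec["value"].strip()
        im = INDEXED_RE.match(attr)
        if im is None:
            doc[attr] = value
        else:
            slot = indexed.setdefault(key + (im.group("base"),), {})
            slot[int(im.group("idx"))] = value
    # emit indexed attributes as lists ordered by their index
    for (user, addr, base), by_idx in indexed.items():
        docs[(user, addr)][base] = [by_idx[i] for i in sorted(by_idx)]
    return list(docs.values())


if __name__ == "__main__":
    for doc in aggregate_dap(SAMPLE_734003):
        print(doc)
```

In a streaming pipeline the burst boundary has to be decided explicitly: flush a session's document when a non-734003 message for the same user arrives or after a short idle timeout, otherwise attributes from a later reconnect would be folded into the earlier document.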

@jurim76

jurim76 commented Nov 26, 2021

Some notes from me.
Cisco ASA-5-722033 VPN messages are shown in Kibana in the "event.original" field, not in the "message" field, and are therefore not searchable via a KQL query.

Filebeat 7.15.1
Cisco ASA 9.14.2

@botelastic

botelastic bot commented Nov 26, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Nov 26, 2022
@jamiehynds
Author

Transferring to integrations repo.

@botelastic botelastic bot removed the Stalled label Nov 28, 2022
@jamiehynds jamiehynds transferred this issue from elastic/beats Nov 28, 2022
@botelastic

botelastic bot commented Nov 28, 2023

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Nov 28, 2023
@narph narph added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Jan 25, 2024
@botelastic botelastic bot removed the Stalled label Jan 25, 2024