From 93cf0d0385020d1e8ac28f04f2877e92c9ee859b Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Sat, 18 Sep 2021 21:35:57 +0000 Subject: [PATCH 1/2] Synce changes from eastic/beats#26879 --- packages/cisco_asa/changelog.yml | 5 + .../pipeline/test-additional-messages.log | 9 +- ...test-additional-messages.log-expected.json | 751 ++++- .../pipeline/test-asa-fix.log-expected.json | 55 +- .../test/pipeline/test-asa.log-expected.json | 2592 +++++++++++++---- .../test-dap-records.log-expected.json | 2 +- .../pipeline/test-filtered.log-expected.json | 9 +- .../pipeline/test-hostnames.log-expected.json | 5 +- .../pipeline/test-not-ip.log-expected.json | 8 +- .../log/_dev/test/pipeline/test-sample.log | 15 + .../pipeline/test-sample.log-expected.json | 1826 +++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 133 +- .../cisco_asa/data_stream/log/fields/ecs.yml | 6 + .../data_stream/log/fields/fields.yml | 13 + packages/cisco_asa/docs/README.md | 5 + packages/cisco_asa/manifest.yml | 2 +- packages/cisco_ftd/changelog.yml | 11 +- .../log/_dev/test/pipeline/test-asa-fix.log | 7 + .../pipeline/test-asa-fix.log-expected.json | 533 +++- .../test/pipeline/test-asa.log-expected.json | 2592 +++++++++++++---- .../test/pipeline/test-dns.log-expected.json | 63 +- .../pipeline/test-filtered.log-expected.json | 4 +- ...est-firepower-management.log-expected.json | 68 +- .../pipeline/test-intrusion.log-expected.json | 12 +- .../test-no-type-id.log-expected.json | 8 +- .../pipeline/test-not-ip.log-expected.json | 8 +- .../log/_dev/test/pipeline/test-sample.log | 15 + .../pipeline/test-sample.log-expected.json | 1813 +++++++++++- ...test-security-connection.log-expected.json | 30 +- ...st-security-file-malware.log-expected.json | 30 +- ...st-security-malware-site.log-expected.json | 3 +- .../elasticsearch/ingest_pipeline/default.yml | 131 +- .../cisco_ftd/data_stream/log/fields/ecs.yml | 6 + .../data_stream/log/fields/fields.yml | 12 + packages/cisco_ftd/docs/README.md | 5 + packages/cisco_ftd/manifest.yml | 2 +- 36 files changed, 9090 insertions(+), 
1699 deletions(-)
diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index ba705e60c24..d45d80ecec7 100644
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.2"
+  changes:
+    - description: sync package with module changes (Beats PR 26879)
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1740
 - version: "1.0.1"
   changes:
     - description: Adding missing ECS fields
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
index 0c3aef67223..e1666f72432 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log
@@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10 May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) -May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 +May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 
@@ -83,3 +83,10 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound" +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in" +Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944 +May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269 +May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018 +May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466 +May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054 
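Review bot: The three new 106023/302016 sample lines use addresses outside the private and test ranges the rest of this fixture sticks to (100.66.124.24, 82.0.0.1, 85.0.0.1 and the 2a05:d016:... IPv6 prefix), so if they were lifted from a real device they may attribute traffic to identifiable hosts once committed. Consider rewriting them to documentation ranges, e.g. `src outside:192.0.2.24 dst inside:172.31.98.44` and `src OUTSIDE:2001:db8::1 dst OUTSIDE:2001:db8::2`, which keeps the parser coverage (protocol-number and IPv6 ICMP forms) unchanged. The four added 733100 lines vary the bracketed prefix (`[ Scanning]`, `[ Port-5432 5432]`, `[ RDP 3389]`) with a leading space inside the brackets; the expected-output entries for these samples are not in this chunk, so it is worth confirming the pipeline's 733100 grok tolerates that whitespace rather than failing to parse silently.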
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 4a5cd2c480a..e3edf58b596 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json @@ -24,8 +24,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:Fw2gM6G3TtQ3pHWsZKBU6LW96pQ=", "transport": "tcp", + "iana_number": "6", "direction": "inbound" }, "observer": { @@ -64,7 +65,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229896Z", + "ingested": "2021-09-18T20:35:08.757695464Z", "original": "May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", "code": "302013", "kind": "event", @@ -112,8 +113,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:IVpSg0ysDmubwwgwjXBIZ47C7h0=", "transport": "udp", + "iana_number": "17", "direction": "inbound" }, "observer": { @@ -152,7 +154,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229959500Z", + "ingested": "2021-09-18T20:35:08.757700799Z", "original": "May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", "code": "302015", "kind": "event", @@ -223,7 +225,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229967500Z", + "ingested": "2021-09-18T20:35:08.757703026Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", 
@@ -284,7 +286,7 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-09-07T09:05:47.229973400Z", + "ingested": "2021-09-18T20:35:08.757705066Z", "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "code": "609002", "kind": "event", @@ -344,7 +346,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.229978900Z", + "ingested": "2021-09-18T20:35:08.757707069Z", "original": "May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2", "code": "609001", "kind": "event", @@ -410,7 +412,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229984900Z", + "ingested": "2021-09-18T20:35:08.757709026Z", "original": "May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", "code": "302020", "kind": "event", @@ -455,7 +457,9 @@ "preserve_original_event" ], "network": { - "transport": "tcp flow" + "community_id": "1:fZKugXq2jG4PzddJfuy6XDBSNb4=", + "iana_number": "6", + "transport": "tcp" }, "observer": { "ingress": { @@ -493,7 +497,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229990100Z", + "ingested": "2021-09-18T20:35:08.757711008Z", "original": "May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", "code": "805001", "kind": "event", @@ -535,6 +539,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:RAjPAJDWj8kCZQnmEJzqMl9E6h8=", "iana_number": "6", "transport": "tcp" }, 
@@ -572,7 +577,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.229995100Z", + "ingested": "2021-09-18T20:35:08.757712996Z", "original": "May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", "code": "805002", "kind": "event", @@ -614,6 +619,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7GE6gaRtd6w4KEJWhDLHwfgp1Do=", "iana_number": "17", "transport": "udp" }, @@ -646,7 +652,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230Z", + "ingested": "2021-09-18T20:35:08.757724303Z", "original": "May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", "code": "710005", "kind": "event", @@ -728,7 +734,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230005200Z", + "ingested": "2021-09-18T20:35:08.757726370Z", "original": "May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", "code": "303002", "kind": "event", @@ -771,7 +777,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230012Z", + "ingested": "2021-09-18T20:35:08.757728480Z", "original": "May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", "code": "710006", "kind": "event", @@ -826,7 +832,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230017Z", + "ingested": "2021-09-18T20:35:08.757730865Z", "original": "May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", "code": "313005", "kind": "event", 
@@ -863,6 +869,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "iana_number": "1", "transport": "icmp" }, @@ -891,7 +898,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230021800Z", + "ingested": "2021-09-18T20:35:08.757732869Z", "original": "May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", "code": "302021", "kind": "event", @@ -951,7 +958,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230033400Z", + "ingested": "2021-09-18T20:35:08.757734823Z", "original": "May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10", "code": "609001", "kind": "event", @@ -1010,7 +1017,7 @@ "event": { "severity": 7, "duration": 0, - "ingested": "2021-09-07T09:05:47.230038500Z", + "ingested": "2021-09-18T20:35:08.757736887Z", "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "code": "609002", "kind": "event", @@ -1078,7 +1085,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230043400Z", + "ingested": "2021-09-18T20:35:08.757738918Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", "code": "302020", "kind": "event", @@ -1144,7 +1151,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230048700Z", + "ingested": "2021-09-18T20:35:08.757741060Z", "original": "May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", "code": "302020", "kind": "event", @@ -1183,9 +1190,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:4wndP8OTPk0tlCwv5mj9vURDLQ0=", + "transport": "tcp", "bytes": 0, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -1223,7 +1231,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:47.230053500Z", + "ingested": "2021-09-18T20:35:08.757743052Z", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "code": "302014", "kind": "event", @@ -1270,8 +1278,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:N0ZlFq5yxkndvN9h3uigv6XgVms=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -1309,7 +1318,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230058300Z", + "ingested": "2021-09-18T20:35:08.757745045Z", "original": "May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", "code": "302013", "kind": "event", @@ -1351,6 +1360,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:PyQWTuzAdzYav2//+TQFcJTt2os=", "iana_number": "17", "transport": "udp" }, @@ -1389,9 +1399,9 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:47.230062900Z", - "original": "May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", - "code": "302012", + "ingested": "2021-09-18T20:35:08.757747012Z", + "original": "May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "code": "305012", "kind": "event", "start": "2021-05-05T18:29:32.000Z", "action": "flow-expiration", @@ -1427,6 +1437,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "iana_number": "1", "transport": "icmp" }, 
@@ -1459,7 +1470,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230068Z", + "ingested": "2021-09-18T20:35:08.757749071Z", "original": "May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", "code": "313004", "kind": "event", @@ -1498,6 +1509,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:hoENwaIuofrQAf7gW+y4f0XXbxc=", "iana_number": "6", "transport": "tcp" }, @@ -1535,7 +1547,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230090200Z", + "ingested": "2021-09-18T20:35:08.757751106Z", "original": "May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", "code": "305011", "kind": "event", @@ -1572,8 +1584,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:+xI89PlchTpu6dxTMHpkmkd99Ns=", "transport": "tcp", + "iana_number": "6", "direction": "inbound" }, "observer": { @@ -1605,7 +1618,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:05:47.230096Z", + "ingested": "2021-09-18T20:35:08.757753112Z", "original": "May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", "code": "106001", "kind": "event", @@ -1661,9 +1674,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:eOIoJBMMmanddR7cRZ0I9vTVI7o=", + "transport": "udp", "bytes": 64585, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -1700,7 +1714,7 @@ "event": { "severity": 2, "duration": 124000000000, - "ingested": "2021-09-07T09:05:47.230101300Z", + "ingested": "2021-09-18T20:35:08.757755207Z", "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", "code": "302016", "kind": "event", 
@@ -1747,8 +1761,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1787,7 +1802,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:05:47.230105700Z", + "ingested": "2021-09-18T20:35:08.757757211Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", "code": "302015", "kind": "event", @@ -1835,8 +1850,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1875,7 +1891,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:05:47.230110400Z", + "ingested": "2021-09-18T20:35:08.757759198Z", "original": "May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", "code": "302015", "kind": "event", @@ -1917,6 +1933,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:mPK7q/c5ZVhrh2fX6Uqp5314u3M=", "iana_number": "6", "transport": "tcp" }, @@ -1954,7 +1971,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230115100Z", + "ingested": "2021-09-18T20:35:08.757761219Z", "original": "May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", "code": "106023", "kind": "event", @@ -2024,7 +2041,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230119600Z", + "ingested": "2021-09-18T20:35:08.757763220Z", "original": "May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", "code": "106021", "kind": "event", 
@@ -2062,8 +2079,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:CQXm0MA6TgkTzvcatvgQvikqqes=", "transport": "udp", + "iana_number": "17", "direction": "inbound" }, "observer": { @@ -2095,7 +2113,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:05:47.230124200Z", + "ingested": "2021-09-18T20:35:08.757765267Z", "original": "May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", "code": "106006", "kind": "event", @@ -2133,6 +2151,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:CctaOB5wLrJrIATPwYjXODlSpRk=", "iana_number": "6", "transport": "tcp" }, @@ -2165,7 +2184,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230129Z", + "ingested": "2021-09-18T20:35:08.757767268Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", "code": "106015", "kind": "event", @@ -2203,6 +2222,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ghA7Jv5D0sCP4HhHb948hjqh3H4=", "iana_number": "6", "transport": "tcp" }, @@ -2235,7 +2255,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230133400Z", + "ingested": "2021-09-18T20:35:08.757769252Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", "code": "106015", "kind": "event", @@ -2273,6 +2293,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:daEI7UiyuAFNVP1xsUsb/AHJ/1I=", "iana_number": "6", "transport": "tcp" }, 
@@ -2305,7 +2326,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230137500Z", + "ingested": "2021-09-18T20:35:08.757771231Z", "original": "May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", "code": "106015", "kind": "event", @@ -2343,6 +2364,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "iana_number": "6", "transport": "tcp" }, @@ -2380,7 +2402,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230143800Z", + "ingested": "2021-09-18T20:35:08.757773229Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", @@ -2417,6 +2439,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "iana_number": "6", "transport": "tcp" }, @@ -2454,7 +2477,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230148100Z", + "ingested": "2021-09-18T20:35:08.757775225Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", @@ -2528,7 +2551,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230152300Z", + "ingested": "2021-09-18T20:35:08.757777343Z", "original": "May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)", "code": "302022", "kind": "event", @@ -2565,9 +2588,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:A692g/lxHLbLsT0d0M1RFfiHIs0=", + "transport": "tcp", "bytes": 0, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -2605,7 +2629,7 @@ "severity": 6, "duration": 0, "reason": "Cluster flow with CLU closed on owner", - "ingested": "2021-09-07T09:05:47.230156400Z", + "ingested": "2021-09-18T20:35:08.757779327Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "code": "302023", "kind": "event", @@ -2644,9 +2668,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:pcILvYGm5J7rxuqU5/TRGZGGe3E=", + "transport": "tcp", "bytes": 0, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -2684,7 +2709,7 @@ "severity": 6, "duration": 0, "reason": "Forwarding or redirect flow removed to create director or backup flow", - "ingested": "2021-09-07T09:05:47.230160300Z", + "ingested": "2021-09-18T20:35:08.757781297Z", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "code": "302023", "kind": "event", @@ -2735,7 +2760,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230164400Z", + "ingested": "2021-09-18T20:35:08.757783325Z", "original": "May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", "code": "111009", "kind": "event", @@ -2786,7 +2811,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230168400Z", + "ingested": "2021-09-18T20:35:08.757785359Z", "original": "May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", "code": "111009", "kind": "event", @@ -2825,6 +2850,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:XgYjYk8hbPPlEnBcHqCD172wQQE=", "iana_number": "6", "transport": "tcp" }, 
@@ -2862,7 +2888,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230172100Z", + "ingested": "2021-09-18T20:35:08.757787374Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -\u003e fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2902,6 +2928,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:a99mceIcFv0NTz6Aw/+bwE1TnPA=", "iana_number": "6", "transport": "tcp" }, @@ -2939,7 +2966,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230176Z", + "ingested": "2021-09-18T20:35:08.757789357Z", "original": "May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -\u003e fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", "code": "106100", "kind": "event", @@ -2985,7 +3012,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230179800Z", + "ingested": "2021-09-18T20:35:08.757791345Z", "original": "May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", "code": "302027", "kind": "event", @@ -3028,7 +3055,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230183900Z", + "ingested": "2021-09-18T20:35:08.757793331Z", "original": "May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", "code": "302026", "kind": "event", @@ -3065,6 +3092,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:pXZbIlTv2J4XdRhqORC4IQqpKKg=", "iana_number": "17", "transport": "udp" }, 
@@ -3097,7 +3125,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:05:47.230188Z", + "ingested": "2021-09-18T20:35:08.757795351Z", "original": "May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", "code": "710005", "kind": "event", @@ -3141,7 +3169,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230192Z", + "ingested": "2021-09-18T20:35:08.757797377Z", "original": "May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", "code": "302025", "kind": "event", @@ -3184,7 +3212,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230196100Z", + "ingested": "2021-09-18T20:35:08.757799369Z", "original": "May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", "code": "302024", "kind": "event", @@ -3219,8 +3247,9 @@ "preserve_original_event" ], "network": { - "iana_number": "1", + "community_id": "1:4MHSMLtBw+4q7Wke3ztBRVwtgt0=", "transport": "icmp", + "iana_number": "1", "direction": "inbound" }, "observer": { @@ -3256,7 +3285,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:05:47.230199900Z", + "ingested": "2021-09-18T20:35:08.757801357Z", "original": "May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", "code": "106014", "kind": "event", 
@@ -3301,7 +3330,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230203800Z", + "ingested": "2021-09-18T20:35:08.757803358Z", "original": "May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", "code": "733100", "kind": "event", @@ -3348,6 +3377,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:frDwW4LN1XFwCsYClx5AmXSlEBE=", "transport": "sctp", "direction": "inbound" }, @@ -3384,7 +3414,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:05:47.230207400Z", + "ingested": "2021-09-18T20:35:08.757805351Z", "original": "May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", "code": "106010", "kind": "event", @@ -3423,6 +3453,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:gZP3lWRSgL55d5cZvFu18yXen5M=", "iana_number": "6", "transport": "tcp" }, @@ -3460,7 +3491,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230211200Z", + "ingested": "2021-09-18T20:35:08.757807370Z", "original": "May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", "code": "507003", "kind": "event", @@ -3523,7 +3554,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230215Z", + "ingested": "2021-09-18T20:35:08.757809483Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", 
@@ -3585,7 +3616,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230218800Z", + "ingested": "2021-09-18T20:35:08.757811451Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", "code": "304001", "kind": "event", @@ -3647,7 +3678,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230222600Z", + "ingested": "2021-09-18T20:35:08.757813403Z", "original": "Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", "code": "304001", "kind": "event", @@ -3709,7 +3740,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230226400Z", + "ingested": "2021-09-18T20:35:08.757815376Z", "original": "Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", "code": "304001", "kind": "event", @@ -3775,9 +3806,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:GUlUhGicslkTpg27XLqbp4L0H68=", + "transport": "tcp", "bytes": 245, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3815,7 +3847,7 @@ "severity": 6, "duration": 3602000000000, "reason": "Connection timeout", - "ingested": "2021-09-07T09:05:47.230230100Z", + "ingested": "2021-09-18T20:35:08.757817362Z", "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", "code": "302304", "kind": "event", @@ -3856,6 +3888,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:B0rqhFg9+Gx1GmU4JRhiyO3+xmE=", "iana_number": "6", "transport": "tcp" }, 
@@ -3893,7 +3926,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230233900Z", + "ingested": "2021-09-18T20:35:08.757819366Z", "original": "Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", "code": "106023", "kind": "event", @@ -3988,7 +4021,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230237900Z", + "ingested": "2021-09-18T20:35:08.757821349Z", "original": "Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -\u003e OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -4042,7 +4075,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230241700Z", + "ingested": "2021-09-18T20:35:08.757823339Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK", "code": "111004", "kind": "event", @@ -4100,7 +4133,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230245500Z", + "ingested": "2021-09-18T20:35:08.757825321Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", "code": "111010", "kind": "event", @@ -4148,7 +4181,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230249300Z", + "ingested": "2021-09-18T20:35:08.757827319Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", "code": "502103", "kind": "event", @@ -4226,7 +4259,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230253200Z", + "ingested": "2021-09-18T20:35:08.757829294Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", "code": "605004", "kind": "event", 
@@ -4286,7 +4319,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230257Z", + "ingested": "2021-09-18T20:35:08.757831286Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", "code": "611102", "kind": "event", @@ -4357,7 +4390,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230260800Z", + "ingested": "2021-09-18T20:35:08.757833272Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", "code": "605005", "kind": "event", @@ -4417,7 +4450,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230264800Z", + "ingested": "2021-09-18T20:35:08.757835298Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", "code": "611101", "kind": "event", @@ -4486,7 +4519,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230268400Z", + "ingested": "2021-09-18T20:35:08.757837281Z", "original": "Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", "code": "713049", "kind": "event", @@ -4565,7 +4598,7 @@ "event": { "severity": 4, "duration": 0, - "ingested": "2021-09-07T09:05:47.230272300Z", + "ingested": "2021-09-18T20:35:08.757839254Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "code": "113019", "kind": "event", 
@@ -4623,7 +4656,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:47.230276200Z", + "ingested": "2021-09-18T20:35:08.757841207Z", "original": "Apr 27 02:03:03 dev01: %ASA-4-722051: Group \u003cVPN5Policy\u003e User \u003cjohn\u003e IP \u003c192.168.50.3\u003e IPv4 Address \u003c192.168.50.5\u003e IPv6 address \u003c::\u003e assigned to session", "code": "722051", "kind": "event", @@ -4700,7 +4733,7 @@ "event": { "severity": 6, "reason": "User Requested", - "ingested": "2021-09-07T09:05:47.230280Z", + "ingested": "2021-09-18T20:35:08.757843357Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", "code": "716002", "kind": "event", @@ -4761,7 +4794,7 @@ "event": { "severity": 6, "reason": "Idle timeout", - "ingested": "2021-09-07T09:05:47.230303200Z", + "ingested": "2021-09-18T20:35:08.757845333Z", "original": "Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.", "code": "716002", "kind": "event", @@ -4835,6 +4868,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:9NRUY+1nxDxjlLBwQoakpBYA9sc=", "iana_number": "6", "transport": "tcp" }, @@ -4867,7 +4901,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:05:47.230308700Z", + "ingested": "2021-09-18T20:35:08.757847305Z", "original": "Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", "code": "710003", "kind": "event", @@ -4959,7 +4993,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:05:47.230313400Z", + "ingested": "2021-09-18T20:35:08.757849246Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally", "code": "434004", "kind": "event", 
@@ -5053,7 +5087,7 @@ "event": { "severity": 4, "action": "drop", - "ingested": "2021-09-07T09:05:47.230317700Z", + "ingested": "2021-09-18T20:35:08.757851239Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514", "code": "434002", "outcome": "unknown" @@ -5133,7 +5167,7 @@ "event": { "severity": 6, "reason": "Failed to locate egress interface", - "ingested": "2021-09-07T09:05:47.230321700Z", + "ingested": "2021-09-18T20:35:08.757853209Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412", "code": "110002", "kind": "event", @@ -5226,7 +5260,7 @@ "event": { "severity": 4, "reason": "Duplicate TCP SYN with different initial sequence number", - "ingested": "2021-09-07T09:05:47.230326900Z", + "ingested": "2021-09-18T20:35:08.757855171Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number", "code": "419002", "kind": "event", @@ -5280,7 +5314,6 @@ ], "network": { "type": "ipsec", - "inner": "LAN-to-LAN", "direction": "outbound" }, "observer": { @@ -5311,7 +5344,7 @@ "event": { "severity": 6, "action": "created", - "ingested": "2021-09-07T09:05:47.230331300Z", + "ingested": "2021-09-18T20:35:08.757857233Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", "code": "602303", "outcome": "success" @@ -5320,7 +5353,9 @@ "name": "admin" }, "cisco": { - "asa": {} + "asa": { + "tunnel_type": "LAN-to-LAN" + } } }, { @@ -5358,7 +5393,6 @@ ], "network": { "type": "ipsec", - "inner": "LAN-to-LAN", "direction": "outbound" }, "observer": { 
@@ -5388,7 +5422,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230335200Z", + "ingested": "2021-09-18T20:35:08.757859191Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", "code": "602304", "kind": "event", @@ -5408,7 +5442,9 @@ "name": "admin" }, "cisco": { - "asa": {} + "asa": { + "tunnel_type": "LAN-to-LAN" + } } }, { @@ -5474,7 +5510,7 @@ "event": { "severity": 5, "reason": "Received a IKE_INIT_SA request", - "ingested": "2021-09-07T09:05:47.230339300Z", + "ingested": "2021-09-18T20:35:08.757861116Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request", "code": "750002", "kind": "event", @@ -5557,7 +5593,7 @@ "event": { "severity": 4, "reason": "Negotiation aborted due to Failed to locate an item in the database", - "ingested": "2021-09-07T09:05:47.230343200Z", + "ingested": "2021-09-18T20:35:08.757863069Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database", "code": "750003", "kind": "event", @@ -5620,7 +5656,7 @@ "event": { "severity": 5, "reason": "PHASE 2 COMPLETED", - "ingested": "2021-09-07T09:05:47.230347100Z", + "ingested": "2021-09-18T20:35:08.757865045Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)", "code": "713120", "kind": "event", 
@@ -5683,7 +5719,7 @@ "event": { "severity": 5, "reason": "Duplicate first packet detected", - "ingested": "2021-09-07T09:05:47.230350900Z", + "ingested": "2021-09-18T20:35:08.757867002Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.", "code": "713202", "kind": "event", @@ -5743,7 +5779,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-09-07T09:05:47.230354800Z", + "ingested": "2021-09-18T20:35:08.757868943Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", "code": "713905", "kind": "event", @@ -5786,7 +5822,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-09-07T09:05:47.230358600Z", + "ingested": "2021-09-18T20:35:08.757870899Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!", "code": "713904", "kind": "event", @@ -5831,7 +5867,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:47.230363300Z", + "ingested": "2021-09-18T20:35:08.757872868Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", "code": "713903", "kind": "event", @@ -5875,7 +5911,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-09-07T09:05:47.230367400Z", + "ingested": "2021-09-18T20:35:08.757874808Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!", "code": "713902", "kind": "event", 
@@ -5940,7 +5976,7 @@ "event": { "severity": 6, "reason": "All IPSec SA proposals found unacceptable!", - "ingested": "2021-09-07T09:05:47.230371200Z", + "ingested": "2021-09-18T20:35:08.757876792Z", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!", "code": "713901", "kind": "event", 
@@ -5957,6 +5993,501 @@ "cisco": { "asa": {} } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", + "iana_number": "47" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757878761Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group \"inbound\"", + "code": "106023", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "asa": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "address": "fe00:afa0::1", + "ip": "fe00:afa0::1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Stockholm", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 18.05, + "lat": 59.3333 + } + }, + "as": { + "number": 16509, + "organization": { + "name": "Amazon.com, Inc." 
+ } + }, + "address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", + "iana_number": "1", + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "fe00:afa0::1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757880710Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group \"OUTSIDE_in\"", + "code": "106023", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "rule_name": "OUTSIDE_in", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 500, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "United Kingdom", + "location": { + "lon": -0.1224, + "lat": 51.4964 + }, + "country_iso_code": "GB" + }, + "as": { + "number": 5089, + "organization": { 
+ "name": "Virgin Media Limited" + } + }, + "address": "82.0.0.1", + "port": 500, + "ip": "82.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", + "transport": "udp", + "bytes": 4671944, + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "identity" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "82.0.0.1", + "85.0.0.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "duration": 332660000000000, + "ingested": "2021-09-18T20:35:08.757882669Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", + "code": "302016", + "kind": "event", + "start": "2020-04-23T05:38:43.000Z", + "action": "flow-expiration", + "end": "2020-04-27T02:03:03.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "destination_interface": "identity", + "connection_id": "123364823", + "source_interface": "OUTSIDE" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757884598Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. 
Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "burst": { + "configured_avg_rate": "4", + "cumulative_count": "19269", + "configured_rate": "8", + "avg_rate": "5", + "current_rate": "0", + "id": "rate-2", + "object": "Scanning" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757886528Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "6018", + "configured_rate": "10", + "avg_rate": "5", + "current_rate": "0", + "id": "rate-1", + "object": "192.168.0.1" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757888497Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. 
Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "12466", + "configured_rate": "10", + "avg_rate": "20", + "current_rate": "8", + "id": "rate-1", + "object": "Port-5432 5432" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T20:35:08.757890446Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "3054", + "configured_rate": "10", + "avg_rate": "5", + "current_rate": "63", + "id": "rate-1", + "object": "RDP 3389" + } + } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index 8585399b6a1..d7a6cc0af3e 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json 
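Review bot: The new `cisco.asa.burst.*` counters in the four 733100 fixtures are pinned as strings (`"configured_rate": "8"`, `"current_rate": "63"`, `"cumulative_count": "3054"`), which blocks the numeric comparison a detection would want on a scanning-rate event (current rate versus configured rate, cumulative count over a window) unless the field mapping coerces them on index. The pipeline in `default.yml` is outside this chunk, but a `convert` processor to `long` on those five fields would let these fixtures carry integers instead. The same events are classified as `"category": ["network"]`, `"type": ["info"]`, `"action": "firewall-rule"`, although 733100 is ASA's threat-detection drop-rate message; `event.category: ["intrusion_detection"]` with `event.kind: "alert"` would arguably be the more faithful ECS reading, which is a judgment call for the package owner rather than a defect.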
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -10,17 +10,21 @@ "ip": "10.233.123.123" }, "source": { - "port": 53723, "address": "10.123.123.123", + "port": 53723, + "user": { + "name": "Elastic" + }, "ip": "10.123.123.123" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", + "transport": "udp", "bytes": 148, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -43,6 +47,9 @@ "version": "1.11.0" }, "related": { + "user": [ + "Elastic" + ], "hosts": [ "SNL-ASA-VPN-A01" ], @@ -57,7 +64,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:53.884473600Z", + "ingested": "2021-09-18T20:35:45.721879282Z", "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", @@ -74,7 +81,7 @@ }, "cisco": { "asa": { - "source_username": "(LOCAL\\Elastic)", + "source_username": "LOCAL\\Elastic", "destination_interface": "Inside", "termination_user": "zzzzzz", "connection_id": "110577675", @@ -98,6 +105,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "iana_number": "1", "transport": "icmp" }, @@ -134,7 +142,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:53.884491300Z", + "ingested": "2021-09-18T20:35:45.721884195Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -174,6 +182,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "iana_number": "6", "transport": "tcp" }, 
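Review bot: In hunk `@@ -10,17 +10,21 @@` the `(LOCAL\\Elastic)` suffix is now surfaced as `source.user.name: "Elastic"` and `related.user: ["Elastic"]`, but the `LOCAL` domain part is discarded from the ECS view and survives only in `cisco.asa.source_username`; ECS has `user.domain` for exactly this, so populating `source.user.domain: "LOCAL"` alongside `source.user.name` would keep both halves queryable, with the expected value becoming `"user": { "domain": "LOCAL", "name": "Elastic" }`. The same applies to `@@ -235,14 +244,18 @@` on the next line. The pipeline change in `default.yml` is not in this chunk, so where the split is done cannot be checked here. The 106100 message further down in this file that carries `(LOCAL\\\\username)` only shows a community_id addition in its hunk, so whether that form is also parsed into `source.user` is not visible from this diff.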
@@ -203,7 +212,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:53.884495600Z", + "ingested": "2021-09-18T20:35:45.721886186Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", @@ -235,14 +244,18 @@ "ip": "10.123.123.123" }, "source": { - "port": 57621, "address": "10.123.123.123", + "port": 57621, + "user": { + "name": "Elastic" + }, "ip": "10.123.123.123" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "iana_number": "17", "transport": "udp" }, @@ -267,6 +280,9 @@ "version": "1.11.0" }, "related": { + "user": [ + "Elastic" + ], "hosts": [ "SNL-ASA-VPN-A01" ], @@ -279,7 +295,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:53.884499200Z", + "ingested": "2021-09-18T20:35:45.721888057Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -295,7 +311,7 @@ }, "cisco": { "asa": { - "source_username": "(LOCAL\\Elastic)", + "source_username": "LOCAL\\Elastic", "destination_interface": "Outside", "rule_name": "Inside_access_in", "source_interface": "Inside" @@ -340,7 +356,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:05:53.884502500Z", + "ingested": "2021-09-18T20:35:45.721889891Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", 
@@ -401,7 +417,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:05:53.884505500Z", + "ingested": "2021-09-18T20:35:45.721891708Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1", "code": "313008", "kind": "event", @@ -441,6 +457,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=", "iana_number": "1", "transport": "icmp" }, @@ -471,7 +488,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:53.884508200Z", + "ingested": "2021-09-18T20:35:45.721893488Z", "original": "Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8", "code": "313009", "kind": "event", @@ -515,6 +532,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "iana_number": "17", "transport": "udp" }, @@ -545,7 +563,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:53.884511200Z", + "ingested": "2021-09-18T20:35:45.721895270Z", "original": "Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", @@ -585,6 +603,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "iana_number": "17", "transport": "udp" }, @@ -615,7 +634,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:53.884514Z", + "ingested": "2021-09-18T20:35:45.721897074Z", "original": "Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -\u003e inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", "code": "106100", "kind": "event", 
@@ -655,6 +674,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=", "iana_number": "17", "transport": "udp" }, @@ -688,7 +708,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:05:53.884516800Z", + "ingested": "2021-09-18T20:35:45.721898861Z", "original": "Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -\u003e inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106102", "kind": "event", @@ -743,6 +763,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=", "iana_number": "1", "transport": "icmp" }, @@ -776,7 +797,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T09:05:53.884519600Z", + "ingested": "2021-09-18T20:35:45.721900666Z", "original": "Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -\u003e outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", "code": "106103", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index ae7b542420d..bb59c49ce0c 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -22,6 +22,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "iana_number": "6", "transport": "tcp" }, @@ -59,7 +60,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749857400Z", + "ingested": "2021-09-18T20:35:50.122669471Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", "code": "305011", "kind": "event", 
@@ -100,8 +101,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -138,7 +140,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749875500Z", + "ingested": "2021-09-18T20:35:50.122674311Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", @@ -184,9 +186,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", + "transport": "tcp", "bytes": 38110, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -224,7 +227,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749880300Z", + "ingested": "2021-09-18T20:35:50.122676314Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", @@ -269,9 +272,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", + "transport": "tcp", "bytes": 44010, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -309,7 +313,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749883600Z", + "ingested": "2021-09-18T20:35:50.122678191Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -354,9 +358,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", + "transport": "tcp", "bytes": 7652, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -394,7 +399,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749886600Z", + "ingested": "2021-09-18T20:35:50.122680037Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", @@ -439,9 +444,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", + "transport": "tcp", "bytes": 7062, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -479,7 +485,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749889400Z", + "ingested": "2021-09-18T20:35:50.122681838Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", @@ -524,9 +530,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", + "transport": "tcp", "bytes": 5738, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -564,7 +571,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749892300Z", + "ingested": "2021-09-18T20:35:50.122683614Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -609,9 +616,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", + "transport": "tcp", "bytes": 4176, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -649,7 +657,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749895Z", + "ingested": "2021-09-18T20:35:50.122685452Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", @@ -694,9 +702,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", + "transport": "tcp", "bytes": 1715, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -734,7 +743,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749897500Z", + "ingested": "2021-09-18T20:35:50.122687259Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", @@ -779,9 +788,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", + "transport": "tcp", "bytes": 45595, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -819,7 +829,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749900200Z", + "ingested": "2021-09-18T20:35:50.122689038Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -864,9 +874,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", + "transport": "tcp", "bytes": 27359, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -904,7 +915,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749903Z", + "ingested": "2021-09-18T20:35:50.122690809Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", @@ -949,9 +960,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", + "transport": "tcp", "bytes": 4457, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -989,7 +1001,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749906100Z", + "ingested": "2021-09-18T20:35:50.122692944Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", @@ -1034,9 +1046,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", + "transport": "tcp", "bytes": 26709, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1074,7 +1087,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749909Z", + "ingested": "2021-09-18T20:35:50.122694794Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1119,9 +1132,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", + "transport": "tcp", "bytes": 22097, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1159,7 +1173,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749911700Z", + "ingested": "2021-09-18T20:35:50.122696629Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", @@ -1204,9 +1218,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", + "transport": "tcp", "bytes": 2209, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1244,7 +1259,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749914400Z", + "ingested": "2021-09-18T20:35:50.122698449Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", @@ -1289,9 +1304,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", + "transport": "tcp", "bytes": 10404, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -1329,7 +1345,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749917Z", + "ingested": "2021-09-18T20:35:50.122700308Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", @@ -1374,9 +1390,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", + "transport": "tcp", "bytes": 123694, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1414,7 +1431,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749919900Z", + "ingested": "2021-09-18T20:35:50.122702237Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", @@ -1459,9 +1476,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", + "transport": "tcp", "bytes": 35835, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1499,7 +1517,7 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.749922600Z", + "ingested": "2021-09-18T20:35:50.122704125Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1544,9 +1562,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", + "transport": "tcp", "bytes": 0, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1584,7 +1603,7 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-09-07T09:05:54.749925100Z", + "ingested": "2021-09-18T20:35:50.122705989Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", @@ -1629,6 +1648,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "iana_number": "17", "transport": "udp" }, @@ -1666,7 +1686,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749927800Z", + "ingested": "2021-09-18T20:35:50.122707822Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "code": "305011", "kind": "event", @@ -1707,8 +1727,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1745,7 +1766,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749930300Z", + "ingested": "2021-09-18T20:35:50.122709599Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -1791,9 +1812,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", + "transport": "udp", "bytes": 148, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -1830,7 +1852,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749933Z", + "ingested": "2021-09-18T20:35:50.122711403Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", @@ -1875,8 +1897,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1913,7 +1936,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749935600Z", + "ingested": "2021-09-18T20:35:50.122713188Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1959,9 +1982,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", + "transport": "udp", "bytes": 164, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -1998,7 +2022,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749939400Z", + "ingested": "2021-09-18T20:35:50.122715157Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", 
@@ -2043,6 +2067,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "iana_number": "6", "transport": "tcp" }, @@ -2080,7 +2105,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749942600Z", + "ingested": "2021-09-18T20:35:50.122716982Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "code": "305011", "kind": "event", @@ -2121,8 +2146,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -2159,7 +2185,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749954100Z", + "ingested": "2021-09-18T20:35:50.122718800Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", @@ -2205,6 +2231,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "iana_number": "6", "transport": "tcp" }, @@ -2242,7 +2269,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749960700Z", + "ingested": "2021-09-18T20:35:50.122720596Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "code": "305011", "kind": "event", @@ -2283,8 +2310,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -2321,7 +2349,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749964700Z", + "ingested": "2021-09-18T20:35:50.122722424Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", @@ -2367,8 +2395,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2405,7 +2434,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749967600Z", + "ingested": "2021-09-18T20:35:50.122724233Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2451,8 +2480,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2489,7 +2519,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749972100Z", + "ingested": "2021-09-18T20:35:50.122726087Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2535,9 +2565,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", + "transport": "udp", "bytes": 111, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -2574,7 +2605,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749976200Z", + "ingested": "2021-09-18T20:35:50.122727898Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2619,9 +2650,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", + "transport": "udp", "bytes": 237, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -2658,7 +2690,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749979600Z", + "ingested": "2021-09-18T20:35:50.122729735Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", @@ -2703,6 +2735,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "iana_number": "6", "transport": "tcp" }, @@ -2740,7 +2773,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749982600Z", + "ingested": "2021-09-18T20:35:50.122731565Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "code": "305011", "kind": "event", @@ -2781,8 +2814,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -2819,7 +2853,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749985500Z", + "ingested": "2021-09-18T20:35:50.122733405Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2865,6 +2899,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "iana_number": "17", "transport": "udp" }, @@ -2902,7 +2937,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749988500Z", + "ingested": "2021-09-18T20:35:50.122735390Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "code": "305011", "kind": "event", @@ -2943,8 +2978,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2981,7 +3017,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749991100Z", + "ingested": "2021-09-18T20:35:50.122737212Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3027,8 +3063,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -3065,7 +3102,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.749993600Z", + "ingested": "2021-09-18T20:35:50.122738992Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3111,9 +3148,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", + "transport": "udp", "bytes": 87, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3150,7 +3188,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749996300Z", + "ingested": "2021-09-18T20:35:50.122740782Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", @@ -3195,9 +3233,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", + "transport": "udp", "bytes": 221, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3234,7 +3273,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.749999100Z", + "ingested": "2021-09-18T20:35:50.122742539Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3279,6 +3318,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "iana_number": "6", "transport": "tcp" }, 
@@ -3316,7 +3356,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750001700Z", + "ingested": "2021-09-18T20:35:50.122744314Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "code": "305011", "kind": "event", @@ -3357,8 +3397,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3395,7 +3436,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750004200Z", + "ingested": "2021-09-18T20:35:50.122746127Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3441,8 +3482,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -3479,7 +3521,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750006700Z", + "ingested": "2021-09-18T20:35:50.122747886Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3525,8 +3567,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -3563,7 +3606,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750009500Z", + "ingested": "2021-09-18T20:35:50.122749638Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3609,9 +3652,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", + "transport": "udp", "bytes": 101, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3648,7 +3692,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750012Z", + "ingested": "2021-09-18T20:35:50.122751408Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3693,9 +3737,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", + "transport": "udp", "bytes": 126, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3732,7 +3777,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750014800Z", + "ingested": "2021-09-18T20:35:50.122753174Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3777,6 +3822,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "iana_number": "6", "transport": "tcp" }, 
@@ -3814,7 +3860,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750017400Z", + "ingested": "2021-09-18T20:35:50.122754946Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "code": "305011", "kind": "event", @@ -3855,8 +3901,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3893,7 +3940,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750020Z", + "ingested": "2021-09-18T20:35:50.122756743Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", @@ -3939,9 +3986,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", + "transport": "tcp", "bytes": 862, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3979,7 +4027,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750022600Z", + "ingested": "2021-09-18T20:35:50.122758510Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", @@ -4024,8 +4072,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -4062,7 +4111,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750042900Z", + "ingested": "2021-09-18T20:35:50.122760282Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4108,9 +4157,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -4147,7 +4197,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750046700Z", + "ingested": "2021-09-18T20:35:50.122762040Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4192,9 +4242,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", + "transport": "udp", "bytes": 176, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -4231,7 +4282,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750050Z", + "ingested": "2021-09-18T20:35:50.122763913Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4276,6 +4327,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "iana_number": "6", "transport": "tcp" }, 
@@ -4313,7 +4365,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750052600Z", + "ingested": "2021-09-18T20:35:50.122765733Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "code": "305011", "kind": "event", @@ -4354,8 +4406,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -4392,7 +4445,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750055300Z", + "ingested": "2021-09-18T20:35:50.122767525Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", @@ -4438,6 +4491,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "iana_number": "6", "transport": "tcp" }, @@ -4475,7 +4529,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750057900Z", + "ingested": "2021-09-18T20:35:50.122769312Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "code": "305011", "kind": "event", @@ -4516,8 +4570,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -4554,7 +4609,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750060400Z", + "ingested": "2021-09-18T20:35:50.122771125Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4600,6 +4655,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "iana_number": "6", "transport": "tcp" }, @@ -4637,7 +4693,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750063300Z", + "ingested": "2021-09-18T20:35:50.122772947Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "code": "305011", "kind": "event", @@ -4678,8 +4734,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -4716,7 +4773,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750065900Z", + "ingested": "2021-09-18T20:35:50.122774777Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", @@ -4762,8 +4819,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -4800,7 +4858,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750068400Z", + "ingested": "2021-09-18T20:35:50.122776662Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4846,9 +4904,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -4885,7 +4944,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750070900Z", + "ingested": "2021-09-18T20:35:50.122778458Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4930,6 +4989,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "iana_number": "6", "transport": "tcp" }, @@ -4967,7 +5027,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750073600Z", + "ingested": "2021-09-18T20:35:50.122780246Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "code": "305011", "kind": "event", @@ -5008,8 +5068,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -5046,7 +5107,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750076400Z", + "ingested": "2021-09-18T20:35:50.122782038Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5092,6 +5153,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "iana_number": "6", "transport": "tcp" }, @@ -5129,7 +5191,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750079700Z", + "ingested": "2021-09-18T20:35:50.122783802Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "code": "305011", "kind": "event", @@ -5170,8 +5232,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5208,7 +5271,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750082300Z", + "ingested": "2021-09-18T20:35:50.122785620Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", @@ -5254,8 +5317,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -5292,7 +5356,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750085900Z", + "ingested": "2021-09-18T20:35:50.122787480Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5338,9 +5402,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", + "transport": "tcp", "bytes": 593, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -5378,7 +5443,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750088500Z", + "ingested": "2021-09-18T20:35:50.122789309Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5423,6 +5488,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "iana_number": "6", "transport": "tcp" }, @@ -5460,7 +5526,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750091200Z", + "ingested": "2021-09-18T20:35:50.122791105Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "code": "305011", "kind": "event", @@ -5501,8 +5567,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -5539,7 +5606,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750094Z", + "ingested": "2021-09-18T20:35:50.122792899Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", @@ -5585,9 +5652,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", + "transport": "udp", "bytes": 375, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -5624,7 +5692,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750096600Z", + "ingested": "2021-09-18T20:35:50.122794709Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", @@ -5669,6 +5737,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "iana_number": "6", "transport": "tcp" }, @@ -5706,7 +5775,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750099200Z", + "ingested": "2021-09-18T20:35:50.122796541Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "code": "305011", "kind": "event", @@ -5747,8 +5816,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -5785,7 +5855,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750101800Z", + "ingested": "2021-09-18T20:35:50.122798371Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5817,14 +5887,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8267, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1454, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -5833,6 +5928,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -5840,20 +5939,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750104400Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122800171Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -5878,6 +5984,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "iana_number": "6", "transport": "tcp" }, @@ -5915,7 +6022,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750107600Z", + "ingested": "2021-09-18T20:35:50.122801955Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "code": "305011", "kind": "event", @@ -5956,8 +6063,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5994,7 +6102,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750110400Z", + "ingested": "2021-09-18T20:35:50.122806434Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", @@ -6026,14 +6134,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8268, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1455, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6042,6 +6175,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6049,20 +6186,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750113800Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122808281Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6073,14 +6217,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8269, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1456, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6089,6 +6258,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6096,20 +6269,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750116900Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122810217Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6120,14 +6300,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8270, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1457, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6136,6 +6341,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6143,20 +6352,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750119900Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122822054Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6167,14 +6383,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8271, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1458, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6183,6 +6424,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6190,20 +6435,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750122500Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122824061Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6214,14 +6466,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8272, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1459, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6230,6 +6507,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6237,20 +6518,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750125200Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122825841Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6261,14 +6549,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8273, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1460, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6277,6 +6590,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -6284,20 +6601,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750127700Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122827598Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6322,9 +6646,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", + "transport": "tcp", "bytes": 575, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -6362,7 +6687,7 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750130200Z", + "ingested": "2021-09-18T20:35:50.122829392Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", @@ -6407,9 +6732,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", + "transport": "tcp", "bytes": 5391, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -6447,7 +6773,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.750132800Z", + "ingested": "2021-09-18T20:35:50.122831170Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", @@ -6492,6 +6818,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "iana_number": "6", "transport": "tcp" }, @@ -6529,7 +6856,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750135500Z", + "ingested": "2021-09-18T20:35:50.122832940Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "code": "305011", "kind": "event", @@ -6570,8 +6897,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -6608,7 +6936,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750138100Z", + "ingested": "2021-09-18T20:35:50.122834695Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", @@ -6654,6 +6982,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, 
@@ -6691,7 +7020,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750140900Z", + "ingested": "2021-09-18T20:35:50.122836448Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6735,6 +7064,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6772,7 +7102,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750143400Z", + "ingested": "2021-09-18T20:35:50.122838206Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6816,6 +7146,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6853,7 +7184,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750146Z", + "ingested": "2021-09-18T20:35:50.122840022Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6897,6 +7228,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6934,7 +7266,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750148500Z", + "ingested": "2021-09-18T20:35:50.122841981Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -6978,6 +7310,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7015,7 +7348,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750151300Z", + "ingested": "2021-09-18T20:35:50.122843739Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7059,6 +7392,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7096,7 +7430,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750154Z", + "ingested": "2021-09-18T20:35:50.122845527Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7140,6 +7474,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7177,7 +7512,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750157Z", + "ingested": "2021-09-18T20:35:50.122847284Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7221,6 +7556,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, 
@@ -7258,7 +7594,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750159700Z", + "ingested": "2021-09-18T20:35:50.122849045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7302,6 +7638,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7339,7 +7676,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750162300Z", + "ingested": "2021-09-18T20:35:50.122850836Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7383,6 +7720,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7420,7 +7758,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750164900Z", + "ingested": "2021-09-18T20:35:50.122852622Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7464,6 +7802,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7501,7 +7840,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750167600Z", + "ingested": "2021-09-18T20:35:50.122854377Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7545,6 +7884,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7582,7 +7922,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750171200Z", + "ingested": "2021-09-18T20:35:50.122856143Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7626,6 +7966,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7663,7 +8004,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750174Z", + "ingested": "2021-09-18T20:35:50.122857895Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7707,6 +8048,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "iana_number": "6", "transport": "tcp" }, @@ -7744,7 +8086,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750176500Z", + "ingested": "2021-09-18T20:35:50.122859686Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "code": "305011", "kind": "event", @@ -7785,8 +8127,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -7823,7 +8166,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750179100Z", + "ingested": "2021-09-18T20:35:50.122861452Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", @@ -7869,6 +8212,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "iana_number": "17", "transport": "udp" }, @@ -7906,7 +8250,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750182Z", + "ingested": "2021-09-18T20:35:50.122863249Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "code": "305011", "kind": "event", @@ -7947,8 +8291,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -7985,7 +8330,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750184900Z", + "ingested": "2021-09-18T20:35:50.122865005Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8031,9 +8376,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", + "transport": "udp", "bytes": 373, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -8070,7 +8416,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750187500Z", + "ingested": "2021-09-18T20:35:50.122866752Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", @@ -8115,8 +8461,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:EbQL+Bkt/0HhFonc51xiLjU2ULs=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -8153,7 +8500,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750190300Z", + "ingested": "2021-09-18T20:35:50.122868503Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8199,9 +8546,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:EbQL+Bkt/0HhFonc51xiLjU2ULs=", + "transport": "udp", "bytes": 207, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -8238,7 +8586,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750192800Z", + "ingested": "2021-09-18T20:35:50.122870318Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", @@ -8283,6 +8631,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BbvA+2xZjkf52lWjSH3HOxxj5hU=", "iana_number": "6", "transport": "tcp" }, 
@@ -8320,7 +8669,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750195500Z", + "ingested": "2021-09-18T20:35:50.122872109Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", "code": "305011", "kind": "event", @@ -8361,8 +8710,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:ShbrimWtNV85eRupsVdhYYGjinM=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -8399,7 +8749,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750198Z", + "ingested": "2021-09-18T20:35:50.122873906Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", @@ -8445,6 +8795,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:xM9jRCoCKsQva+HDcJ8nktupQ/U=", "iana_number": "6", "transport": "tcp" }, @@ -8482,7 +8833,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750200700Z", + "ingested": "2021-09-18T20:35:50.122875670Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", "code": "305011", "kind": "event", @@ -8523,8 +8874,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:IcCOLZpFflYj07ZKALUHqkud7Og=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -8561,7 +8913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750203500Z", + "ingested": "2021-09-18T20:35:50.122877438Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", @@ -8607,9 +8959,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ShbrimWtNV85eRupsVdhYYGjinM=", + "transport": "tcp", "bytes": 12853, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -8647,7 +9000,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750206400Z", + "ingested": "2021-09-18T20:35:50.122879202Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", @@ -8692,6 +9045,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1P8Fbc8oTceSX9f9YAusY6Mfscc=", "iana_number": "6", "transport": "tcp" }, @@ -8729,7 +9083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750210100Z", + "ingested": "2021-09-18T20:35:50.122881012Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", "code": "305011", "kind": "event", @@ -8770,8 +9124,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:dhiHohHbIs5hJvTmSlxicfumIG8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -8808,7 +9163,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750213100Z", + "ingested": "2021-09-18T20:35:50.122882832Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", @@ -8854,9 +9209,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:IcCOLZpFflYj07ZKALUHqkud7Og=", + "transport": "tcp", "bytes": 5291, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -8894,7 +9250,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750216100Z", + "ingested": "2021-09-18T20:35:50.122884858Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", @@ -8939,6 +9295,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:R/Bwq8x4Nfwk474w7odsVLA+w60=", "iana_number": "6", "transport": "tcp" }, @@ -8976,7 +9333,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750219Z", + "ingested": "2021-09-18T20:35:50.122886638Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", "code": "305011", "kind": "event", @@ -9017,8 +9374,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:a8PBN9kFi4P46nWxmgh0bVLBFiI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -9055,7 +9413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750221600Z", + "ingested": "2021-09-18T20:35:50.122888403Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", @@ -9101,9 +9459,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dhiHohHbIs5hJvTmSlxicfumIG8=", + "transport": "tcp", "bytes": 965, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -9141,7 +9500,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750224400Z", + "ingested": "2021-09-18T20:35:50.122890202Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", @@ -9186,9 +9545,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:a8PBN9kFi4P46nWxmgh0bVLBFiI=", + "transport": "tcp", "bytes": 8605, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -9226,7 +9586,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750227300Z", + "ingested": "2021-09-18T20:35:50.122891951Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", @@ -9271,6 +9631,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:dTHfo+z9KqY8Iv5a+ZiicBoktu4=", "iana_number": "6", "transport": "tcp" }, 
@@ -9308,7 +9669,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750230Z", + "ingested": "2021-09-18T20:35:50.122893719Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", "code": "305011", "kind": "event", @@ -9349,8 +9710,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:Zq6+JMxLF2IW+AMDtt69/DrxaV4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9387,7 +9749,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750232700Z", + "ingested": "2021-09-18T20:35:50.122895469Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", @@ -9433,9 +9795,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Zq6+JMxLF2IW+AMDtt69/DrxaV4=", + "transport": "tcp", "bytes": 3428, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -9473,7 +9836,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750235600Z", + "ingested": "2021-09-18T20:35:50.122897233Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", @@ -9518,6 +9881,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:vzr9XNGDTcZ5SwFWHFUilmbchlo=", "iana_number": "6", "transport": "tcp" }, 
@@ -9555,7 +9919,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750238200Z", + "ingested": "2021-09-18T20:35:50.122899002Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", "code": "305011", "kind": "event", @@ -9596,8 +9960,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:ouKNG9b/He9jGnG4Ff7BJ3eD+hs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9634,7 +9999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750240800Z", + "ingested": "2021-09-18T20:35:50.122900781Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", @@ -9680,6 +10045,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:OitMDe3Ye5KVpROuoY8+v8mfvCA=", "iana_number": "6", "transport": "tcp" }, @@ -9717,7 +10083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750243400Z", + "ingested": "2021-09-18T20:35:50.122902537Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", "code": "305011", "kind": "event", @@ -9758,8 +10124,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:l/JmkwP7ndSnY7mnopAakIfQfKs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -9796,7 +10163,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750246Z", + "ingested": "2021-09-18T20:35:50.122904289Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", @@ -9842,6 +10209,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3ob7O6L1949whjkG5YUJZf0Gwtk=", "iana_number": "6", "transport": "tcp" }, @@ -9879,7 +10247,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750248800Z", + "ingested": "2021-09-18T20:35:50.122906037Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", "code": "305011", "kind": "event", @@ -9920,8 +10288,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:NK/etrnMLqzbSzpHgwOIUFndnDk=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9958,7 +10327,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750251900Z", + "ingested": "2021-09-18T20:35:50.122909562Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", @@ -10004,6 +10373,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:X7DN+XIzlXidhVz1eb1s2EisS8A=", "iana_number": "6", "transport": "tcp" }, 
@@ -10041,7 +10411,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750254500Z", + "ingested": "2021-09-18T20:35:50.122911494Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", "code": "305011", "kind": "event", @@ -10082,8 +10452,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:dO7q6mue24uZzru3hS2431rHoh0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -10120,7 +10491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750257Z", + "ingested": "2021-09-18T20:35:50.122913276Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", @@ -10166,9 +10537,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ouKNG9b/He9jGnG4Ff7BJ3eD+hs=", + "transport": "tcp", "bytes": 2028, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -10206,7 +10578,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750259600Z", + "ingested": "2021-09-18T20:35:50.122915035Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", @@ -10251,9 +10623,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:l/JmkwP7ndSnY7mnopAakIfQfKs=", + "transport": "tcp", "bytes": 1085, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -10291,7 +10664,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750262200Z", + "ingested": "2021-09-18T20:35:50.122916803Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", @@ -10336,9 +10709,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:NK/etrnMLqzbSzpHgwOIUFndnDk=", + "transport": "tcp", "bytes": 868, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -10376,7 +10750,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750264900Z", + "ingested": "2021-09-18T20:35:50.122918562Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", @@ -10421,6 +10795,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:vx/8XNTvkRtAa9BJ9P+Qv+GY6UY=", "iana_number": "6", "transport": "tcp" }, @@ -10458,7 +10833,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750267600Z", + "ingested": "2021-09-18T20:35:50.122920368Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", "code": "305011", "kind": "event", @@ -10499,8 +10874,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:hJUJWF+Gz6w41EJ8ERCngX/5MhE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -10537,7 +10913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750270200Z", + "ingested": "2021-09-18T20:35:50.122922155Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", @@ -10583,6 +10959,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:PvvylMfsR3ILT1QmY5jfmnXsLwM=", "iana_number": "6", "transport": "tcp" }, @@ -10620,7 +10997,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750272800Z", + "ingested": "2021-09-18T20:35:50.122923951Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", "code": "305011", "kind": "event", @@ -10661,8 +11038,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:RE8bib2E1+cVRuVn9Z/id5XckGI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -10699,7 +11077,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750275500Z", + "ingested": "2021-09-18T20:35:50.122925736Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", @@ -10745,9 +11123,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dO7q6mue24uZzru3hS2431rHoh0=", + "transport": "tcp", "bytes": 4439, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -10785,7 +11164,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750278Z", + "ingested": "2021-09-18T20:35:50.122927520Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", @@ -10830,6 +11209,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:snPqiF9HMm3IkMvOOBv7JyO0Jr4=", "iana_number": "6", "transport": "tcp" }, @@ -10867,7 +11247,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750280900Z", + "ingested": "2021-09-18T20:35:50.122929302Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", "code": "305011", "kind": "event", @@ -10908,8 +11288,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:V7thSrtXW0EdnGYslsAxp4MBQJg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -10946,7 +11327,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750283900Z", + "ingested": "2021-09-18T20:35:50.122931124Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", @@ -10992,9 +11373,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:hJUJWF+Gz6w41EJ8ERCngX/5MhE=", + "transport": "tcp", "bytes": 914, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -11032,7 +11414,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750286500Z", + "ingested": "2021-09-18T20:35:50.122932956Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", @@ -11077,9 +11459,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:RE8bib2E1+cVRuVn9Z/id5XckGI=", + "transport": "tcp", "bytes": 871, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11117,7 +11500,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750289100Z", + "ingested": "2021-09-18T20:35:50.122934721Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", @@ -11162,8 +11545,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Y27uWNe6ijdkBpClrtKDp5L3mSo=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -11200,7 +11584,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750291600Z", + "ingested": "2021-09-18T20:35:50.122936515Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11246,6 +11630,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IJVR+iN4aneACrehGe0SX+IkbqM=", "iana_number": "6", "transport": "tcp" }, 
@@ -11283,7 +11668,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750295100Z", + "ingested": "2021-09-18T20:35:50.122938291Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", "code": "305011", "kind": "event", @@ -11324,8 +11709,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:d30dOVDkWdEFkiVN1wosi1HxOGE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -11362,7 +11748,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750297800Z", + "ingested": "2021-09-18T20:35:50.122940076Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", @@ -11408,9 +11794,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Y27uWNe6ijdkBpClrtKDp5L3mSo=", + "transport": "udp", "bytes": 384, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -11447,7 +11834,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750300500Z", + "ingested": "2021-09-18T20:35:50.122941892Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", @@ -11492,8 +11879,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:9ljUyVL3OcVqZNj7cZTlE7kaFTQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -11530,7 +11918,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750303100Z", + "ingested": "2021-09-18T20:35:50.122943694Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11576,9 +11964,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:9ljUyVL3OcVqZNj7cZTlE7kaFTQ=", + "transport": "udp", "bytes": 94, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -11615,7 +12004,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750305700Z", + "ingested": "2021-09-18T20:35:50.122945452Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", @@ -11660,6 +12049,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:qEan4RAn/LAvHNZD4hESC4XExTA=", "iana_number": "6", "transport": "tcp" }, @@ -11697,7 +12087,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750308300Z", + "ingested": "2021-09-18T20:35:50.122947241Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", "code": "305011", "kind": "event", @@ -11738,8 +12128,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:B2CFl0/wZgvMfeeRh4a7fZovd5s=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -11776,7 +12167,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750310900Z", + "ingested": "2021-09-18T20:35:50.122949018Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", @@ -11822,9 +12213,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:d30dOVDkWdEFkiVN1wosi1HxOGE=", + "transport": "tcp", "bytes": 945, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11862,7 +12254,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750313500Z", + "ingested": "2021-09-18T20:35:50.122950835Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", @@ -11907,9 +12299,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:V7thSrtXW0EdnGYslsAxp4MBQJg=", + "transport": "tcp", "bytes": 13284, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11947,7 +12340,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:05:54.750316100Z", + "ingested": "2021-09-18T20:35:50.122952635Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", @@ -11992,8 +12385,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -12030,7 +12424,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750318700Z", + "ingested": "2021-09-18T20:35:50.122954430Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12076,9 +12470,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12115,7 +12510,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750321200Z", + "ingested": "2021-09-18T20:35:50.122956172Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -12160,6 +12555,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:miSmRY+o7dxaXJr2hVCFhUH28VM=", "iana_number": "6", "transport": "tcp" }, @@ -12197,7 +12593,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750323900Z", + "ingested": "2021-09-18T20:35:50.122957931Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", "code": "305011", "kind": "event", @@ -12238,8 +12634,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:zUM1j3IV4jNNZes8sQBR38IRlXw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -12276,7 +12673,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750326800Z", + "ingested": "2021-09-18T20:35:50.122959688Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", @@ -12322,9 +12719,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q3UpJGev3vN/CT0Tp2lUAhmZGkc=", + "transport": "udp", "bytes": 58512, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12361,7 +12759,7 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-09-07T09:05:54.750329400Z", + "ingested": "2021-09-18T20:35:50.122961497Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", @@ -12392,14 +12790,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8276, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1272, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Ulz/6OM46zsGEO5vIRQnPFfblng=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -12408,6 +12831,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -12415,20 +12842,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750332Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.122963297Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -12453,8 +12887,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12491,7 +12926,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750334700Z", + "ingested": "2021-09-18T20:35:50.122965078Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12537,8 +12972,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:0AdR6iUA7g0yOtTw8GJifVbDbLc=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12575,7 +13011,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750337400Z", + "ingested": "2021-09-18T20:35:50.122966866Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -12621,9 +13057,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", + "transport": "udp", "bytes": 168, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12660,7 +13097,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750340100Z", + "ingested": "2021-09-18T20:35:50.122968644Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", @@ -12705,8 +13142,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12743,7 +13181,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750349900Z", + "ingested": "2021-09-18T20:35:50.122970404Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12789,9 +13227,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:0AdR6iUA7g0yOtTw8GJifVbDbLc=", + "transport": "udp", "bytes": 198, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12828,7 +13267,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750353500Z", + "ingested": "2021-09-18T20:35:50.122972181Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", 
@@ -12873,9 +13312,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", + "transport": "udp", "bytes": 150, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12912,7 +13352,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750357400Z", + "ingested": "2021-09-18T20:35:50.122973974Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12957,8 +13397,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:MiKGjdwNGujmPujUEipQ43gH6Rk=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12995,7 +13436,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750360800Z", + "ingested": "2021-09-18T20:35:50.122975730Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13041,9 +13482,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:MiKGjdwNGujmPujUEipQ43gH6Rk=", + "transport": "udp", "bytes": 84, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -13080,7 +13522,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750363700Z", + "ingested": "2021-09-18T20:35:50.122977494Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", 
@@ -13125,6 +13567,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:SSBQU7HmeVqvpDuKNAepH+5AL0U=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -13162,7 +13605,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750366300Z",
+ "ingested": "2021-09-18T20:35:50.122979268Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295",
 "code": "305011",
 "kind": "event",
@@ -13203,8 +13646,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:L794NT6MeGlmEABWZmdTukJ9bwE=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -13241,7 +13685,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750369100Z",
+ "ingested": "2021-09-18T20:35:50.122981060Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)",
 "code": "302013",
 "kind": "event",
@@ -13287,8 +13731,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "17",
+ "community_id": "1:I/WhIF69cR6CjWHtGvBwQ8wA7dc=",
 "transport": "udp",
+ "iana_number": "17",
 "direction": "outbound"
 },
 "observer": {
@@ -13325,7 +13770,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750372Z",
+ "ingested": "2021-09-18T20:35:50.122983024Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -13371,9 +13816,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:I/WhIF69cR6CjWHtGvBwQ8wA7dc=",
+ "transport": "udp",
 "bytes": 188,
- "iana_number": "17",
- "transport": "udp"
+ "iana_number": "17"
 },
 "observer": {
 "ingress": {
@@ -13410,7 +13856,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-09-07T09:05:54.750374800Z",
+ "ingested": "2021-09-18T20:35:50.122984833Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188",
 "code": "302016",
 "kind": "event",
@@ -13455,6 +13901,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:KfzWFNRqq9u0mJhUbFRoAK3rx/k=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -13492,7 +13939,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750377400Z",
+ "ingested": "2021-09-18T20:35:50.122986642Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296",
 "code": "305011",
 "kind": "event",
@@ -13533,8 +13980,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:DcC5/17iIun7QBeY94629ae/KBw=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -13571,7 +14019,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750380500Z",
+ "ingested": "2021-09-18T20:35:50.122988453Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)",
 "code": "302013",
 "kind": "event",
@@ -13617,6 +14065,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:0SUyruuy0Jt8r3FaPGxgEY+ck8A=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -13654,7 +14103,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750383300Z",
+ "ingested": "2021-09-18T20:35:50.122990292Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297",
 "code": "305011",
 "kind": "event",
@@ -13695,8 +14144,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:EMeyPYKr7J0nFwuPUzcxIwiT+xQ=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -13733,7 +14183,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750386200Z",
+ "ingested": "2021-09-18T20:35:50.122992096Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)",
 "code": "302013",
 "kind": "event",
@@ -13779,6 +14229,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:/jz6rtmBvEznkhogEIbZ5XVyytQ=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -13816,7 +14267,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750388900Z",
+ "ingested": "2021-09-18T20:35:50.122993888Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298",
 "code": "305011",
 "kind": "event",
@@ -13857,8 +14308,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:G3hWvTFI9YnDxZs6Y5IKRIjGJdw=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -13895,7 +14347,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750392100Z",
+ "ingested": "2021-09-18T20:35:50.122995687Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)",
 "code": "302013",
 "kind": "event",
@@ -13941,9 +14393,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:EMeyPYKr7J0nFwuPUzcxIwiT+xQ=",
+ "transport": "tcp",
 "bytes": 5964,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -13981,7 +14434,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750394900Z",
+ "ingested": "2021-09-18T20:35:50.122997485Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -14026,6 +14479,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:8y908lK8AtbbGgqNYGPzMYt3uvA=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -14063,7 +14517,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750397900Z",
+ "ingested": "2021-09-18T20:35:50.122999278Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299",
 "code": "305011",
 "kind": "event",
@@ -14104,8 +14558,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:F34mtxFMjq0ykJqTY+0F+lQUtPs=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -14142,7 +14597,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750400600Z",
+ "ingested": "2021-09-18T20:35:50.123001124Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)",
 "code": "302013",
 "kind": "event",
@@ -14188,6 +14643,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:PIsj3i/QWG3uUMx3MBj0UfQp+Jc=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -14225,7 +14681,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750403600Z",
+ "ingested": "2021-09-18T20:35:50.123002945Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300",
 "code": "305011",
 "kind": "event",
@@ -14266,8 +14722,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:SgjaVFOg9vJS9wFSSV7j4l72q5Q=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -14304,7 +14761,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750406400Z",
+ "ingested": "2021-09-18T20:35:50.123004744Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)",
 "code": "302013",
 "kind": "event",
@@ -14350,9 +14807,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:G3hWvTFI9YnDxZs6Y5IKRIjGJdw=",
+ "transport": "tcp",
 "bytes": 6694,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -14390,7 +14848,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750409200Z",
+ "ingested": "2021-09-18T20:35:50.123006553Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -14435,9 +14893,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:F34mtxFMjq0ykJqTY+0F+lQUtPs=",
+ "transport": "tcp",
 "bytes": 1493,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -14475,7 +14934,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750412200Z",
+ "ingested": "2021-09-18T20:35:50.123008352Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -14520,9 +14979,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:SgjaVFOg9vJS9wFSSV7j4l72q5Q=",
+ "transport": "tcp",
 "bytes": 893,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -14560,7 +15020,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750415400Z",
+ "ingested": "2021-09-18T20:35:50.123010173Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -14605,6 +15065,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:GN5li6LWaG3khjTFgtdHB3UkTbM=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -14642,7 +15103,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750418300Z",
+ "ingested": "2021-09-18T20:35:50.123011990Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301",
 "code": "305011",
 "kind": "event",
@@ -14683,8 +15144,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:m/F+TF2SIc5ApzH8bR4cZIinTTM=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -14721,7 +15183,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750421Z",
+ "ingested": "2021-09-18T20:35:50.123013786Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)",
 "code": "302013",
 "kind": "event",
@@ -14767,6 +15229,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:gpdLtgDvmxE4N3mmU6xhesKbPpA=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -14804,7 +15267,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750423700Z",
+ "ingested": "2021-09-18T20:35:50.123015591Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302",
 "code": "305011",
 "kind": "event",
@@ -14845,8 +15308,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:RL/wWVk4H/YsU2UX/pQ/jdLmM2Q=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -14883,7 +15347,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750426600Z",
+ "ingested": "2021-09-18T20:35:50.123017387Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)",
 "code": "302013",
 "kind": "event",
@@ -14929,8 +15393,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "17",
+ "community_id": "1:d9hGyB6jUJQltb99tzdBar8fxnA=",
 "transport": "udp",
+ "iana_number": "17",
 "direction": "outbound"
 },
 "observer": {
@@ -14967,7 +15432,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750429700Z",
+ "ingested": "2021-09-18T20:35:50.123019202Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "code": "302015",
 "kind": "event",
@@ -15013,9 +15478,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:d9hGyB6jUJQltb99tzdBar8fxnA=",
+ "transport": "udp",
 "bytes": 150,
- "iana_number": "17",
- "transport": "udp"
+ "iana_number": "17"
 },
 "observer": {
 "ingress": {
@@ -15052,7 +15518,7 @@
 "event": {
 "severity": 6,
 "duration": 0,
- "ingested": "2021-09-07T09:05:54.750432600Z",
+ "ingested": "2021-09-18T20:35:50.123021025Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150",
 "code": "302016",
 "kind": "event",
@@ -15097,9 +15563,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:m/F+TF2SIc5ApzH8bR4cZIinTTM=",
+ "transport": "tcp",
 "bytes": 2750,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -15137,7 +15604,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750435400Z",
+ "ingested": "2021-09-18T20:35:50.123022845Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -15182,6 +15649,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:QDldCQP7xh1OW0YCdjigaOkPzwU=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -15219,7 +15687,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750438200Z",
+ "ingested": "2021-09-18T20:35:50.123024636Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303",
 "code": "305011",
 "kind": "event",
@@ -15260,8 +15728,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:vKq2cBUy2TDYTPpvRRbyRzW3oqo=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -15298,7 +15767,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750441Z",
+ "ingested": "2021-09-18T20:35:50.123026443Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)",
 "code": "302013",
 "kind": "event",
@@ -15344,6 +15813,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:80Z72sMi4rJ0D84AE8zo3IcJsy4=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -15381,7 +15851,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750444Z",
+ "ingested": "2021-09-18T20:35:50.123028249Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304",
 "code": "305011",
 "kind": "event",
@@ -15422,8 +15892,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:aGxYBe0aBN662AuZ5JPVPusjRa0=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -15460,7 +15931,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750446700Z",
+ "ingested": "2021-09-18T20:35:50.123030047Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)",
 "code": "302013",
 "kind": "event",
@@ -15506,9 +15977,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:RL/wWVk4H/YsU2UX/pQ/jdLmM2Q=",
+ "transport": "tcp",
 "bytes": 881,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -15546,7 +16018,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750450200Z",
+ "ingested": "2021-09-18T20:35:50.123031863Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -15591,9 +16063,10 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:aGxYBe0aBN662AuZ5JPVPusjRa0=",
+ "transport": "tcp",
 "bytes": 2202,
- "iana_number": "6",
- "transport": "tcp"
+ "iana_number": "6"
 },
 "observer": {
 "ingress": {
@@ -15631,7 +16104,7 @@
 "severity": 6,
 "duration": 0,
 "reason": "TCP FINs",
- "ingested": "2021-09-07T09:05:54.750452900Z",
+ "ingested": "2021-09-18T20:35:50.123033679Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs",
 "code": "302014",
 "kind": "event",
@@ -15676,6 +16149,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:bwNtk4MRIaL/7TQcp3pyVe1E+9Q=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -15713,7 +16187,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750455600Z",
+ "ingested": "2021-09-18T20:35:50.123035500Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305",
 "code": "305011",
 "kind": "event",
@@ -15754,8 +16228,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:3ol8aZxKStrX58/6Vhd4iBAfGaA=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -15792,7 +16267,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750458300Z",
+ "ingested": "2021-09-18T20:35:50.123037323Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)",
 "code": "302013",
 "kind": "event",
@@ -15838,6 +16313,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:SdzjoTs+01P4hVwwWqHxqPHlXJU=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -15875,7 +16351,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750460800Z",
+ "ingested": "2021-09-18T20:35:50.123039131Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306",
 "code": "305011",
 "kind": "event",
@@ -15916,8 +16392,9 @@
 "preserve_original_event"
 ],
 "network": {
- "iana_number": "6",
+ "community_id": "1:/M14EpcIygOSzj0EEPGr4zngIO0=",
 "transport": "tcp",
+ "iana_number": "6",
 "direction": "outbound"
 },
 "observer": {
@@ -15954,7 +16431,7 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750463500Z",
+ "ingested": "2021-09-18T20:35:50.123040951Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)",
 "code": "302013",
 "kind": "event",
@@ -15986,14 +16463,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8280,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1276,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:BbvA+2xZjkf52lWjSH3HOxxj5hU=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16002,6 +16504,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16009,20 +16515,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750466Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123042764Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16033,14 +16546,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8281,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1277,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:xM9jRCoCKsQva+HDcJ8nktupQ/U=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16049,6 +16587,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16056,20 +16598,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750468700Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123044560Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16080,14 +16629,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8282,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1278,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:1P8Fbc8oTceSX9f9YAusY6Mfscc=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16096,6 +16670,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16103,20 +16681,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750472800Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123046354Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16127,14 +16712,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8283,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1279,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:R/Bwq8x4Nfwk474w7odsVLA+w60=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16143,6 +16753,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16150,20 +16764,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750475500Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123048155Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16174,14 +16795,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8284,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1280,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:dTHfo+z9KqY8Iv5a+ZiicBoktu4=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16190,6 +16836,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16197,20 +16847,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750478400Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123049948Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16221,14 +16878,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8285,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1281,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:vzr9XNGDTcZ5SwFWHFUilmbchlo=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16237,6 +16919,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16244,20 +16930,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750481100Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123051760Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16268,14 +16961,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8286,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1282,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:OitMDe3Ye5KVpROuoY8+v8mfvCA=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16284,6 +17002,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16291,20 +17013,27 @@
 },
 "event": {
 "severity": 6,
- "ingested": "2021-09-07T09:05:54.750483800Z",
+ "duration": 30000000000,
+ "ingested": "2021-09-18T20:35:50.123053559Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30",
 "code": "305012",
 "kind": "event",
- "action": "firewall-rule",
+ "start": "2018-10-10T12:34:26.000Z",
+ "action": "flow-expiration",
+ "end": "2018-10-10T12:34:56.000Z",
 "category": [
 "network"
 ],
 "type": [
- "info"
+ "connection",
+ "end"
 ]
 },
 "cisco": {
- "asa": {}
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
 }
 },
 {
@@ -16315,14 +17044,39 @@
 "log": {
 "level": "informational"
 },
+ "destination": {
+ "port": 8287,
+ "address": "100.66.98.44",
+ "ip": "100.66.98.44"
+ },
+ "source": {
+ "port": 1283,
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44"
+ },
 "tags": [
 "preserve_original_event"
 ],
+ "network": {
+ "community_id": "1:3ob7O6L1949whjkG5YUJZf0Gwtk=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
 "observer": {
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
 "hostname": "localhost",
 "product": "asa",
 "type": "firewall",
- "vendor": "Cisco"
+ "vendor": "Cisco",
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ }
 },
 "@timestamp": "2018-10-10T12:34:56.000Z",
 "ecs": {
@@ -16331,6 +17085,10 @@
 "related": {
 "hosts": [
 "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "100.66.98.44"
 ]
 },
 "host": {
@@ -16338,20 +17096,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750486500Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123055361Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16362,14 +17127,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8288, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1284, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:X7DN+XIzlXidhVz1eb1s2EisS8A=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16378,6 +17168,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16385,20 +17179,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750490Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123057255Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16409,14 +17210,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8289, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1285, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:vx/8XNTvkRtAa9BJ9P+Qv+GY6UY=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16425,6 +17251,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16432,20 +17262,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750492800Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123059053Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16456,14 +17293,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8290, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1286, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:PvvylMfsR3ILT1QmY5jfmnXsLwM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16472,6 +17334,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16479,20 +17345,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750495600Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123060844Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16503,14 +17376,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8291, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1287, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:snPqiF9HMm3IkMvOOBv7JyO0Jr4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16519,6 +17417,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16526,20 +17428,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750498400Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123062657Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16550,14 +17459,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8292, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1288, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:IJVR+iN4aneACrehGe0SX+IkbqM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16566,6 +17500,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16573,20 +17511,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750502100Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123064485Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16597,14 +17542,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8297, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1293, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:0SUyruuy0Jt8r3FaPGxgEY+ck8A=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16613,6 +17583,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16620,20 +17594,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750505Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123066287Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16644,14 +17625,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8298, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1294, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:/jz6rtmBvEznkhogEIbZ5XVyytQ=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16660,6 +17666,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16667,20 +17677,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750507700Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123068083Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16705,6 +17722,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:5OaRHwdkLmcpG/32Rp6ATfcmjbc=", "iana_number": "6", "transport": "tcp" }, @@ -16742,7 +17760,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750510200Z", + "ingested": "2021-09-18T20:35:50.123069880Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", "code": "305011", "kind": "event", @@ -16783,8 +17801,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:Ybu05t/qKFuEcYUe+Tmo/iA+8DU=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -16821,7 +17840,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750512900Z", + "ingested": "2021-09-18T20:35:50.123071671Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", 
@@ -16853,14 +17872,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8299, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1295, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:8y908lK8AtbbGgqNYGPzMYt3uvA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16869,6 +17913,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16876,20 +17924,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750515500Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123073494Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16900,14 +17955,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8300, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1296, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:PIsj3i/QWG3uUMx3MBj0UfQp+Jc=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16916,6 +17996,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16923,20 +18007,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750518500Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123075294Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16961,8 +18052,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:x0GkFv0YJz9FLMS2/u4yURhmsuM=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -16999,7 +18091,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750521100Z", + "ingested": "2021-09-18T20:35:50.123077092Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17045,8 +18137,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:NxEUi4VKij1T83hc4lINpweLp3c=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -17083,7 +18176,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750523800Z", + "ingested": "2021-09-18T20:35:50.123078894Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17129,9 +18222,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:x0GkFv0YJz9FLMS2/u4yURhmsuM=", + "transport": "udp", "bytes": 318, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -17168,7 +18262,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750526400Z", + "ingested": "2021-09-18T20:35:50.123080693Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17213,9 +18307,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:NxEUi4VKij1T83hc4lINpweLp3c=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -17252,7 +18347,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T09:05:54.750529100Z", + "ingested": "2021-09-18T20:35:50.123082502Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17297,6 +18392,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:D0OYP16cA27dQ9uGzz5mXOiu9Nw=", "iana_number": "6", "transport": "tcp" }, @@ -17334,7 +18430,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750531800Z", + "ingested": "2021-09-18T20:35:50.123084310Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", "code": "305011", "kind": "event", @@ -17375,8 +18471,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:W3BHxRRrJKuwQxd5cBkCxKbGjA0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -17413,7 +18510,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750534500Z", + "ingested": "2021-09-18T20:35:50.123086101Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", 
@@ -17445,14 +18542,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8301, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1297, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:GN5li6LWaG3khjTFgtdHB3UkTbM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17461,6 +18583,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17468,20 +18594,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750537700Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123087907Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17492,14 +18625,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8302, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1298, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:gpdLtgDvmxE4N3mmU6xhesKbPpA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17508,6 +18666,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17515,20 +18677,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750540300Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123089707Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17539,14 +18708,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8303, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1299, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:QDldCQP7xh1OW0YCdjigaOkPzwU=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17555,6 +18749,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17562,20 +18760,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750543Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123091507Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17586,14 +18791,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8304, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1300, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:80Z72sMi4rJ0D84AE8zo3IcJsy4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17602,6 +18832,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17609,20 +18843,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750545800Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123093336Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17633,14 +18874,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8305, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1301, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:bwNtk4MRIaL/7TQcp3pyVe1E+9Q=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17649,6 +18915,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17656,20 +18926,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750548800Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123095140Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17680,14 +18957,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8306, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1302, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:SdzjoTs+01P4hVwwWqHxqPHlXJU=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17696,6 +18998,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17703,20 +19009,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750551500Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123096928Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -17727,14 +19040,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8307, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1303, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:SdB8LQRxB6rH0p1mpfjSLAmoGTg=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17743,6 +19081,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -17750,20 +19092,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750554100Z", + "duration": 30000000000, + "ingested": "2021-09-18T20:35:50.123098725Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "asa": {} + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17788,9 +19137,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:W3BHxRRrJKuwQxd5cBkCxKbGjA0=", + "transport": "tcp", "bytes": 410333, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -17828,7 +19178,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T09:05:54.750556700Z", + "ingested": "2021-09-18T20:35:50.123100528Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17873,6 +19223,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -17910,7 +19261,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750559500Z", + "ingested": "2021-09-18T20:35:50.123102325Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -17954,6 +19305,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -17991,7 +19343,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750562100Z", + "ingested": "2021-09-18T20:35:50.123104147Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18035,6 +19387,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -18072,7 +19425,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750564700Z", + "ingested": "2021-09-18T20:35:50.123105946Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18116,6 +19469,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IkABRnyuIWkRyTo0UDxF7eylXGI=", "iana_number": "6", "transport": "tcp" }, @@ -18153,7 +19507,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750567400Z", + "ingested": "2021-09-18T20:35:50.123107747Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", "code": "305011", "kind": "event", @@ -18194,8 +19548,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mxbJgNaP3oErmJ/hBW5f/BmgMmI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -18232,7 +19587,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:05:54.750570Z", + "ingested": "2021-09-18T20:35:50.123109541Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18278,6 +19633,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -18315,7 +19671,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750572700Z", + "ingested": "2021-09-18T20:35:50.123111335Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18359,6 +19715,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18396,7 +19753,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750575300Z", + "ingested": "2021-09-18T20:35:50.123113155Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18440,6 +19797,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18477,7 +19835,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750578Z", + "ingested": "2021-09-18T20:35:50.123114974Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18521,6 +19879,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18558,7 +19917,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750580600Z", + "ingested": "2021-09-18T20:35:50.123116767Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18602,6 +19961,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18639,7 +19999,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750583300Z", + "ingested": "2021-09-18T20:35:50.123118566Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18683,6 +20043,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18720,7 +20081,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750585900Z", + "ingested": "2021-09-18T20:35:50.123120374Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18764,6 +20125,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18801,7 +20163,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750588500Z", + "ingested": "2021-09-18T20:35:50.123122171Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18845,6 +20207,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -18882,7 +20245,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750591200Z", + "ingested": "2021-09-18T20:35:50.123123957Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18926,6 +20289,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18963,7 +20327,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750594300Z", + "ingested": "2021-09-18T20:35:50.123125765Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19007,6 +20371,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19044,7 +20409,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750597Z", + "ingested": "2021-09-18T20:35:50.123127545Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19088,6 +20453,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19125,7 +20491,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750599900Z", + "ingested": "2021-09-18T20:35:50.123129607Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19169,6 +20535,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19206,7 +20573,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750602500Z", + "ingested": "2021-09-18T20:35:50.123131472Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19250,6 +20617,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19287,7 +20655,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750605200Z", + "ingested": "2021-09-18T20:35:50.123133254Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19331,6 +20699,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19368,7 +20737,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750607900Z", + "ingested": "2021-09-18T20:35:50.123135049Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19412,6 +20781,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -19449,7 +20819,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750610400Z", + "ingested": "2021-09-18T20:35:50.123136820Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19493,6 +20863,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19530,7 +20901,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750613Z", + "ingested": "2021-09-18T20:35:50.123138589Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19574,6 +20945,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19611,7 +20983,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750615700Z", + "ingested": "2021-09-18T20:35:50.123140359Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19655,6 +21027,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19692,7 +21065,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750618300Z", + "ingested": "2021-09-18T20:35:50.123142162Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19736,6 +21109,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19773,7 +21147,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750620900Z", + "ingested": "2021-09-18T20:35:50.123143964Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19817,6 +21191,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19854,7 +21229,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750623500Z", + "ingested": "2021-09-18T20:35:50.123145751Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19898,6 +21273,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19935,7 +21311,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750626400Z", + "ingested": "2021-09-18T20:35:50.123147569Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19979,6 +21355,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -20016,7 +21393,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750629Z", + "ingested": "2021-09-18T20:35:50.123149382Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20060,6 +21437,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20097,7 +21475,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750631700Z", + "ingested": "2021-09-18T20:35:50.123151167Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20141,6 +21519,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20178,7 +21557,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750634300Z", + "ingested": "2021-09-18T20:35:50.123152990Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20222,6 +21601,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20259,7 +21639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750636900Z", + "ingested": "2021-09-18T20:35:50.123154784Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20303,6 +21683,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20340,7 +21721,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750639600Z", + "ingested": "2021-09-18T20:35:50.123156590Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20384,6 +21765,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20421,7 +21803,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750642200Z", + "ingested": "2021-09-18T20:35:50.123158399Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20465,6 +21847,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20502,7 +21885,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750644700Z", + "ingested": "2021-09-18T20:35:50.123160189Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20546,6 +21929,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -20583,7 +21967,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750647400Z", + "ingested": "2021-09-18T20:35:50.123161988Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20627,6 +22011,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20664,7 +22049,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750649900Z", + "ingested": "2021-09-18T20:35:50.123163796Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20708,6 +22093,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20745,7 +22131,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750652600Z", + "ingested": "2021-09-18T20:35:50.123165592Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20789,6 +22175,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20826,7 +22213,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750655200Z", + "ingested": "2021-09-18T20:35:50.123167379Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20870,6 +22257,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20907,7 +22295,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:05:54.750657800Z", + "ingested": "2021-09-18T20:35:50.123169166Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json index 875e2f79c65..5676cca02ed 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-dap-records.log-expected.json @@ -39,7 +39,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:16.855895800Z", + "ingested": "2021-09-18T20:37:54.949423560Z", "original": "Feb 20 2020 16:11:11: %ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "code": "734001", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index 9345931ad27..5c34632af26 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json 
@@ -31,7 +31,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T09:06:16.962898800Z", + "ingested": "2021-09-18T20:37:55.413350846Z", "original": "Jan 1 01:00:27 beats asa[1234]: %ASA-7-999999: This message is not filtered.", "code": "999999", "kind": "event", @@ -72,7 +72,7 @@ }, "event": { "severity": 8, - "ingested": "2021-09-07T09:06:16.962906400Z", + "ingested": "2021-09-18T20:37:55.413363265Z", "original": "Jan 1 01:00:30 beats asa[1234]: %ASA-8-999999: This phony message is dropped due to log level.", "code": "999999", "kind": "event", @@ -113,8 +113,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:bEmZObpc4rxeHLkGwSyEBNS+Sxg=", "transport": "tcp", + "iana_number": "6", "direction": "inbound" }, "observer": { @@ -146,7 +147,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:16.962908500Z", + "ingested": "2021-09-18T20:37:55.413366141Z", "original": "Jan 1 01:02:12 beats asa[1234]: %ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "code": "106001", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json index f0b5fe4ed3e..537fcc50bb4 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-hostnames.log-expected.json @@ -45,7 +45,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.178113300Z", + "ingested": "2021-09-18T20:37:56.471963733Z", "original": "Oct 10 2019 10:21:36 localhost: %ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "code": "302021", "kind": "event", 
@@ -80,6 +80,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TIG5OyXflKDSW/Fgd/O5r5A7Zk4=", "iana_number": "1", "transport": "icmp" }, @@ -107,7 +108,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.178121100Z", + "ingested": "2021-09-18T20:37:56.471968742Z", "original": "Jun 04 2011 21:59:52 MYHOSTNAME : %ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", "code": "302021", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index a90922bfa47..2f50f2a8759 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -55,7 +55,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.331620300Z", + "ingested": "2021-09-18T20:37:57.153107765Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -93,6 +93,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "iana_number": "1", "transport": "icmp" }, @@ -120,7 +121,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.331627700Z", + "ingested": "2021-09-18T20:37:57.153112782Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -164,6 +165,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "iana_number": "6", "transport": "tcp" }, 
@@ -202,7 +204,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.331629800Z", + "ingested": "2021-09-18T20:37:57.153114834Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log index 73ea89341b0..6945440aa1d 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log 
@@ -70,3 +70,18 @@ Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
 Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)
+Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00
+Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 
(fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05
+Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001)
+Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= john.smith) has been deleted.
\ No newline at end of file
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index b04ba4e7ab7..428fc94b4f3 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -18,6 +18,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "iana_number": "6", "transport": "tcp" }, 
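Review bot: The added sample lines in test-sample.log embed what appears to be a real organisation's mailbox, `soc@danskecommodities.com`, together with routable addresses outside the RFC 5737 documentation ranges (`85.0.0.1`, `62.0.0.1`, `81.0.0.1`, `12.12.12.12`) and a third-party hostname (`testingserver.com`), and all of these ship in the published package and its expected JSON. The earlier lines of this file already use `example.com`/`example.net` and 192.0.2.0/24, so I'd bring the additions in line with that, e.g. `(soc@example.com)` and 192.0.2.x / 198.51.100.x / 203.0.113.x addresses, and regenerate test-sample.log-expected.json afterwards. The `\ No newline at end of file` marker also shows the fixture now ends without a trailing newline; adding one avoids the next appended sample being glued onto the 602304 line.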
@@ -48,7 +49,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593710400Z", + "ingested": "2021-09-18T20:37:58.479574510Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -88,6 +89,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "iana_number": "6", "transport": "tcp" }, @@ -118,7 +120,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593718500Z", + "ingested": "2021-09-18T20:37:58.479579532Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -158,6 +160,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "iana_number": "6", "transport": "tcp" }, @@ -188,7 +191,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593721700Z", + "ingested": "2021-09-18T20:37:58.479581663Z", "original": "Apr 15 2014 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -229,6 +232,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "iana_number": "17", "transport": "udp" }, @@ -266,7 +270,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593723700Z", + "ingested": "2021-09-18T20:37:58.479583739Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", 
@@ -306,6 +310,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "iana_number": "17", "transport": "udp" }, @@ -343,7 +348,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593725400Z", + "ingested": "2021-09-18T20:37:58.479585775Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -383,6 +388,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "iana_number": "6", "transport": "tcp" }, @@ -413,7 +419,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593727100Z", + "ingested": "2021-09-18T20:37:58.479587735Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "code": "305011", "kind": "event", @@ -453,8 +459,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -484,7 +491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593728800Z", + "ingested": "2021-09-18T20:37:58.479589722Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", @@ -526,6 +533,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "iana_number": "17", "transport": "udp" }, 
@@ -556,7 +564,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593730500Z", + "ingested": "2021-09-18T20:37:58.479591686Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "code": "305011", "kind": "event", @@ -599,8 +607,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -631,7 +640,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593733Z", + "ingested": "2021-09-18T20:37:58.479593673Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", @@ -673,6 +682,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "iana_number": "6", "transport": "tcp" }, @@ -703,7 +713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593734700Z", + "ingested": "2021-09-18T20:37:58.479595677Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "code": "305011", "kind": "event", @@ -744,8 +754,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -776,7 +787,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593738200Z", + "ingested": "2021-09-18T20:37:58.479597694Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", 
@@ -818,9 +829,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", + "transport": "udp", "bytes": 140, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -850,7 +862,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-09-07T09:06:17.593740200Z", + "ingested": "2021-09-18T20:37:58.479600168Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", @@ -878,22 +890,29 @@ "level": "informational" }, "destination": { - "port": 52925, "address": "10.123.1.35", + "port": 52925, + "user": { + "name": "user2" + }, "ip": "10.123.1.35" }, "source": { - "port": 53, "address": "192.0.2.222", + "port": 53, + "user": { + "name": "user1" + }, "ip": "192.0.2.222" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", + "transport": "udp", "bytes": 9999999, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -915,6 +934,10 @@ "version": "1.11.0" }, "related": { + "user": [ + "user2", + "user1" + ], "ip": [ "192.0.2.222", "10.123.1.35" @@ -923,7 +946,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-09-07T09:06:17.593741800Z", + "ingested": "2021-09-18T20:37:58.479602182Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -946,6 +969,9 @@ "source_interface": "outside", "destination_username": "user2" } + }, + "user": { + "name": "user2" } }, { @@ -964,6 +990,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "iana_number": "1", "transport": "icmp" }, 
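Review bot: For the 302016 teardown that carries two users, the top-level `user.name` is set to `"user2"`, which is the destination-side user (`destination.user.name`), while the initiator recorded in `source.user.name` is `"user1"`; detection rules and analyst pivots keyed on `user.name` will therefore attribute this flow to the responder rather than to the party that opened it. If `user.name` is meant to carry the connection's primary subject, the source user is the more conventional choice; if mirroring the destination user is deliberate, a comment in the ingest pipeline and a sentence in the package docs stating that `user.name` follows the destination user for 302016 would stop this from being read as a bug, since `related.user` already lists both. The selection is made in the pipeline rather than in this fixture, so this is a question about intent, not a confirmed defect.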
@@ -991,7 +1018,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593743500Z", + "ingested": "2021-09-18T20:37:58.479604141Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1028,6 +1055,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "iana_number": "6", "transport": "tcp" }, @@ -1058,7 +1086,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593745200Z", + "ingested": "2021-09-18T20:37:58.479606169Z", "original": "Apr 29 2013 12:59:50: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "code": "305011", "kind": "event", @@ -1099,8 +1127,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -1131,7 +1160,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593746900Z", + "ingested": "2021-09-18T20:37:58.479608155Z", "original": "Apr 29 2013 12:59:50: %ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1174,6 +1203,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "transport": "udp", "iana_number": "17", "direction": "inbound" @@ -1195,7 +1225,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593748600Z", + "ingested": "2021-09-18T20:37:58.479610291Z", "original": "Apr 30 2013 09:22:33: %ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -1231,6 +1261,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "iana_number": "6", "transport": "tcp" }, @@ -1261,7 +1292,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593750200Z", + "ingested": "2021-09-18T20:37:58.479612256Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1301,6 +1332,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "iana_number": "6", "transport": "tcp" }, @@ -1331,7 +1363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593751800Z", + "ingested": "2021-09-18T20:37:58.479614204Z", "original": "Apr 30 2013 09:22:38: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1371,6 +1403,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "iana_number": "6", "transport": "tcp" }, @@ -1401,7 +1434,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593753300Z", + "ingested": "2021-09-18T20:37:58.479616145Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1441,6 +1474,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "iana_number": "6", "transport": "tcp" }, 
@@ -1471,7 +1505,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593754900Z", + "ingested": "2021-09-18T20:37:58.479618155Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1511,6 +1545,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "iana_number": "6", "transport": "tcp" }, @@ -1541,7 +1576,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593756600Z", + "ingested": "2021-09-18T20:37:58.479620126Z", "original": "Apr 30 2013 09:22:39: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1581,6 +1616,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "iana_number": "6", "transport": "tcp" }, @@ -1611,7 +1647,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593758300Z", + "ingested": "2021-09-18T20:37:58.479622101Z", "original": "Apr 30 2013 09:22:40: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1651,6 +1687,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "iana_number": "6", "transport": "tcp" }, @@ -1681,7 +1718,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593760Z", + "ingested": "2021-09-18T20:37:58.479624193Z", "original": "Apr 30 2013 09:22:41: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1721,6 +1758,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "iana_number": "6", "transport": "tcp" }, @@ -1751,7 +1789,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593761500Z", + "ingested": "2021-09-18T20:37:58.479626169Z", "original": "Apr 30 2013 09:22:47: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1791,6 +1829,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "iana_number": "6", "transport": "tcp" }, @@ -1821,7 +1860,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593763100Z", + "ingested": "2021-09-18T20:37:58.479628131Z", "original": "Apr 30 2013 09:22:48: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1861,6 +1900,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "iana_number": "6", "transport": "tcp" }, @@ -1891,7 +1931,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593764700Z", + "ingested": "2021-09-18T20:37:58.479630090Z", "original": "Apr 30 2013 09:22:56: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1931,8 +1971,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "transport": "udp", + "iana_number": "17", "direction": "inbound" }, "observer": { 
@@ -1957,7 +1998,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593766300Z", + "ingested": "2021-09-18T20:37:58.479632019Z", "original": "Apr 30 2013 09:23:02: %ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -1996,6 +2037,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "transport": "udp", "iana_number": "17", "direction": "inbound" @@ -2017,7 +2059,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593768400Z", + "ingested": "2021-09-18T20:37:58.479633994Z", "original": "Apr 30 2013 09:23:03: %ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -2053,6 +2095,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "iana_number": "6", "transport": "tcp" }, @@ -2083,7 +2126,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593770Z", + "ingested": "2021-09-18T20:37:58.479635951Z", "original": "Apr 30 2013 09:23:06: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2123,6 +2166,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "iana_number": "6", "transport": "tcp" }, @@ -2153,7 +2197,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593771600Z", + "ingested": "2021-09-18T20:37:58.479637906Z", "original": "Apr 30 2013 09:23:08: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2193,6 +2237,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "iana_number": "6", "transport": "tcp" }, 
@@ -2223,7 +2268,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593773100Z", + "ingested": "2021-09-18T20:37:58.479639878Z", "original": "Apr 30 2013 09:23:15: %ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2263,6 +2308,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "iana_number": "6", "transport": "tcp" }, @@ -2293,7 +2339,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593774700Z", + "ingested": "2021-09-18T20:37:58.479641854Z", "original": "Apr 30 2013 09:23:24: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2333,6 +2379,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "iana_number": "6", "transport": "tcp" }, @@ -2363,7 +2410,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593776300Z", + "ingested": "2021-09-18T20:37:58.479643796Z", "original": "Apr 30 2013 09:23:34: %ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2403,6 +2450,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "iana_number": "6", "transport": "tcp" }, @@ -2433,7 +2481,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593778Z", + "ingested": "2021-09-18T20:37:58.479645825Z", "original": "Apr 30 2013 09:23:40: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", 
@@ -2473,6 +2521,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "iana_number": "6", "transport": "tcp" }, @@ -2503,7 +2552,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593779600Z", + "ingested": "2021-09-18T20:37:58.479647774Z", "original": "Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2543,6 +2592,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "iana_number": "6", "transport": "tcp" }, @@ -2573,7 +2623,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593781200Z", + "ingested": "2021-09-18T20:37:58.479649698Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2613,6 +2663,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "iana_number": "6", "transport": "tcp" }, @@ -2643,7 +2694,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593782900Z", + "ingested": "2021-09-18T20:37:58.479651680Z", "original": "Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2683,6 +2734,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "iana_number": "6", "transport": "tcp" }, 
@@ -2713,7 +2765,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593784500Z", + "ingested": "2021-09-18T20:37:58.479653620Z", "original": "Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2757,8 +2809,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2788,7 +2841,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593786100Z", + "ingested": "2021-09-18T20:37:58.479655605Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2833,6 +2886,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "iana_number": "17", "transport": "udp" }, @@ -2863,7 +2917,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593787700Z", + "ingested": "2021-09-18T20:37:58.479657588Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2906,6 +2960,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "iana_number": "17", "transport": "udp" }, 
@@ -2936,7 +2991,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593789200Z", + "ingested": "2021-09-18T20:37:58.479659556Z", "original": "Dec 11 2018 08:01:24 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -3012,7 +3067,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593790800Z", + "ingested": "2021-09-18T20:37:58.479661490Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3090,7 +3145,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593792400Z", + "ingested": "2021-09-18T20:37:58.479663460Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3135,9 +3190,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", + "transport": "tcp", "bytes": 14804, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3168,7 +3224,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T09:06:17.593794Z", + "ingested": "2021-09-18T20:37:58.479665372Z", "original": "Dec 11 2018 08:01:31 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", 
@@ -3212,9 +3268,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", + "transport": "tcp", "bytes": 134781, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3245,7 +3302,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T09:06:17.593795500Z", + "ingested": "2021-09-18T20:37:58.479667303Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3289,9 +3346,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", + "transport": "tcp", "bytes": 134781, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3322,7 +3380,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T09:06:17.593797100Z", + "ingested": "2021-09-18T20:37:58.479669253Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3366,6 +3424,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "iana_number": "6", "transport": "tcp" }, @@ -3391,7 +3450,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593798700Z", + "ingested": "2021-09-18T20:37:58.479671231Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3432,6 +3491,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "iana_number": "6", "transport": "tcp" }, 
@@ -3457,7 +3517,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593800300Z", + "ingested": "2021-09-18T20:37:58.479673199Z", "original": "Dec 11 2018 08:01:38 \u003cIP\u003e: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3498,6 +3558,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "iana_number": "17", "transport": "udp" }, @@ -3528,7 +3589,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593801800Z", + "ingested": "2021-09-18T20:37:58.479675231Z", "original": "Dec 11 2018 08:01:39 \u003cIP\u003e: %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", @@ -3571,8 +3632,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3602,7 +3664,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593803500Z", + "ingested": "2021-09-18T20:37:58.479677318Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3647,8 +3709,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -3678,7 +3741,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593805Z", + "ingested": "2021-09-18T20:37:58.479679262Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3723,9 +3786,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", + "transport": "tcp", "bytes": 11420, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3756,7 +3820,7 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T09:06:17.593806600Z", + "ingested": "2021-09-18T20:37:58.479681219Z", "original": "Dec 11 2018 08:01:53 \u003cIP\u003e: %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", @@ -3797,9 +3861,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", + "transport": "udp", "bytes": 1416, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3829,7 +3894,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-09-07T09:06:17.593808300Z", + "ingested": "2021-09-18T20:37:58.479683142Z", "original": "Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3896,7 +3961,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593809900Z", + "ingested": "2021-09-18T20:37:58.479685110Z", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -3960,7 +4025,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593811500Z", + "ingested": "2021-09-18T20:37:58.479687051Z", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4024,7 +4089,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593813800Z", + "ingested": "2021-09-18T20:37:58.479688997Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4088,7 +4153,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593815500Z", + "ingested": "2021-09-18T20:37:58.479690947Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4152,7 +4217,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593817100Z", + "ingested": "2021-09-18T20:37:58.479692918Z", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4216,7 +4281,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593818700Z", + "ingested": "2021-09-18T20:37:58.479700994Z", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4280,7 +4345,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593820300Z", + "ingested": "2021-09-18T20:37:58.479703661Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4344,7 +4409,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T09:06:17.593822Z", + "ingested": "2021-09-18T20:37:58.479705720Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4382,6 +4447,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "iana_number": "6", "transport": "tcp" }, @@ -4419,7 +4485,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593823600Z", + "ingested": "2021-09-18T20:37:58.479707722Z", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", @@ -4484,7 +4550,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T09:06:17.593825900Z", + "ingested": "2021-09-18T20:37:58.479709699Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4522,6 +4588,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "iana_number": "1", "transport": "icmp" }, @@ -4547,7 +4614,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593827700Z", + "ingested": "2021-09-18T20:37:58.479711673Z", "original": "Jan 14 2015 13:16:13: %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4594,6 +4661,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "iana_number": "6", "transport": "tcp" }, 
@@ -4628,7 +4696,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593829300Z", + "ingested": "2021-09-18T20:37:58.479713659Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", @@ -4675,6 +4743,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "iana_number": "6", "transport": "tcp" }, @@ -4706,7 +4775,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593830900Z", + "ingested": "2021-09-18T20:37:58.479715653Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", @@ -4754,6 +4823,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "iana_number": "6", "transport": "tcp" }, @@ -4785,7 +4855,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T09:06:17.593832500Z", + "ingested": "2021-09-18T20:37:58.479717632Z", "original": "Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", 
@@ -4849,7 +4919,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593834100Z", + "ingested": "2021-09-18T20:37:58.479719582Z", "original": "Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "code": "304001", "kind": "event", @@ -4905,7 +4975,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593835700Z", + "ingested": "2021-09-18T20:37:58.479721502Z", "original": "Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", "code": "304001", "kind": "event", @@ -4967,7 +5037,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T09:06:17.593837300Z", + "ingested": "2021-09-18T20:37:58.479723428Z", "original": "Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", "code": "304002", "kind": "event", @@ -5006,9 +5076,6 @@ }, "address": "1.2.3.4", "port": 80, - "user": { - "name": "username" - }, "ip": "1.2.3.4" }, "source": { @@ -5017,14 +5084,18 @@ }, "address": "10.2.3.4", "port": 49926, + "user": { + "name": "username" + }, "ip": "10.2.3.4" }, "tags": [ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:iwVZPCmO/50L3MVqIW0tC5ED+bg=", "transport": "tcp", + "iana_number": "6", "direction": "inbound" }, "observer": { @@ -5057,7 +5128,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T09:06:17.593838900Z", + "ingested": "2021-09-18T20:37:58.479725357Z", "original": "Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)", "code": "302013", "kind": "event", @@ -5073,6 +5144,7 @@ "asa": { "destination_interface": "vlan-42", "mapped_source_port": 49926, + "termination_user": "username", "mapped_destination_ip": "1.2.3.4", "mapped_source_ip": "1.2.3.4", "connection_id": "27215708", 
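Review bot: In the 302013 inbound hunk the user moves from `destination.user.name` to `source.user.name`, which matches the message (`(LOCAL\\username)` is attached to the source tuple), but the `LOCAL` realm is dropped from the ECS field while the vendor field keeps `"source_username": "LOCAL\\username"`; populating `"source": { "user": { "name": "username", "domain": "LOCAL" } }` would preserve the realm for correlation without forcing a pivot to `cisco.asa.source_username`. The split would be implemented in the ingest pipeline, not in this fixture, and it presumes `user.domain` is exported in the package's ECS field mapping, which is outside this view. The new `"termination_user": "username"` field is also worth a field description so readers can tell it apart from `source_username`.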
@@ -5080,9 +5152,1559 @@ "mapped_destination_port": 80, "source_username": "LOCAL\\username" } + } + }, + { + "log": { + "level": "notification" }, - "user": { - "name": "username" + "destination": { + "address": "172.17.6.211", + "ip": "172.17.6.211" + }, + "source": { + "user": { + "name": "USER001" + }, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "url": { + "path": "/somewebpage.html", + "extension": "html", + "original": "http://testingserver.com/somewebpage.html", + "scheme": "http", + "domain": "testingserver.com" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "192.168.0.1", + "172.17.6.211" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479727314Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html", + "code": "304001", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "success" + }, + "cisco": { + "asa": {} + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "port": 443, + "ip": "81.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "nat": { + "port": 34534, + "ip": "62.0.0.1" + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 12312, + "ip": "85.0.0.1", + "user": { + "name": "USER001" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "85.0.0.1", + "62.0.0.1", + "81.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479729252Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 34534, + "termination_user": "USER001", + "mapped_destination_ip": "81.0.0.1", + "mapped_source_ip": "62.0.0.1", + "connection_id": "195207391", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\USER001" + } + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": 
"Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 443, + "ip": "81.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "nat": { + "port": 34534, + "ip": "62.0.0.1" + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 12312, + "ip": "85.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@domain.tld" + ], + "hosts": [ + "domain.tld" + ], + "ip": [ + "85.0.0.1", + "62.0.0.1", + "81.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479731313Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + 
"mapped_source_port": 34534, + "termination_user": "user@domain.tld", + "mapped_destination_ip": "81.0.0.1", + "mapped_source_ip": "62.0.0.1", + "connection_id": "195207391", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\user@domain.tld" + } + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "USER001" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "user": { + "name": "USER001" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479733245Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "USER001", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "LOCAL\\USER001" + } + }, + "user": { + "name": "USER001" + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@domain.tld" + ], + "hosts": [ + "domain.tld" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479735196Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "user@domain.tld", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "LOCAL\\user@domain.tld" + } + }, + "user": { + "name": "user@domain.tld" + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "USER002", + "domain": "AD" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + 
"name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "user": { + "name": "USER002" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER002" + ], + "hosts": [ + "AD" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T20:37:58.479737158Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "USER002", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "AD\\USER002" + } + }, + "user": { + "name": "USER002" + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-NV", + "city_name": "Carson City", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Nevada", + "location": { + "lon": -119.7459, + "lat": 39.1507 + } + }, + "as": { + "number": 7018, + "organization": { + "name": "AT\u0026T Services, Inc." 
+ } + }, + "address": "75.0.0.1", + "port": 18449, + "ip": "75.0.0.1" + }, + "source": { + "address": "192.168.0.1", + "port": 59677, + "user": { + "name": "USER001" + }, + "ip": "192.168.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "192.168.0.1", + "75.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2021-09-18T20:37:58.479739102Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00", + "code": "305012", + "kind": "event", + "start": "2021-01-15T19:12:37.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "LOCAL\\USER001", + "destination_interface": "OUTSIDE", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "address": "ff02::1", + "ip": "ff02::1" + }, + "source": { + "address": "fe80::2205:baff:fe9d:f637", + "ip": "fe80::2205:baff:fe9d:f637" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=", + "iana_number": "1", + "transport": "icmp" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "ip": [ + "fe80::2205:baff:fe9d:f637", + "ff02::1" + ] + }, + 
"event": { + "severity": 6, + "ingested": "2021-09-18T20:37:58.479741063Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0", + "code": "302021", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "mapped_source_ip": "fe80::2205:baff:fe9d:f637", + "icmp_type": 134, + "icmp_code": 0 + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "Ireland", + "location": { + "lon": -8.0, + "lat": 53.0 + }, + "country_iso_code": "IE" + }, + "as": { + "number": 32934, + "organization": { + "name": "Facebook, Inc." + } + }, + "address": "2a03:2880:f253:cb:face:b00c:0:43fe", + "port": 443, + "ip": "2a03:2880:f253:cb:face:b00c:0:43fe" + }, + "source": { + "port": 62477, + "address": "fe00::fede:bbe1", + "ip": "fe00::fede:bbe1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "ip": [ + "fe00::fede:bbe1", + "2a03:2880:f253:cb:face:b00c:0:43fe" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T20:37:58.479752920Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)", + "code": "302013", + "kind": "event", + 
"action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 62477, + "termination_user": "soc@danskecommodities.com", + "mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "mapped_source_ip": "fe00::fede:bbe1", + "connection_id": "251933191", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443 + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "South America", + "country_name": "Argentina", + "location": { + "lon": -58.3817, + "lat": -34.6033 + }, + "country_iso_code": "AR" + }, + "as": { + "number": 7303, + "organization": { + "name": "Telecom Argentina S.A." + } + }, + "address": "181.0.0.1", + "port": 50120, + "ip": "181.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "port": 50120, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "181.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 125000000000, + "ingested": "2021-09-18T20:37:58.479755222Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05", + "code": "305012", + "kind": "event", + "start": "2021-01-15T19:10:32.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "OUTSIDE", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 4249, + "organization": { + "name": "Eli Lilly and Company" + } + }, + "address": "40.0.0.1", + "port": 443, + "ip": "40.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 
+ } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 50120, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "transport": "tcp", + "bytes": 9610, + "iana_number": "6" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "40.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 125000000000, + "reason": "TCP FINs", + "ingested": "2021-09-18T20:37:58.479757277Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", + "code": "302014", + "kind": "event", + "start": "2021-01-15T19:10:32.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "termination_initiator": "OUTSIDE", + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "OUTSIDE", + "termination_user": "domain\\USER001", + "connection_id": "261246338", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + 
"lon": -3.7016, + "lat": 40.4143 + } + }, + "nat": { + "ip": "82.0.0.1" + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 63790, + "ip": "81.0.0.1", + "user": { + "name": "USER001", + "domain": "domain" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "transport": "udp", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "INSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "82.0.0.1", + "192.168.0.1" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T20:37:58.479759291Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)", + "code": "302015", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "INSIDE", + "mapped_source_port": 63790, + "termination_user": "domain\\USER001", + "mapped_destination_ip": "192.168.0.1", + "mapped_source_ip": "82.0.0.1", + "connection_id": "261311655", + "source_interface": "OUTSIDE", + "mapped_destination_port": 53, + "source_username": "LOCAL\\domain\\USER001" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + 
"region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 63790, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "transport": "udp", + "bytes": 139, + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "INSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "192.168.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2021-09-18T20:37:58.479761310Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)", + "code": "302016", + "kind": "event", + "start": "2021-01-15T19:12:37.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "asa": { + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "INSIDE", + "termination_user": "domain\\USER001", + "connection_id": "261311655", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 4249, + "organization": { + "name": "Eli Lilly and Company" + } + }, + "address": "40.0.0.1", + "port": 
443, + "ip": "40.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "nat": { + "ip": "82.0.0.1" + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 50120, + "ip": "81.0.0.1", + "user": { + "name": "USER001", + "domain": "domain" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "82.0.0.1", + "40.0.0.1" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T20:37:58.479763284Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "asa": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 50120, + "termination_user": "domain\\USER001", + "mapped_destination_ip": "40.0.0.1", + "mapped_source_ip": "82.0.0.1", + "connection_id": "261246338", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\domain\\USER001" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": 
{ + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 32328, + "organization": { + "name": "Alascom, Inc." + } + }, + "address": "12.12.12.12", + "ip": "12.12.12.12" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 32328, + "organization": { + "name": "Alascom, Inc." + } + }, + "address": "12.12.12.12", + "ip": "12.12.12.12" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipsec", + "direction": "outbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-07-29T08:35:29.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "john.smith" + ], + "ip": [ + "12.12.12.12" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T20:37:58.479765258Z", + "original": "Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= john.smith) has been deleted.", + "code": "602304", + "kind": "event", + "action": "deleted", + "category": [ + "network" + ], + "type": [ + "info", + "deletion", + "user", + "allowed" + ], + "outcome": "success" + }, + "user": { + "name": "john.smith" + }, + "cisco": { + "asa": { + "tunnel_type": "LAN-to-LAN" + } } } ] diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index d53d61ae3cf..05aa8799ac2 100644 --- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
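Review bot: The new expected documents carry what look like real, routable identities rather than reserved test values: the IPv6 302013 sample's `original` field holds `soc@danskecommodities.com`, and the IPv4 samples use `12.12.12.12`, `40.0.0.1`, `75.0.0.1`, `81.0.0.1` and similar, which the pipeline then enriches with real ASN owners (`AT&T Services, Inc.`, `Eli Lilly and Company`, `Bluewin`). Earlier fixtures in this same file use documentation space (`192.0.2.x`, `192.88.99.x`) and `bad.example.com`, which is the convention to keep — publishing a third party's mailbox and addresses in a package's test corpus is a data-hygiene problem, and the geo/AS enrichment makes it worse. These values come from the hand-written test-sample.log (not in this chunk), so the fix is to replace them there with `soc@example.com` and RFC 5737 / RFC 3849 addresses and regenerate this expected file.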
@@ -267,7 +267,10 @@ processors: field: "message" description: "106023" patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" 
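Review bot: The new `CISCO_USER` entry under `pattern_definitions` is built on `%{USERNAME}`, whose character class is `[a-zA-Z0-9._-]`, so identity-firewall names containing other characters — most commonly AD computer accounts such as `LOCAL\\HOST01$` — cannot match; because the `(\(%{CISCO_USER:...}\) )?` group is optional but the literal `dst` must follow immediately, such a 106023 line fails the whole grok rather than merely losing the user. Whether that surfaces as a dropped event or an `error.message` depends on the pipeline's on_failure handling, which is outside this hunk, but either way a crafted or merely unusual username blinds the parser for that event. A more permissive token that still stops at the closing parenthesis avoids this: `CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?[^\s()\\@]+(@%{HOSTNAME})?)`. The same definition is copied verbatim into the 302013/302015, 305012 and 302020 processors further down, so each copy needs the same change.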
@@ -328,28 +331,37 @@ processors: field: "message" description: "302013, 302015" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
- dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" @@ -365,7 +377,7 @@ processors: field: "message" description: "304001" patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" 
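Review bot: The revised 304001 pattern swallows the parenthesised identity-firewall name after the source address with `(\(%{DATA}\))?`, so for `USER001@192.168.0.1(LOCAL\\USER001)` only the bare `USER001` reaches `source.user.name` and the realm (`LOCAL`, or an AD domain) is discarded — the expected document for this sample shows `cisco.asa` left empty. The 302013 pattern in the preceding hunk keeps exactly that token in `_temp_.cisco.source_username`, and the realm is what tells a local ASA account apart from a directory user of the same name, so it is worth preserving here as well. Capture it as `(\(%{CISCO_USER:_temp_.cisco.source_username}\))?` and give this processor the same `pattern_definitions` block with `NOTCOLON` and `CISCO_USER` that the 302013 processor carries; the destination-side `(%{NOTSPACE}@)?` still drops its user too, which may be intended.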
@@ -650,13 +662,14 @@ processors: field: "message" description: "722051" patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - grok: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" 
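Review bot: The new 733100 pattern captures the five burst counters with `%{INT:...}` but no `:int` suffix, so they stay strings; the file uses `%{NUMBER:source.port:int}` elsewhere and the convert block later in this commit does not cover the `burst.*` fields, so if `cisco.asa.burst.*` are mapped as numeric they should be typed here, e.g. `%{INT:_temp_.cisco.burst.current_rate:int}` (mapping not visible in the hunk). The literal `exceeded.` is an unescaped regex dot; `exceeded\.` is what is meant. The leading `(%{SPACE})?` is redundant because `SPACE` is already `\s*`.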
@@ -666,7 +679,7 @@ processors:
       if: "ctx._temp_.cisco.message_id == '805001'"
       field: "message"
       description: "805001"
-      pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+      pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
   - dissect:
       if: "ctx._temp_.cisco.message_id == '805002'"
       field: "message"
@@ -695,7 +708,7 @@ processors:
   - dissect:
       if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
       field: "message"
-      pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+      pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
   - dissect:
       if: "ctx._temp_.cisco.message_id == '750002'"
       field: "message"
@@ -759,27 +772,29 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes 
%{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} 
)?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) # # Decode FTD's Security Event Syslog Messages 
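Review bot: In the new `MAPPEDSRC` definition `(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})` the second alternative is unreachable, because `IPORHOST` already contains `HOSTNAME`, so a hostname in the gaddr position now lands in `_temp_.natsrcip`; if that value is copied into `source.nat.ip` later (type `ip` per the README hunk, the copy itself is outside this hunk), `(?:%{IP:_temp_.natsrcip}|%{HOSTNAME})` keeps only addresses there. The username groups `\(?%{CISCO_USER:...}\)? ` make each parenthesis independently optional, so `(user` and `user)` are accepted as well as `(user)`; if only the balanced forms occur, requiring the pair avoids capturing a stray parenthesis-less token as a user. `NOTCOLON`, `DURATION` and `CISCO_USER` are now defined verbatim in three grok processors of this commit (305012, 302020 and here); a one-line comment such as `# keep in sync with the 305012 and 302020 pattern_definitions` above this block would save the next edit from drifting.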
@@ -1322,26 +1337,61 @@ processors: Instant.parse(end).minusNanos(nanos), ZoneOffset.UTC); # + # Parse Source/Dest Username/Domain + # + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + # # Normalize protocol names # - lowercase: field: "network.transport" ignore_failure: true + ignore_missing: true - lowercase: field: "network.protocol" ignore_failure: true + ignore_missing: true - lowercase: field: "network.application" ignore_failure: true + ignore_missing: true - lowercase: field: "file.type" ignore_failure: true + ignore_missing: true - lowercase: field: "network.direction" ignore_failure: true + ignore_missing: true - lowercase: field: "network.type" ignore_failure: true + ignore_missing: true # # Populate network.iana_number from network.transport. Also does reverse # mapping in case network.transport contains the iana_number. 
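Review bot: The grok processors added over `source.user.name` and `destination.user.name` are unanchored, so a name with a character outside `USERNAME` (a space, `$`, an apostrophe) is silently cut down to its leading run instead of being left alone — `ignore_failure: true` only protects values that match nothing at all. Anchoring both patterns, `^(%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name}$` and the destination twin, makes a non-conforming value fail the match and survive intact. Both `HOSTNAME` captures, the one in `CISCO_DOMAIN` and the one in `CISCO_USER`, write to the same `source.user.domain`, so a value of the form `DOMAIN\user@realm` would, I believe, produce two captures for that field; a comment stating which one is meant to win would help.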
@@ -1430,58 +1480,72 @@ processors: field: source.port type: integer ignore_failure: true + ignore_missing: true - convert: field: destination.port type: integer ignore_failure: true + ignore_missing: true - convert: field: source.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: destination.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: network.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: source.packets type: integer ignore_failure: true + ignore_missing: true - convert: field: destination.packets type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.mapped_source_port type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.mapped_destination_port type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.icmp_code type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.icmp_type type: integer ignore_failure: true + ignore_missing: true - convert: field: http.response.status_code type: integer ignore_failure: true + ignore_missing: true - convert: field: file.size type: integer ignore_failure: true + ignore_missing: true - convert: field: network.iana_number type: string ignore_failure: true + ignore_missing: true # # Assign ECS .ip fields from .address is a valid IP address is found, # otherwise set .domain field. 
@@ -1877,22 +1941,22 @@ processors: allow_duplicates: false - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" if: ctx?.user?.name != null && ctx?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{host.user.name}}" + value: "{{{host.user.name}}}" if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{source.user.name}}" + value: "{{{source.user.name}}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{destination.user.name}}" + value: "{{{destination.user.name}}}" if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' allow_duplicates: false - append: @@ -1920,6 +1984,19 @@ processors: value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false + - append: + field: related.hosts + value: "{{source.user.domain}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.user.domain}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + allow_duplicates: false + - community_id: + ignore_missing: true + ignore_failure: true - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values. diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml index eaa049445fa..c8ae6587824 100644 --- a/packages/cisco_asa/data_stream/log/fields/ecs.yml +++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml @@ -38,6 +38,8 @@ name: destination.port - external: ecs name: destination.user.name +- external: ecs + name: destination.user.domain - external: ecs name: ecs.version - external: ecs 
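Review bot: The added `community_id` processor reads ICMP type and code from its default `icmp.type`/`icmp.code` fields, while this pipeline keeps them in `_temp_.cisco.icmp_type`/`_temp_.cisco.icmp_code` (see the convert hunk above), so ICMP flows get a hash computed without type/code and will not match the Community ID other sensors compute for the same flow; pass them explicitly, `icmp_type: _temp_.cisco.icmp_type` and `icmp_code: _temp_.cisco.icmp_code` (or the `cisco.asa.*` path if the `_temp_` rename, which is outside this hunk, has already run at this point). In the same hunk the two new `related.hosts` appends use `{{source.user.domain}}` and `{{destination.user.domain}}` with double braces, while the hunk just above switched `related.user` to triple braces to stop Mustache HTML-escaping the value; `{{{source.user.domain}}}` keeps the two consistent.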
@@ -96,6 +98,8 @@ name: network.transport - external: ecs name: network.type +- external: ecs + name: network.community_id - external: ecs name: observer.egress.interface.name - external: ecs @@ -166,6 +170,8 @@ name: source.port - external: ecs name: source.user.name +- external: ecs + name: source.user.domain - external: ecs name: tags - external: ecs diff --git a/packages/cisco_asa/data_stream/log/fields/fields.yml b/packages/cisco_asa/data_stream/log/fields/fields.yml index 232f2e3f45d..4ef7cfc25ad 100644 --- a/packages/cisco_asa/data_stream/log/fields/fields.yml +++ b/packages/cisco_asa/data_stream/log/fields/fields.yml @@ -177,6 +177,19 @@ type: keyword description: >- AAA name of user requesting termination + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) + - name: syslog.facility.code type: long description: Syslog numeric facility of the event. diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index b52730a1c10..645689dd6ae 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md 
@@ -160,9 +160,11 @@ An example event for `log` looks as following: | cisco.asa.source_interface | Source interface for the flow or event. | keyword | | cisco.asa.source_username | Name of the user that is the source for this event. | keyword | | cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | +| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword | | cisco.asa.termination_user | AAA name of user requesting termination | keyword | | cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | | cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword | | cisco.asa.username | | keyword | | cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | 
@@ -202,6 +204,7 @@ An example event for `log` looks as following: | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | | destination.port | Port of the destination. | long | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | destination.user.name | Short name or login of the user. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | error.message | Error message. | text | 
@@ -244,6 +247,7 @@ An example event for `log` looks as following: | log.source.address | Source address from which the log event was read / sent from. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
| keyword | | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | @@ -288,6 +292,7 @@ An example event for `log` looks as following: | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | source.user.name | Short name or login of the user. | keyword | | syslog.facility.code | Syslog numeric facility of the event. | long | | syslog.priority | Syslog priority of the event. | long | diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml index 96d57b0c724..f18c5a5e4f6 100644 --- a/packages/cisco_asa/manifest.yml +++ b/packages/cisco_asa/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_asa title: Cisco ASA -version: 1.0.1 +version: 1.0.2 license: basic description: This Elastic integration collects logs from Cisco ASA network devices type: integration diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index c0654fd47b2..aeba8f52dff 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml 
@@ -1,9 +1,14 @@
 # newer versions go on top
+- version: "1.0.2"
+  changes:
+    - description: sync package with module changes (Beats PR 26879)
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1740
 - version: "1.0.1"
   changes:
-    - description: Adding missing ECS fields
-      type: bugfix
-      link: https://github.com/elastic/integrations/pull/1731
+    - description: sync package with module changes (Beats PR 26879)
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1740
 - version: "1.0.0"
   changes:
     - description: Initial version to split Cisco FTD out from the general Cisco package
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log
index 00819e8eec1..d279c09d8d1 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log
@@ -3,3 +3,10 @@ Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.12 Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group "acl_dmz" [0xe3afb522, 0x0] Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\Elastic) dst Outside:10.123.123.123/57621 by access-group "Inside_access_in" [0x0, 0x0] Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound" +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in" +Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944 +May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269 +May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018 +May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466 +May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. 
Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054 \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index 50ddab868be..67169583959 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -10,17 +10,21 @@ "ip": "10.233.123.123" }, "source": { - "port": 53723, "address": "10.123.123.123", + "port": 53723, + "user": { + "name": "Elastic" + }, "ip": "10.123.123.123" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", + "transport": "udp", "bytes": 148, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -43,6 +47,9 @@ "version": "1.11.0" }, "related": { + "user": [ + "Elastic" + ], "hosts": [ "SNL-ASA-VPN-A01" ], @@ -57,7 +64,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.148637500Z", + "ingested": "2021-09-18T21:19:18.859010714Z", "original": "Apr 17 2020 14:08:08 SNL-ASA-VPN-A01 : %ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "code": "302016", "kind": "event", @@ -74,7 +81,7 @@ }, "cisco": { "ftd": { - "source_username": "(LOCAL\\Elastic)", + "source_username": "LOCAL\\Elastic", "destination_interface": "Inside", "termination_user": "zzzzzz", "connection_id": "110577675", @@ -98,6 +105,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "iana_number": "1", "transport": "icmp" }, 
@@ -134,7 +142,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.148665100Z", + "ingested": "2021-09-18T21:19:18.859015356Z", "original": "Apr 17 2020 14:00:31 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -174,6 +182,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "iana_number": "6", "transport": "tcp" }, @@ -203,7 +212,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.148702200Z", + "ingested": "2021-09-18T21:19:18.859017513Z", "original": "Apr 15 2013 09:36:50: %ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "code": "106023", "kind": "event", @@ -235,14 +244,18 @@ "ip": "10.123.123.123" }, "source": { - "port": 57621, "address": "10.123.123.123", + "port": 57621, + "user": { + "name": "Elastic" + }, "ip": "10.123.123.123" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "iana_number": "17", "transport": "udp" }, @@ -267,6 +280,9 @@ "version": "1.11.0" }, "related": { + "user": [ + "Elastic" + ], "hosts": [ "SNL-ASA-VPN-A01" ], @@ -279,7 +295,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.148710300Z", + "ingested": "2021-09-18T21:19:18.859019503Z", "original": "Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -295,7 +311,7 @@ }, "cisco": { "ftd": { - "source_username": "(LOCAL\\Elastic)", + "source_username": "LOCAL\\Elastic", "destination_interface": "Outside", "rule_name": "Inside_access_in", "source_interface": "Inside" 
@@ -340,7 +356,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:21:32.148716500Z", + "ingested": "2021-09-18T21:19:18.859021447Z", "original": "Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "code": "106017", "kind": "event", 
@@ -357,6 +373,501 @@ "cisco": { "ftd": {} } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, + "source": { + "address": "100.66.124.24", + "ip": "100.66.124.24" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", + "iana_number": "47" + }, + "observer": { + "ingress": { + "interface": { + "name": "outside" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "inside" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "100.66.124.24", + "172.31.98.44" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859023433Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group \"inbound\"", + "code": "106023", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "ftd": { + "destination_interface": "inside", + "rule_name": "inbound", + "source_interface": "outside" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "address": "fe00:afa0::1", + "ip": "fe00:afa0::1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "SE-AB", + "city_name": "Stockholm", + "country_iso_code": "SE", + "country_name": "Sweden", + "region_name": "Stockholm", + "location": { + "lon": 18.05, + "lat": 59.3333 + } + }, + "as": { + "number": 16509, + "organization": { + "name": "Amazon.com, Inc." 
+ } + }, + "address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", + "iana_number": "1", + "transport": "icmp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "fe00:afa0::1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859025330Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group \"OUTSIDE_in\"", + "code": "106023", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "denied" + ], + "outcome": "failure" + }, + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + "rule_name": "OUTSIDE_in", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 500, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "United Kingdom", + "location": { + "lon": -0.1224, + "lat": 51.4964 + }, + "country_iso_code": "GB" + }, + "as": { + "number": 5089, + "organization": { 
+ "name": "Virgin Media Limited" + } + }, + "address": "82.0.0.1", + "port": 500, + "ip": "82.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", + "transport": "udp", + "bytes": 4671944, + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "identity" + } + } + }, + "@timestamp": "2020-04-27T02:03:03.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ], + "ip": [ + "82.0.0.1", + "85.0.0.1" + ] + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "duration": 332660000000000, + "ingested": "2021-09-18T21:19:18.859027276Z", + "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", + "code": "302016", + "kind": "event", + "start": "2020-04-23T05:38:43.000Z", + "action": "flow-expiration", + "end": "2020-04-27T02:03:03.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "identity", + "connection_id": "123364823", + "source_interface": "OUTSIDE" + } + } + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859029164Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. 
Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "burst": { + "configured_avg_rate": "4", + "cumulative_count": "19269", + "configured_rate": "8", + "avg_rate": "5", + "current_rate": "0", + "id": "rate-2", + "object": "Scanning" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859031041Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. 
Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "6018", + "configured_rate": "10", + "avg_rate": "5", + "current_rate": "0", + "id": "rate-1", + "object": "192.168.0.1" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859046764Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. 
Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "12466", + "configured_rate": "10", + "avg_rate": "20", + "current_rate": "8", + "id": "rate-1", + "object": "Port-5432 5432" + } + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "observer": { + "hostname": "dev01", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "@timestamp": "2021-05-05T19:02:25.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "hosts": [ + "dev01" + ] + }, + "log": { + "level": "warning" + }, + "host": { + "hostname": "dev01" + }, + "event": { + "severity": 4, + "ingested": "2021-09-18T21:19:18.859050211Z", + "original": "May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054", + "code": "733100", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "burst": { + "configured_avg_rate": "5", + "cumulative_count": "3054", + "configured_rate": "10", + "avg_rate": "5", + "current_rate": "63", + "id": "rate-1", + "object": "RDP 3389" + } + } + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json index 69bce72c4f0..9f9eb82b8e5 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json 
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json @@ -22,6 +22,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "iana_number": "6", "transport": "tcp" }, @@ -59,7 +60,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721191900Z", + "ingested": "2021-09-18T21:19:23.831291050Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", "code": "305011", "kind": "event", @@ -100,8 +101,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -138,7 +140,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721218700Z", + "ingested": "2021-09-18T21:19:23.831296354Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "code": "302013", "kind": "event", @@ -184,9 +186,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", + "transport": "tcp", "bytes": 38110, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -224,7 +227,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721225600Z", + "ingested": "2021-09-18T21:19:23.831298266Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -269,9 +272,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", + "transport": "tcp", "bytes": 44010, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -309,7 +313,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721231Z", + "ingested": "2021-09-18T21:19:23.831300086Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "code": "302014", "kind": "event", @@ -354,9 +358,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", + "transport": "tcp", "bytes": 7652, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -394,7 +399,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721235900Z", + "ingested": "2021-09-18T21:19:23.831301900Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "code": "302014", "kind": "event", @@ -439,9 +444,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", + "transport": "tcp", "bytes": 7062, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -479,7 +485,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721240200Z", + "ingested": "2021-09-18T21:19:23.831303631Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -524,9 +530,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", + "transport": "tcp", "bytes": 5738, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -564,7 +571,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721244600Z", + "ingested": "2021-09-18T21:19:23.831305330Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "code": "302014", "kind": "event", @@ -609,9 +616,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", + "transport": "tcp", "bytes": 4176, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -649,7 +657,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721249200Z", + "ingested": "2021-09-18T21:19:23.831307054Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "code": "302014", "kind": "event", @@ -694,9 +702,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", + "transport": "tcp", "bytes": 1715, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -734,7 +743,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721254500Z", + "ingested": "2021-09-18T21:19:23.831308809Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -779,9 +788,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", + "transport": "tcp", "bytes": 45595, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -819,7 +829,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721259Z", + "ingested": "2021-09-18T21:19:23.831310530Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "code": "302014", "kind": "event", @@ -864,9 +874,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", + "transport": "tcp", "bytes": 27359, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -904,7 +915,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721265Z", + "ingested": "2021-09-18T21:19:23.831312258Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "code": "302014", "kind": "event", @@ -949,9 +960,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", + "transport": "tcp", "bytes": 4457, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -989,7 +1001,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721270300Z", + "ingested": "2021-09-18T21:19:23.831314340Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1034,9 +1046,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", + "transport": "tcp", "bytes": 26709, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1074,7 +1087,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721275100Z", + "ingested": "2021-09-18T21:19:23.831316079Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "code": "302014", "kind": "event", @@ -1119,9 +1132,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", + "transport": "tcp", "bytes": 22097, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1159,7 +1173,7 @@ "severity": 6, "duration": 69000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721279800Z", + "ingested": "2021-09-18T21:19:23.831317783Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "code": "302014", "kind": "event", @@ -1204,9 +1218,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", + "transport": "tcp", "bytes": 2209, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -1244,7 +1259,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721284900Z", + "ingested": "2021-09-18T21:19:23.831319543Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "code": "302014", "kind": "event", @@ -1289,9 +1304,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", + "transport": "tcp", "bytes": 10404, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1329,7 +1345,7 @@ "severity": 6, "duration": 67000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721289900Z", + "ingested": "2021-09-18T21:19:23.831321309Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "code": "302014", "kind": "event", @@ -1374,9 +1390,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", + "transport": "tcp", "bytes": 123694, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1414,7 +1431,7 @@ "severity": 6, "duration": 70000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721295Z", + "ingested": "2021-09-18T21:19:23.831323178Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "code": "302014", "kind": "event", 
@@ -1459,9 +1476,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", + "transport": "tcp", "bytes": 35835, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1499,7 +1517,7 @@ "severity": 6, "duration": 71000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721301Z", + "ingested": "2021-09-18T21:19:23.831324911Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "code": "302014", "kind": "event", @@ -1544,9 +1562,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", + "transport": "tcp", "bytes": 0, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -1584,7 +1603,7 @@ "severity": 6, "duration": 30000000000, "reason": "SYN Timeout", - "ingested": "2021-09-07T12:21:32.721305600Z", + "ingested": "2021-09-18T21:19:23.831326664Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "code": "302014", "kind": "event", @@ -1629,6 +1648,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "iana_number": "17", "transport": "udp" }, @@ -1666,7 +1686,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721310300Z", + "ingested": "2021-09-18T21:19:23.831328454Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "code": "305011", "kind": "event", 
@@ -1707,8 +1727,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1745,7 +1766,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721314900Z", + "ingested": "2021-09-18T21:19:23.831330212Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -1791,9 +1812,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", + "transport": "udp", "bytes": 148, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -1830,7 +1852,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721319300Z", + "ingested": "2021-09-18T21:19:23.831331904Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "code": "302016", "kind": "event", @@ -1875,8 +1897,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -1913,7 +1936,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721323900Z", + "ingested": "2021-09-18T21:19:23.831333601Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -1959,9 +1982,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", + "transport": "udp", "bytes": 164, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -1998,7 +2022,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721329Z", + "ingested": "2021-09-18T21:19:23.831335467Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "code": "302016", "kind": "event", @@ -2043,6 +2067,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "iana_number": "6", "transport": "tcp" }, @@ -2080,7 +2105,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721333600Z", + "ingested": "2021-09-18T21:19:23.831337241Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "code": "305011", "kind": "event", @@ -2121,8 +2146,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -2159,7 +2185,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721338900Z", + "ingested": "2021-09-18T21:19:23.831338969Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "code": "302013", "kind": "event", @@ -2205,6 +2231,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "iana_number": "6", "transport": "tcp" }, 
@@ -2242,7 +2269,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721344200Z", + "ingested": "2021-09-18T21:19:23.831340694Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "code": "305011", "kind": "event", @@ -2283,8 +2310,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -2321,7 +2349,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721348500Z", + "ingested": "2021-09-18T21:19:23.831342397Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "code": "302013", "kind": "event", @@ -2367,8 +2395,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2405,7 +2434,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721354500Z", + "ingested": "2021-09-18T21:19:23.831344094Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2451,8 +2480,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -2489,7 +2519,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721359200Z", + "ingested": "2021-09-18T21:19:23.831345811Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -2535,9 +2565,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", + "transport": "udp", "bytes": 111, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -2574,7 +2605,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721363600Z", + "ingested": "2021-09-18T21:19:23.831363677Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "code": "302016", "kind": "event", @@ -2619,9 +2650,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", + "transport": "udp", "bytes": 237, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -2658,7 +2690,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721368Z", + "ingested": "2021-09-18T21:19:23.831367327Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "code": "302016", "kind": "event", @@ -2703,6 +2735,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "iana_number": "6", "transport": "tcp" }, 
@@ -2740,7 +2773,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721372300Z", + "ingested": "2021-09-18T21:19:23.831369115Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "code": "305011", "kind": "event", @@ -2781,8 +2814,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -2819,7 +2853,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721376500Z", + "ingested": "2021-09-18T21:19:23.831370838Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "code": "302013", "kind": "event", @@ -2865,6 +2899,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "iana_number": "17", "transport": "udp" }, @@ -2902,7 +2937,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721380700Z", + "ingested": "2021-09-18T21:19:23.831372699Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "code": "305011", "kind": "event", @@ -2943,8 +2978,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -2981,7 +3017,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721384900Z", + "ingested": "2021-09-18T21:19:23.831374444Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3027,8 +3063,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -3065,7 +3102,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721389100Z", + "ingested": "2021-09-18T21:19:23.831376168Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3111,9 +3148,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", + "transport": "udp", "bytes": 87, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3150,7 +3188,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721393500Z", + "ingested": "2021-09-18T21:19:23.831377873Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "code": "302016", "kind": "event", @@ -3195,9 +3233,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", + "transport": "udp", "bytes": 221, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -3234,7 +3273,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721397700Z", + "ingested": "2021-09-18T21:19:23.831379545Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "code": "302016", "kind": "event", @@ -3279,6 +3318,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "iana_number": "6", "transport": "tcp" }, @@ -3316,7 +3356,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721402200Z", + "ingested": "2021-09-18T21:19:23.831381220Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "code": "305011", "kind": "event", @@ -3357,8 +3397,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3395,7 +3436,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721406500Z", + "ingested": "2021-09-18T21:19:23.831385869Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "code": "302013", "kind": "event", @@ -3441,8 +3482,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -3479,7 +3521,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721418100Z", + "ingested": "2021-09-18T21:19:23.831388030Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3525,8 +3567,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -3563,7 +3606,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721422900Z", + "ingested": "2021-09-18T21:19:23.831389785Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -3609,9 +3652,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", + "transport": "udp", "bytes": 101, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3648,7 +3692,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721427800Z", + "ingested": "2021-09-18T21:19:23.831391481Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "code": "302016", "kind": "event", @@ -3693,9 +3737,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", + "transport": "udp", "bytes": 126, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -3732,7 +3777,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721436Z", + "ingested": "2021-09-18T21:19:23.831393170Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "code": "302016", "kind": "event", @@ -3777,6 +3822,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "iana_number": "6", "transport": "tcp" }, @@ -3814,7 +3860,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721441100Z", + "ingested": "2021-09-18T21:19:23.831394864Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "code": "305011", "kind": "event", @@ -3855,8 +3901,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3893,7 +3940,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721445600Z", + "ingested": "2021-09-18T21:19:23.831396567Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "code": "302013", "kind": "event", @@ -3939,9 +3986,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", + "transport": "tcp", "bytes": 862, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -3979,7 +4027,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721450400Z", + "ingested": "2021-09-18T21:19:23.831398306Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "code": "302014", "kind": "event", @@ -4024,8 +4072,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -4062,7 +4111,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721454900Z", + "ingested": "2021-09-18T21:19:23.831400035Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4108,9 +4157,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -4147,7 +4197,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721459200Z", + "ingested": "2021-09-18T21:19:23.831401728Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4192,9 +4242,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", + "transport": "udp", "bytes": 176, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -4231,7 +4282,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721463500Z", + "ingested": "2021-09-18T21:19:23.831403596Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "code": "302016", "kind": "event", @@ -4276,6 +4327,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "iana_number": "6", "transport": "tcp" }, @@ -4313,7 +4365,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721468Z", + "ingested": "2021-09-18T21:19:23.831405313Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "code": "305011", "kind": "event", @@ -4354,8 +4406,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -4392,7 +4445,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721472200Z", + "ingested": "2021-09-18T21:19:23.831407069Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "code": "302013", "kind": "event", @@ -4438,6 +4491,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "iana_number": "6", "transport": "tcp" }, 
@@ -4475,7 +4529,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721476400Z", + "ingested": "2021-09-18T21:19:23.831408837Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "code": "305011", "kind": "event", @@ -4516,8 +4570,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -4554,7 +4609,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721480800Z", + "ingested": "2021-09-18T21:19:23.831410554Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "code": "302013", "kind": "event", @@ -4600,6 +4655,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "iana_number": "6", "transport": "tcp" }, @@ -4637,7 +4693,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721485300Z", + "ingested": "2021-09-18T21:19:23.831412244Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "code": "305011", "kind": "event", @@ -4678,8 +4734,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -4716,7 +4773,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721489400Z", + "ingested": "2021-09-18T21:19:23.831413931Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "code": "302013", "kind": "event", @@ -4762,8 +4819,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -4800,7 +4858,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721493600Z", + "ingested": "2021-09-18T21:19:23.831415612Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -4846,9 +4904,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -4885,7 +4944,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721497600Z", + "ingested": "2021-09-18T21:19:23.831417355Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -4930,6 +4989,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "iana_number": "6", "transport": "tcp" }, 
@@ -4967,7 +5027,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721501600Z", + "ingested": "2021-09-18T21:19:23.831419066Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "code": "305011", "kind": "event", @@ -5008,8 +5068,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5046,7 +5107,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721505800Z", + "ingested": "2021-09-18T21:19:23.831420761Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "code": "302013", "kind": "event", @@ -5092,6 +5153,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "iana_number": "6", "transport": "tcp" }, @@ -5129,7 +5191,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721510Z", + "ingested": "2021-09-18T21:19:23.831422648Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "code": "305011", "kind": "event", @@ -5170,8 +5232,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -5208,7 +5271,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721515600Z", + "ingested": "2021-09-18T21:19:23.831424357Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "code": "302013", "kind": "event", @@ -5254,8 +5317,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -5292,7 +5356,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721520Z", + "ingested": "2021-09-18T21:19:23.831426115Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -5338,9 +5402,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", + "transport": "tcp", "bytes": 593, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -5378,7 +5443,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721524800Z", + "ingested": "2021-09-18T21:19:23.831427837Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "code": "302014", "kind": "event", @@ -5423,6 +5488,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "iana_number": "6", "transport": "tcp" }, 
@@ -5460,7 +5526,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721529300Z", + "ingested": "2021-09-18T21:19:23.831429548Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "code": "305011", "kind": "event", @@ -5501,8 +5567,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5539,7 +5606,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721534200Z", + "ingested": "2021-09-18T21:19:23.831431318Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "code": "302013", "kind": "event", @@ -5585,9 +5652,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", + "transport": "udp", "bytes": 375, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -5624,7 +5692,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721538600Z", + "ingested": "2021-09-18T21:19:23.831433015Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "code": "302016", "kind": "event", @@ -5669,6 +5737,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "iana_number": "6", "transport": "tcp" }, 
@@ -5706,7 +5775,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721543Z", + "ingested": "2021-09-18T21:19:23.831434721Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "code": "305011", "kind": "event", @@ -5747,8 +5816,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5785,7 +5855,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721547400Z", + "ingested": "2021-09-18T21:19:23.831436444Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "code": "302013", "kind": "event", @@ -5817,14 +5887,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8267, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1454, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -5833,6 +5928,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
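Review bot: The `network.community_id` added in the last two hunks here (`1:Aj/XpM3jpqRdnliZ41V6x4P43+E=`) is computed from `172.31.98.44:1454` and `100.66.98.44:8267`, which are the pre-NAT and post-NAT endpoints of the same inside host for a 305012 translation teardown, not a flow between two peers; the actual connection 11780 for this translation carries `1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=` in the 302013 record earlier in the file, so the two cannot be joined on community id, and `related.ip` now lists the firewall's own outside address as a peer of the client. The earlier 305011 hunk for this translation appears to carry the same id, so this is a property of how the pipeline maps 305011/305012 rather than of this record alone; its `source`/`destination` blocks are outside these hunks, so I cannot confirm they match. Consider placing the translated endpoint in `source.nat.ip`/`source.nat.port` for the translation messages and leaving `destination.*` and `network.community_id` unset there, so NAT events stop looking like a second flow to correlation and detection logic. The same pattern repeats in the corresponding hunks of the following 305012 records for ports 1455–1460.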
@@ -5840,20 +5939,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721551500Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831438145Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -5878,6 +5984,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "iana_number": "6", "transport": "tcp" }, @@ -5915,7 +6022,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721555600Z", + "ingested": "2021-09-18T21:19:23.831439863Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "code": "305011", "kind": "event", @@ -5956,8 +6063,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -5994,7 +6102,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721560300Z", + "ingested": "2021-09-18T21:19:23.831441568Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "code": "302013", "kind": "event", 
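Review bot: Re-typing the 305012 translation teardown as `"type": ["connection", "end"]` with `"action": "flow-expiration"` in the first hunk here means a single TCP session now produces two connection-end events, this one and the 302014 teardown for the same client port, so any rule or dashboard that counts `event.type:end` or `event.action:flow-expiration` per host will double-count on ASA/FTD data; the previous `"info"`/`"firewall-rule"` mapping did not have that effect. The added `event.duration`/`event.start`/`event.end` already expose the 30 s NAT lifetime on their own, so the categorization could stay at `info` (or `connection` without `end`) with a translation-specific `event.action` value, letting consumers tell translation teardowns apart from connection teardowns. The same change is repeated in the matching `event` hunks of the six following 305012 records.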
@@ -6026,14 +6134,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8268, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1455, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6042,6 +6175,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6049,20 +6186,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721565Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831443283Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -6073,14 +6217,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8269, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1456, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6089,6 +6258,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6096,20 +6269,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721569600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831445162Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -6120,14 +6300,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8270, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1457, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6136,6 +6341,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6143,20 +6352,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721574100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831446901Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -6167,14 +6383,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8271, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1458, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6183,6 +6424,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6190,20 +6435,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721578600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831448598Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -6214,14 +6466,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8272, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1459, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6230,6 +6507,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6237,20 +6518,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721583400Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831450316Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -6261,14 +6549,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8273, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1460, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -6277,6 +6590,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -6284,20 +6601,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721588600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831452006Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -6322,9 +6646,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", + "transport": "tcp", "bytes": 575, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -6362,7 +6687,7 @@ "severity": 6, "duration": 325000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721593100Z", + "ingested": "2021-09-18T21:19:23.831453691Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "code": "302014", "kind": "event", @@ -6407,9 +6732,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", + "transport": "tcp", "bytes": 5391, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -6447,7 +6773,7 @@ "severity": 6, "duration": 0, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.721597800Z", + "ingested": "2021-09-18T21:19:23.831455446Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "code": "302014", "kind": "event", @@ -6492,6 +6818,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "iana_number": "6", "transport": "tcp" }, @@ -6529,7 +6856,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721603600Z", + "ingested": "2021-09-18T21:19:23.831457131Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "code": "305011", "kind": "event", @@ -6570,8 +6897,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -6608,7 +6936,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721608200Z", + "ingested": "2021-09-18T21:19:23.831458812Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", "code": "302013", "kind": "event", @@ -6654,6 +6982,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6691,7 +7020,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721613400Z", + "ingested": "2021-09-18T21:19:23.831460492Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6735,6 +7064,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6772,7 +7102,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721617600Z", + "ingested": "2021-09-18T21:19:23.831462172Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6816,6 +7146,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6853,7 +7184,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721621900Z", + "ingested": "2021-09-18T21:19:23.831463862Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -6897,6 +7228,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -6934,7 +7266,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721627Z", + "ingested": "2021-09-18T21:19:23.831465594Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -6978,6 +7310,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7015,7 +7348,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721631500Z", + "ingested": "2021-09-18T21:19:23.831467286Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7059,6 +7392,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7096,7 +7430,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721635800Z", + "ingested": "2021-09-18T21:19:23.831468982Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7140,6 +7474,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, 
@@ -7177,7 +7512,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721640100Z", + "ingested": "2021-09-18T21:19:23.831470663Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7221,6 +7556,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7258,7 +7594,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721644500Z", + "ingested": "2021-09-18T21:19:23.831472351Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7302,6 +7638,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7339,7 +7676,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721648700Z", + "ingested": "2021-09-18T21:19:23.831474048Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7383,6 +7720,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7420,7 +7758,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721652800Z", + "ingested": "2021-09-18T21:19:23.831475742Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -7464,6 +7802,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7501,7 +7840,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721656900Z", + "ingested": "2021-09-18T21:19:23.831477421Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7545,6 +7884,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7582,7 +7922,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721661500Z", + "ingested": "2021-09-18T21:19:23.831479096Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7626,6 +7966,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "iana_number": "6", "transport": "tcp" }, @@ -7663,7 +8004,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.721665700Z", + "ingested": "2021-09-18T21:19:23.831480772Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -7707,6 +8048,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "iana_number": "6", "transport": "tcp" }, 
@@ -7744,7 +8086,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721670100Z", + "ingested": "2021-09-18T21:19:23.831482451Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "code": "305011", "kind": "event", @@ -7785,8 +8127,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -7823,7 +8166,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721674400Z", + "ingested": "2021-09-18T21:19:23.831484148Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "code": "302013", "kind": "event", @@ -7869,6 +8212,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "iana_number": "17", "transport": "udp" }, @@ -7906,7 +8250,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721678700Z", + "ingested": "2021-09-18T21:19:23.831485843Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "code": "305011", "kind": "event", @@ -7947,8 +8291,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -7985,7 +8330,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721682900Z", + "ingested": "2021-09-18T21:19:23.831487529Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8031,9 +8376,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", + "transport": "udp", "bytes": 373, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -8070,7 +8416,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721687200Z", + "ingested": "2021-09-18T21:19:23.831489209Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373", "code": "302016", "kind": "event", @@ -8115,8 +8461,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:EbQL+Bkt/0HhFonc51xiLjU2ULs=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -8153,7 +8500,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721691400Z", + "ingested": "2021-09-18T21:19:23.831490896Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -8199,9 +8546,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:EbQL+Bkt/0HhFonc51xiLjU2ULs=", + "transport": "udp", "bytes": 207, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -8238,7 +8586,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721695700Z", + "ingested": "2021-09-18T21:19:23.831492579Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207", "code": "302016", "kind": "event", @@ -8283,6 +8631,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BbvA+2xZjkf52lWjSH3HOxxj5hU=", "iana_number": "6", "transport": "tcp" }, @@ -8320,7 +8669,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721699900Z", + "ingested": "2021-09-18T21:19:23.831494288Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280", "code": "305011", "kind": "event", @@ -8361,8 +8710,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:ShbrimWtNV85eRupsVdhYYGjinM=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -8399,7 +8749,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721704200Z", + "ingested": "2021-09-18T21:19:23.831496006Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276)", "code": "302013", "kind": "event", @@ -8445,6 +8795,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:xM9jRCoCKsQva+HDcJ8nktupQ/U=", "iana_number": "6", "transport": "tcp" }, 
@@ -8482,7 +8833,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721708400Z", + "ingested": "2021-09-18T21:19:23.831497699Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281", "code": "305011", "kind": "event", @@ -8523,8 +8874,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:IcCOLZpFflYj07ZKALUHqkud7Og=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -8561,7 +8913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721712700Z", + "ingested": "2021-09-18T21:19:23.831499461Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277)", "code": "302013", "kind": "event", @@ -8607,9 +8959,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ShbrimWtNV85eRupsVdhYYGjinM=", + "transport": "tcp", "bytes": 12853, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -8647,7 +9000,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721716700Z", + "ingested": "2021-09-18T21:19:23.831501155Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs", "code": "302014", "kind": "event", @@ -8692,6 +9045,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:1P8Fbc8oTceSX9f9YAusY6Mfscc=", "iana_number": "6", "transport": "tcp" }, 
@@ -8729,7 +9083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721721100Z", + "ingested": "2021-09-18T21:19:23.831502861Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282", "code": "305011", "kind": "event", @@ -8770,8 +9124,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:dhiHohHbIs5hJvTmSlxicfumIG8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -8808,7 +9163,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721725200Z", + "ingested": "2021-09-18T21:19:23.831504583Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278)", "code": "302013", "kind": "event", @@ -8854,9 +9209,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:IcCOLZpFflYj07ZKALUHqkud7Og=", + "transport": "tcp", "bytes": 5291, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -8894,7 +9250,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721729900Z", + "ingested": "2021-09-18T21:19:23.831506430Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs", "code": "302014", "kind": "event", @@ -8939,6 +9295,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:R/Bwq8x4Nfwk474w7odsVLA+w60=", "iana_number": "6", "transport": "tcp" }, 
@@ -8976,7 +9333,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721734100Z", + "ingested": "2021-09-18T21:19:23.831508115Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283", "code": "305011", "kind": "event", @@ -9017,8 +9374,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:a8PBN9kFi4P46nWxmgh0bVLBFiI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9055,7 +9413,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721738300Z", + "ingested": "2021-09-18T21:19:23.831509782Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279)", "code": "302013", "kind": "event", @@ -9101,9 +9459,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dhiHohHbIs5hJvTmSlxicfumIG8=", + "transport": "tcp", "bytes": 965, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -9141,7 +9500,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721742600Z", + "ingested": "2021-09-18T21:19:23.831511464Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs", "code": "302014", "kind": "event", @@ -9186,9 +9545,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:a8PBN9kFi4P46nWxmgh0bVLBFiI=", + "transport": "tcp", "bytes": 8605, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -9226,7 +9586,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721747Z", + "ingested": "2021-09-18T21:19:23.831513172Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs", "code": "302014", "kind": "event", @@ -9271,6 +9631,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:dTHfo+z9KqY8Iv5a+ZiicBoktu4=", "iana_number": "6", "transport": "tcp" }, @@ -9308,7 +9669,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721752100Z", + "ingested": "2021-09-18T21:19:23.831514876Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284", "code": "305011", "kind": "event", @@ -9349,8 +9710,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:Zq6+JMxLF2IW+AMDtt69/DrxaV4=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9387,7 +9749,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721757600Z", + "ingested": "2021-09-18T21:19:23.831516560Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280)", "code": "302013", "kind": "event", @@ -9433,9 +9795,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Zq6+JMxLF2IW+AMDtt69/DrxaV4=", + "transport": "tcp", "bytes": 3428, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -9473,7 +9836,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721762200Z", + "ingested": "2021-09-18T21:19:23.831526603Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs", "code": "302014", "kind": "event", @@ -9518,6 +9881,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:vzr9XNGDTcZ5SwFWHFUilmbchlo=", "iana_number": "6", "transport": "tcp" }, @@ -9555,7 +9919,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721766500Z", + "ingested": "2021-09-18T21:19:23.831528547Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285", "code": "305011", "kind": "event", @@ -9596,8 +9960,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:ouKNG9b/He9jGnG4Ff7BJ3eD+hs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9634,7 +9999,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721770700Z", + "ingested": "2021-09-18T21:19:23.831530282Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281)", "code": "302013", "kind": "event", @@ -9680,6 +10045,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:OitMDe3Ye5KVpROuoY8+v8mfvCA=", "iana_number": "6", "transport": "tcp" }, 
@@ -9717,7 +10083,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721775500Z", + "ingested": "2021-09-18T21:19:23.831532025Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286", "code": "305011", "kind": "event", @@ -9758,8 +10124,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:l/JmkwP7ndSnY7mnopAakIfQfKs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -9796,7 +10163,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721780900Z", + "ingested": "2021-09-18T21:19:23.831557593Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282)", "code": "302013", "kind": "event", @@ -9842,6 +10209,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3ob7O6L1949whjkG5YUJZf0Gwtk=", "iana_number": "6", "transport": "tcp" }, @@ -9879,7 +10247,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721786500Z", + "ingested": "2021-09-18T21:19:23.831560886Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287", "code": "305011", "kind": "event", @@ -9920,8 +10288,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:NK/etrnMLqzbSzpHgwOIUFndnDk=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -9958,7 +10327,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721791300Z", + "ingested": "2021-09-18T21:19:23.831562670Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283)", "code": "302013", "kind": "event", @@ -10004,6 +10373,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:X7DN+XIzlXidhVz1eb1s2EisS8A=", "iana_number": "6", "transport": "tcp" }, @@ -10041,7 +10411,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721795700Z", + "ingested": "2021-09-18T21:19:23.831564394Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288", "code": "305011", "kind": "event", @@ -10082,8 +10452,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:dO7q6mue24uZzru3hS2431rHoh0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -10120,7 +10491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721800200Z", + "ingested": "2021-09-18T21:19:23.831566144Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284)", "code": "302013", "kind": "event", @@ -10166,9 +10537,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:ouKNG9b/He9jGnG4Ff7BJ3eD+hs=", + "transport": "tcp", "bytes": 2028, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -10206,7 +10578,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721804900Z", + "ingested": "2021-09-18T21:19:23.831567881Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs", "code": "302014", "kind": "event", @@ -10251,9 +10623,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:l/JmkwP7ndSnY7mnopAakIfQfKs=", + "transport": "tcp", "bytes": 1085, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -10291,7 +10664,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721809100Z", + "ingested": "2021-09-18T21:19:23.831569623Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs", "code": "302014", "kind": "event", @@ -10336,9 +10709,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:NK/etrnMLqzbSzpHgwOIUFndnDk=", + "transport": "tcp", "bytes": 868, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -10376,7 +10750,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721813700Z", + "ingested": "2021-09-18T21:19:23.831571324Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs", "code": "302014", "kind": "event", @@ -10421,6 +10795,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:vx/8XNTvkRtAa9BJ9P+Qv+GY6UY=", "iana_number": "6", "transport": "tcp" }, 
@@ -10458,7 +10833,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721818500Z", + "ingested": "2021-09-18T21:19:23.831573027Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289", "code": "305011", "kind": "event", @@ -10499,8 +10874,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:hJUJWF+Gz6w41EJ8ERCngX/5MhE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -10537,7 +10913,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721822900Z", + "ingested": "2021-09-18T21:19:23.831574737Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285)", "code": "302013", "kind": "event", @@ -10583,6 +10959,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:PvvylMfsR3ILT1QmY5jfmnXsLwM=", "iana_number": "6", "transport": "tcp" }, @@ -10620,7 +10997,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721827200Z", + "ingested": "2021-09-18T21:19:23.831576525Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290", "code": "305011", "kind": "event", @@ -10661,8 +11038,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:RE8bib2E1+cVRuVn9Z/id5XckGI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -10699,7 +11077,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721831500Z", + "ingested": "2021-09-18T21:19:23.831578237Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286)", "code": "302013", "kind": "event", @@ -10745,9 +11123,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:dO7q6mue24uZzru3hS2431rHoh0=", + "transport": "tcp", "bytes": 4439, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -10785,7 +11164,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721835700Z", + "ingested": "2021-09-18T21:19:23.831579948Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs", "code": "302014", "kind": "event", @@ -10830,6 +11209,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:snPqiF9HMm3IkMvOOBv7JyO0Jr4=", "iana_number": "6", "transport": "tcp" }, @@ -10867,7 +11247,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721839900Z", + "ingested": "2021-09-18T21:19:23.831581640Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291", "code": "305011", "kind": "event", @@ -10908,8 +11288,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:V7thSrtXW0EdnGYslsAxp4MBQJg=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -10946,7 +11327,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721844200Z", + "ingested": "2021-09-18T21:19:23.831583354Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287)", "code": "302013", "kind": "event", @@ -10992,9 +11373,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:hJUJWF+Gz6w41EJ8ERCngX/5MhE=", + "transport": "tcp", "bytes": 914, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11032,7 +11414,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721849200Z", + "ingested": "2021-09-18T21:19:23.831585064Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs", "code": "302014", "kind": "event", @@ -11077,9 +11459,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:RE8bib2E1+cVRuVn9Z/id5XckGI=", + "transport": "tcp", "bytes": 871, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11117,7 +11500,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721853600Z", + "ingested": "2021-09-18T21:19:23.831586841Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs", "code": "302014", "kind": "event", @@ -11162,8 +11545,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:Y27uWNe6ijdkBpClrtKDp5L3mSo=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -11200,7 +11584,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721858700Z", + "ingested": "2021-09-18T21:19:23.831588585Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11246,6 +11630,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IJVR+iN4aneACrehGe0SX+IkbqM=", "iana_number": "6", "transport": "tcp" }, @@ -11283,7 +11668,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721863100Z", + "ingested": "2021-09-18T21:19:23.831590298Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292", "code": "305011", "kind": "event", @@ -11324,8 +11709,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:d30dOVDkWdEFkiVN1wosi1HxOGE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -11362,7 +11748,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721867300Z", + "ingested": "2021-09-18T21:19:23.831592Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288)", "code": "302013", "kind": "event", @@ -11408,9 +11794,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Y27uWNe6ijdkBpClrtKDp5L3mSo=", + "transport": "udp", "bytes": 384, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { 
@@ -11447,7 +11834,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721872100Z", + "ingested": "2021-09-18T21:19:23.831593702Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384", "code": "302016", "kind": "event", @@ -11492,8 +11879,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:9ljUyVL3OcVqZNj7cZTlE7kaFTQ=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -11530,7 +11918,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721876700Z", + "ingested": "2021-09-18T21:19:23.831595421Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -11576,9 +11964,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:9ljUyVL3OcVqZNj7cZTlE7kaFTQ=", + "transport": "udp", "bytes": 94, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -11615,7 +12004,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721881200Z", + "ingested": "2021-09-18T21:19:23.831597168Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94", "code": "302016", "kind": "event", @@ -11660,6 +12049,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:qEan4RAn/LAvHNZD4hESC4XExTA=", "iana_number": "6", "transport": "tcp" }, 
@@ -11697,7 +12087,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721886100Z", + "ingested": "2021-09-18T21:19:23.831598887Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293", "code": "305011", "kind": "event", @@ -11738,8 +12128,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:B2CFl0/wZgvMfeeRh4a7fZovd5s=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -11776,7 +12167,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721891700Z", + "ingested": "2021-09-18T21:19:23.831600583Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289)", "code": "302013", "kind": "event", @@ -11822,9 +12213,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:d30dOVDkWdEFkiVN1wosi1HxOGE=", + "transport": "tcp", "bytes": 945, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -11862,7 +12254,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721896700Z", + "ingested": "2021-09-18T21:19:23.831602283Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs", "code": "302014", "kind": "event", @@ -11907,9 +12299,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:V7thSrtXW0EdnGYslsAxp4MBQJg=", + "transport": "tcp", "bytes": 13284, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -11947,7 +12340,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.721901600Z", + "ingested": "2021-09-18T21:19:23.831603976Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs", "code": "302014", "kind": "event", @@ -11992,8 +12385,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12030,7 +12424,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721906Z", + "ingested": "2021-09-18T21:19:23.831605733Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12076,9 +12470,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12115,7 +12510,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721910400Z", + "ingested": "2021-09-18T21:19:23.831607488Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -12160,6 +12555,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:miSmRY+o7dxaXJr2hVCFhUH28VM=", "iana_number": "6", "transport": "tcp" }, 
@@ -12197,7 +12593,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721914400Z", + "ingested": "2021-09-18T21:19:23.831609190Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294", "code": "305011", "kind": "event", @@ -12238,8 +12634,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:zUM1j3IV4jNNZes8sQBR38IRlXw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -12276,7 +12673,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721918400Z", + "ingested": "2021-09-18T21:19:23.831610918Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290)", "code": "302013", "kind": "event", @@ -12322,9 +12719,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Q3UpJGev3vN/CT0Tp2lUAhmZGkc=", + "transport": "udp", "bytes": 58512, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12361,7 +12759,7 @@ "event": { "severity": 6, "duration": 3526000000000, - "ingested": "2021-09-07T12:21:32.721922400Z", + "ingested": "2021-09-18T21:19:23.831612613Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512", "code": "302016", "kind": "event", 
@@ -12392,14 +12790,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8276, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1272, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:Ulz/6OM46zsGEO5vIRQnPFfblng=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -12408,6 +12831,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -12415,20 +12842,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721926800Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831614321Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -12453,8 +12887,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
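Review bot: The teardown of a dynamic TCP translation (305012, the `event` object in the third hunk here) now comes out with `"action": "flow-expiration"` and `"type": ["connection", "end"]`, but a NAT translation expiring is not the end of a connection; the 302014 teardown for the same inside port is the connection-end event, so consumers keying on `event.type: end` will presumably see two ends per flow. The `network.community_id` added to this document, and to the 305011/305012 translation events in the neighbouring hunks, is computed over the pre-NAT inside address and the post-NAT outside address/port (here 172.31.98.44/1272 and 100.66.98.44/8276), a tuple no packet on the wire carries, so it will never join with the ID on the corresponding 302013/302014 connection events (compare the 305011 translation for port 1287 with the 302013 connection for port 1287 earlier in the file, which get different IDs). If that is intentional, a comment in the ingest pipeline (outside this diff) stating that 305011/305012 carry a NAT-tuple community ID rather than a flow ID would stop the next reader trying to correlate on it; otherwise consider not emitting `network.community_id` for translation events and keeping `"type": ["info"]` for 305012. This file looks like generated expected output, so any change belongs in the pipeline rather than the fixture; the enclosing JSON document begins outside the hunk.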
@@ -12491,7 +12926,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721931100Z", + "ingested": "2021-09-18T21:19:23.831616062Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12537,8 +12972,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:0AdR6iUA7g0yOtTw8GJifVbDbLc=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -12575,7 +13011,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721935300Z", + "ingested": "2021-09-18T21:19:23.831617757Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12621,9 +13057,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", + "transport": "udp", "bytes": 168, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12660,7 +13097,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721941300Z", + "ingested": "2021-09-18T21:19:23.831619437Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168", "code": "302016", "kind": "event", @@ -12705,8 +13142,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -12743,7 +13181,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721946500Z", + "ingested": "2021-09-18T21:19:23.831621118Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -12789,9 +13227,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:0AdR6iUA7g0yOtTw8GJifVbDbLc=", + "transport": "udp", "bytes": 198, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12828,7 +13267,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721951Z", + "ingested": "2021-09-18T21:19:23.831622786Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198", "code": "302016", "kind": "event", @@ -12873,9 +13312,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:36nSGI0Y2OY8ALYfZ16OPTb6lmU=", + "transport": "udp", "bytes": 150, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -12912,7 +13352,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721955200Z", + "ingested": "2021-09-18T21:19:23.831624517Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -12957,8 +13397,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:MiKGjdwNGujmPujUEipQ43gH6Rk=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -12995,7 +13436,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721959500Z", + "ingested": "2021-09-18T21:19:23.831626220Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13041,9 +13482,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:MiKGjdwNGujmPujUEipQ43gH6Rk=", + "transport": "udp", "bytes": 84, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -13080,7 +13522,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721963800Z", + "ingested": "2021-09-18T21:19:23.831627928Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84", "code": "302016", "kind": "event", @@ -13125,6 +13567,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:SSBQU7HmeVqvpDuKNAepH+5AL0U=", "iana_number": "6", "transport": "tcp" }, @@ -13162,7 +13605,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721968100Z", + "ingested": "2021-09-18T21:19:23.831629613Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295", "code": "305011", "kind": "event", @@ -13203,8 +13646,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:L794NT6MeGlmEABWZmdTukJ9bwE=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -13241,7 +13685,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721972300Z", + "ingested": "2021-09-18T21:19:23.831631318Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291)", "code": "302013", "kind": "event", @@ -13287,8 +13731,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:I/WhIF69cR6CjWHtGvBwQ8wA7dc=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -13325,7 +13770,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721976700Z", + "ingested": "2021-09-18T21:19:23.831633516Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -13371,9 +13816,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:I/WhIF69cR6CjWHtGvBwQ8wA7dc=", + "transport": "udp", "bytes": 188, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -13410,7 +13856,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.721985Z", + "ingested": "2021-09-18T21:19:23.831635301Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188", "code": "302016", "kind": "event", @@ -13455,6 +13901,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:KfzWFNRqq9u0mJhUbFRoAK3rx/k=", "iana_number": "6", "transport": "tcp" }, 
@@ -13492,7 +13939,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721989700Z", + "ingested": "2021-09-18T21:19:23.831637007Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296", "code": "305011", "kind": "event", @@ -13533,8 +13980,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:DcC5/17iIun7QBeY94629ae/KBw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -13571,7 +14019,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721994300Z", + "ingested": "2021-09-18T21:19:23.831642061Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292)", "code": "302013", "kind": "event", @@ -13617,6 +14065,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:0SUyruuy0Jt8r3FaPGxgEY+ck8A=", "iana_number": "6", "transport": "tcp" }, @@ -13654,7 +14103,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.721998600Z", + "ingested": "2021-09-18T21:19:23.831644260Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297", "code": "305011", "kind": "event", @@ -13695,8 +14144,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:EMeyPYKr7J0nFwuPUzcxIwiT+xQ=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -13733,7 +14183,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722002900Z", + "ingested": "2021-09-18T21:19:23.831646082Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293)", "code": "302013", "kind": "event", @@ -13779,6 +14229,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/jz6rtmBvEznkhogEIbZ5XVyytQ=", "iana_number": "6", "transport": "tcp" }, @@ -13816,7 +14267,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722007300Z", + "ingested": "2021-09-18T21:19:23.831647837Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298", "code": "305011", "kind": "event", @@ -13857,8 +14308,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:G3hWvTFI9YnDxZs6Y5IKRIjGJdw=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -13895,7 +14347,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722011500Z", + "ingested": "2021-09-18T21:19:23.831649559Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294)", "code": "302013", "kind": "event", @@ -13941,9 +14393,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:EMeyPYKr7J0nFwuPUzcxIwiT+xQ=", + "transport": "tcp", "bytes": 5964, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -13981,7 +14434,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722016300Z", + "ingested": "2021-09-18T21:19:23.831651280Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs", "code": "302014", "kind": "event", @@ -14026,6 +14479,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:8y908lK8AtbbGgqNYGPzMYt3uvA=", "iana_number": "6", "transport": "tcp" }, @@ -14063,7 +14517,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722020600Z", + "ingested": "2021-09-18T21:19:23.831652977Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299", "code": "305011", "kind": "event", @@ -14104,8 +14558,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:F34mtxFMjq0ykJqTY+0F+lQUtPs=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -14142,7 +14597,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722024900Z", + "ingested": "2021-09-18T21:19:23.831654699Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295)", "code": "302013", "kind": "event", @@ -14188,6 +14643,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:PIsj3i/QWG3uUMx3MBj0UfQp+Jc=", "iana_number": "6", "transport": "tcp" }, 
@@ -14225,7 +14681,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722029300Z", + "ingested": "2021-09-18T21:19:23.831656441Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300", "code": "305011", "kind": "event", @@ -14266,8 +14722,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:SgjaVFOg9vJS9wFSSV7j4l72q5Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -14304,7 +14761,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722033900Z", + "ingested": "2021-09-18T21:19:23.831658196Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296)", "code": "302013", "kind": "event", @@ -14350,9 +14807,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:G3hWvTFI9YnDxZs6Y5IKRIjGJdw=", + "transport": "tcp", "bytes": 6694, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -14390,7 +14848,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722038400Z", + "ingested": "2021-09-18T21:19:23.831659907Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs", "code": "302014", "kind": "event", @@ -14435,9 +14893,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:F34mtxFMjq0ykJqTY+0F+lQUtPs=", + "transport": "tcp", "bytes": 1493, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -14475,7 +14934,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722042700Z", + "ingested": "2021-09-18T21:19:23.831661619Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs", "code": "302014", "kind": "event", @@ -14520,9 +14979,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:SgjaVFOg9vJS9wFSSV7j4l72q5Q=", + "transport": "tcp", "bytes": 893, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -14560,7 +15020,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722047Z", + "ingested": "2021-09-18T21:19:23.831663329Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs", "code": "302014", "kind": "event", @@ -14605,6 +15065,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:GN5li6LWaG3khjTFgtdHB3UkTbM=", "iana_number": "6", "transport": "tcp" }, @@ -14642,7 +15103,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722051200Z", + "ingested": "2021-09-18T21:19:23.831665081Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301", "code": "305011", "kind": "event", @@ -14683,8 +15144,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:m/F+TF2SIc5ApzH8bR4cZIinTTM=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -14721,7 +15183,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722055500Z", + "ingested": "2021-09-18T21:19:23.831666821Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297)", "code": "302013", "kind": "event", @@ -14767,6 +15229,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:gpdLtgDvmxE4N3mmU6xhesKbPpA=", "iana_number": "6", "transport": "tcp" }, @@ -14804,7 +15267,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722060Z", + "ingested": "2021-09-18T21:19:23.831668530Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302", "code": "305011", "kind": "event", @@ -14845,8 +15308,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:RL/wWVk4H/YsU2UX/pQ/jdLmM2Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -14883,7 +15347,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722064400Z", + "ingested": "2021-09-18T21:19:23.831670226Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298)", "code": "302013", "kind": "event", @@ -14929,8 +15393,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:d9hGyB6jUJQltb99tzdBar8fxnA=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { 
@@ -14967,7 +15432,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722068900Z", + "ingested": "2021-09-18T21:19:23.831671952Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -15013,9 +15478,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:d9hGyB6jUJQltb99tzdBar8fxnA=", + "transport": "udp", "bytes": 150, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -15052,7 +15518,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722073200Z", + "ingested": "2021-09-18T21:19:23.831673661Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150", "code": "302016", "kind": "event", @@ -15097,9 +15563,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:m/F+TF2SIc5ApzH8bR4cZIinTTM=", + "transport": "tcp", "bytes": 2750, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -15137,7 +15604,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722077500Z", + "ingested": "2021-09-18T21:19:23.831675419Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs", "code": "302014", "kind": "event", @@ -15182,6 +15649,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:QDldCQP7xh1OW0YCdjigaOkPzwU=", "iana_number": "6", "transport": "tcp" }, 
@@ -15219,7 +15687,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722081700Z", + "ingested": "2021-09-18T21:19:23.831677152Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303", "code": "305011", "kind": "event", @@ -15260,8 +15728,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:vKq2cBUy2TDYTPpvRRbyRzW3oqo=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -15298,7 +15767,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722086100Z", + "ingested": "2021-09-18T21:19:23.831678867Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299)", "code": "302013", "kind": "event", @@ -15344,6 +15813,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:80Z72sMi4rJ0D84AE8zo3IcJsy4=", "iana_number": "6", "transport": "tcp" }, @@ -15381,7 +15851,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722090500Z", + "ingested": "2021-09-18T21:19:23.831680572Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304", "code": "305011", "kind": "event", @@ -15422,8 +15892,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:aGxYBe0aBN662AuZ5JPVPusjRa0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -15460,7 +15931,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722095300Z", + "ingested": "2021-09-18T21:19:23.831682279Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300)", "code": "302013", "kind": "event", @@ -15506,9 +15977,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:RL/wWVk4H/YsU2UX/pQ/jdLmM2Q=", + "transport": "tcp", "bytes": 881, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -15546,7 +16018,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722099500Z", + "ingested": "2021-09-18T21:19:23.831683985Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs", "code": "302014", "kind": "event", @@ -15591,9 +16063,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:aGxYBe0aBN662AuZ5JPVPusjRa0=", + "transport": "tcp", "bytes": 2202, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -15631,7 +16104,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:21:32.722103700Z", + "ingested": "2021-09-18T21:19:23.831685754Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs", "code": "302014", "kind": "event", @@ -15676,6 +16149,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:bwNtk4MRIaL/7TQcp3pyVe1E+9Q=", "iana_number": "6", "transport": "tcp" }, 
@@ -15713,7 +16187,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722107900Z", + "ingested": "2021-09-18T21:19:23.831687514Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305", "code": "305011", "kind": "event", @@ -15754,8 +16228,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:3ol8aZxKStrX58/6Vhd4iBAfGaA=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -15792,7 +16267,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722112300Z", + "ingested": "2021-09-18T21:19:23.831689243Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301)", "code": "302013", "kind": "event", @@ -15838,6 +16313,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:SdzjoTs+01P4hVwwWqHxqPHlXJU=", "iana_number": "6", "transport": "tcp" }, @@ -15875,7 +16351,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722117600Z", + "ingested": "2021-09-18T21:19:23.831690968Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306", "code": "305011", "kind": "event", @@ -15916,8 +16392,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:/M14EpcIygOSzj0EEPGr4zngIO0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -15954,7 +16431,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722121900Z", + "ingested": "2021-09-18T21:19:23.831692712Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302)", "code": "302013", "kind": "event", @@ -15986,14 +16463,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8280, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1276, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:BbvA+2xZjkf52lWjSH3HOxxj5hU=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16002,6 +16504,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16009,20 +16515,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722126Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831694430Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16033,14 +16546,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8281, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1277, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:xM9jRCoCKsQva+HDcJ8nktupQ/U=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16049,6 +16587,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16056,20 +16598,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722130Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831696174Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16080,14 +16629,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8282, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1278, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:1P8Fbc8oTceSX9f9YAusY6Mfscc=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16096,6 +16670,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16103,20 +16681,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722134300Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831697927Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16127,14 +16712,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8283, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1279, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:R/Bwq8x4Nfwk474w7odsVLA+w60=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16143,6 +16753,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16150,20 +16764,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722139Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831699638Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16174,14 +16795,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8284, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1280, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:dTHfo+z9KqY8Iv5a+ZiicBoktu4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16190,6 +16836,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16197,20 +16847,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722143300Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831701344Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16221,14 +16878,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8285, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1281, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:vzr9XNGDTcZ5SwFWHFUilmbchlo=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16237,6 +16919,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16244,20 +16930,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722147600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831703048Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16268,14 +16961,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8286, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1282, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:OitMDe3Ye5KVpROuoY8+v8mfvCA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16284,6 +17002,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16291,20 +17013,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722162600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831704813Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16315,14 +17044,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8287, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1283, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:3ob7O6L1949whjkG5YUJZf0Gwtk=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16331,6 +17085,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16338,20 +17096,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722171100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831706557Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16362,14 +17127,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8288, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1284, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:X7DN+XIzlXidhVz1eb1s2EisS8A=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16378,6 +17168,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16385,20 +17179,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722176500Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831708268Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16409,14 +17210,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8289, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1285, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:vx/8XNTvkRtAa9BJ9P+Qv+GY6UY=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16425,6 +17251,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16432,20 +17262,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722181600Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831709987Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16456,14 +17293,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8290, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1286, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:PvvylMfsR3ILT1QmY5jfmnXsLwM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16472,6 +17334,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16479,20 +17345,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722186100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831711695Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16503,14 +17376,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8291, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1287, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:snPqiF9HMm3IkMvOOBv7JyO0Jr4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16519,6 +17417,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16526,20 +17428,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722191200Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831713423Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16550,14 +17459,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8292, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1288, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:IJVR+iN4aneACrehGe0SX+IkbqM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16566,6 +17500,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16573,20 +17511,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722196300Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831715191Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16597,14 +17542,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8297, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1293, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:0SUyruuy0Jt8r3FaPGxgEY+ck8A=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16613,6 +17583,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16620,20 +17594,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722200700Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831716908Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { 
@@ -16644,14 +17625,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8298, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1294, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:/jz6rtmBvEznkhogEIbZ5XVyytQ=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16660,6 +17666,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { @@ -16667,20 +17677,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722205100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831718609Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16705,6 +17722,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:5OaRHwdkLmcpG/32Rp6ATfcmjbc=", "iana_number": "6", "transport": "tcp" }, 
@@ -16742,7 +17760,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722209500Z", + "ingested": "2021-09-18T21:19:23.831720347Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308", "code": "305011", "kind": "event", @@ -16783,8 +17801,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:Ybu05t/qKFuEcYUe+Tmo/iA+8DU=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -16821,7 +17840,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722213800Z", + "ingested": "2021-09-18T21:19:23.831722042Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)", "code": "302013", "kind": "event", @@ -16853,14 +17872,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8299, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1295, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:8y908lK8AtbbGgqNYGPzMYt3uvA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16869,6 +17913,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16876,20 +17924,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722218700Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831723748Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16900,14 +17955,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8300, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1296, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:PIsj3i/QWG3uUMx3MBj0UfQp+Jc=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -16916,6 +17996,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -16923,20 +18007,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722223100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831725480Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -16961,8 +18052,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:x0GkFv0YJz9FLMS2/u4yURhmsuM=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -16999,7 +18091,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722227500Z", + "ingested": "2021-09-18T21:19:23.831727194Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", @@ -17045,8 +18137,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:NxEUi4VKij1T83hc4lINpweLp3c=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -17083,7 +18176,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722231900Z", + "ingested": "2021-09-18T21:19:23.831728890Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "code": "302015", "kind": "event", 
@@ -17129,9 +18222,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:x0GkFv0YJz9FLMS2/u4yURhmsuM=", + "transport": "udp", "bytes": 318, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -17168,7 +18262,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722240800Z", + "ingested": "2021-09-18T21:19:23.831730585Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318", "code": "302016", "kind": "event", @@ -17213,9 +18307,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:NxEUi4VKij1T83hc4lINpweLp3c=", + "transport": "udp", "bytes": 104, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -17252,7 +18347,7 @@ "event": { "severity": 6, "duration": 0, - "ingested": "2021-09-07T12:21:32.722245400Z", + "ingested": "2021-09-18T21:19:23.831732296Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "code": "302016", "kind": "event", @@ -17297,6 +18392,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:D0OYP16cA27dQ9uGzz5mXOiu9Nw=", "iana_number": "6", "transport": "tcp" }, @@ -17334,7 +18430,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722249800Z", + "ingested": "2021-09-18T21:19:23.831734045Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309", "code": "305011", "kind": "event", 
@@ -17375,8 +18471,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:W3BHxRRrJKuwQxd5cBkCxKbGjA0=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -17413,7 +18510,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722254Z", + "ingested": "2021-09-18T21:19:23.831735775Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)", "code": "302013", "kind": "event", @@ -17445,14 +18542,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8301, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1297, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:GN5li6LWaG3khjTFgtdHB3UkTbM=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17461,6 +18583,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17468,20 +18594,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722259900Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831737478Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17492,14 +18625,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8302, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1298, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:gpdLtgDvmxE4N3mmU6xhesKbPpA=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17508,6 +18666,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17515,20 +18677,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722264500Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831739180Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17539,14 +18708,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8303, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1299, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:QDldCQP7xh1OW0YCdjigaOkPzwU=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17555,6 +18749,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17562,20 +18760,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722268800Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831740899Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17586,14 +18791,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8304, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1300, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:80Z72sMi4rJ0D84AE8zo3IcJsy4=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17602,6 +18832,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17609,20 +18843,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722272800Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831742608Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17633,14 +18874,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8305, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1301, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:bwNtk4MRIaL/7TQcp3pyVe1E+9Q=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17649,6 +18915,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17656,20 +18926,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722276900Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831744391Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17680,14 +18957,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8306, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1302, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:SdzjoTs+01P4hVwwWqHxqPHlXJU=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17696,6 +18998,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17703,20 +19009,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722280800Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831746146Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17727,14 +19040,39 @@ "log": { "level": "informational" }, + "destination": { + "port": 8307, + "address": "100.66.98.44", + "ip": "100.66.98.44" + }, + "source": { + "port": 1303, + "address": "172.31.98.44", + "ip": "172.31.98.44" + }, "tags": [ "preserve_original_event" ], + "network": { + "community_id": "1:SdB8LQRxB6rH0p1mpfjSLAmoGTg=", + "iana_number": "6", + "transport": "tcp" + }, "observer": { + "ingress": { + "interface": { + "name": "inside" + } + }, "hostname": "localhost", "product": "asa", "type": "firewall", - "vendor": "Cisco" + "vendor": "Cisco", + "egress": { + "interface": { + "name": "outside" + } + } }, "@timestamp": "2018-10-10T12:34:56.000Z", "ecs": { @@ -17743,6 +19081,10 @@ "related": { "hosts": [ "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" ] }, "host": { 
@@ -17750,20 +19092,27 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722285100Z", + "duration": 30000000000, + "ingested": "2021-09-18T21:19:23.831747901Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30", "code": "305012", "kind": "event", - "action": "firewall-rule", + "start": "2018-10-10T12:34:26.000Z", + "action": "flow-expiration", + "end": "2018-10-10T12:34:56.000Z", "category": [ "network" ], "type": [ - "info" + "connection", + "end" ] }, "cisco": { - "ftd": {} + "ftd": { + "destination_interface": "outside", + "source_interface": "inside" + } } }, { @@ -17788,9 +19137,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:W3BHxRRrJKuwQxd5cBkCxKbGjA0=", + "transport": "tcp", "bytes": 410333, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -17828,7 +19178,7 @@ "severity": 6, "duration": 4000000000, "reason": "TCP Reset-I", - "ingested": "2021-09-07T12:21:32.722290Z", + "ingested": "2021-09-18T21:19:23.831749627Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I", "code": "302014", "kind": "event", @@ -17873,6 +19223,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -17910,7 +19261,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722293900Z", + "ingested": "2021-09-18T21:19:23.831751352Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -17954,6 +19305,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -17991,7 +19343,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722297800Z", + "ingested": "2021-09-18T21:19:23.831753067Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18035,6 +19387,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18072,7 +19425,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722301700Z", + "ingested": "2021-09-18T21:19:23.831754854Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18116,6 +19469,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IkABRnyuIWkRyTo0UDxF7eylXGI=", "iana_number": "6", "transport": "tcp" }, @@ -18153,7 +19507,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722305500Z", + "ingested": "2021-09-18T21:19:23.831756574Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310", "code": "305011", "kind": "event", @@ -18194,8 +19548,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mxbJgNaP3oErmJ/hBW5f/BmgMmI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -18232,7 +19587,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:21:32.722309300Z", + "ingested": "2021-09-18T21:19:23.831758316Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)", "code": "302013", "kind": "event", @@ -18278,6 +19633,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18315,7 +19671,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722313100Z", + "ingested": "2021-09-18T21:19:23.831760025Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18359,6 +19715,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18396,7 +19753,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722316800Z", + "ingested": "2021-09-18T21:19:23.831761756Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18440,6 +19797,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18477,7 +19835,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722320600Z", + "ingested": "2021-09-18T21:19:23.831763461Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -18521,6 +19879,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18558,7 +19917,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722324600Z", + "ingested": "2021-09-18T21:19:23.831765246Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18602,6 +19961,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18639,7 +19999,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722328300Z", + "ingested": "2021-09-18T21:19:23.831766958Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18683,6 +20043,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18720,7 +20081,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722332200Z", + "ingested": "2021-09-18T21:19:23.831768737Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18764,6 +20125,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -18801,7 +20163,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722336Z", + "ingested": "2021-09-18T21:19:23.831770505Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18845,6 +20207,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18882,7 +20245,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722340200Z", + "ingested": "2021-09-18T21:19:23.831772264Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -18926,6 +20289,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -18963,7 +20327,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722344200Z", + "ingested": "2021-09-18T21:19:23.831774Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19007,6 +20371,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19044,7 +20409,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722348200Z", + "ingested": "2021-09-18T21:19:23.831775749Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19088,6 +20453,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19125,7 +20491,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722352600Z", + "ingested": "2021-09-18T21:19:23.831777864Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19169,6 +20535,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19206,7 +20573,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722357Z", + "ingested": "2021-09-18T21:19:23.831779656Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19250,6 +20617,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19287,7 +20655,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722361200Z", + "ingested": "2021-09-18T21:19:23.831781418Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19331,6 +20699,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -19368,7 +20737,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722365900Z", + "ingested": "2021-09-18T21:19:23.831783180Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19412,6 +20781,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19449,7 +20819,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722370300Z", + "ingested": "2021-09-18T21:19:23.831784892Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19493,6 +20863,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19530,7 +20901,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722375500Z", + "ingested": "2021-09-18T21:19:23.831786600Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19574,6 +20945,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19611,7 +20983,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722380Z", + "ingested": "2021-09-18T21:19:23.831788300Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -19655,6 +21027,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19692,7 +21065,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722384200Z", + "ingested": "2021-09-18T21:19:23.831790018Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19736,6 +21109,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19773,7 +21147,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722388400Z", + "ingested": "2021-09-18T21:19:23.831791790Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19817,6 +21191,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -19854,7 +21229,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722392600Z", + "ingested": "2021-09-18T21:19:23.831793516Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19898,6 +21273,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -19935,7 +21311,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722397600Z", + "ingested": "2021-09-18T21:19:23.831795228Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -19979,6 +21355,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20016,7 +21393,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722401500Z", + "ingested": "2021-09-18T21:19:23.831796958Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20060,6 +21437,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20097,7 +21475,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722405300Z", + "ingested": "2021-09-18T21:19:23.831798664Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20141,6 +21519,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20178,7 +21557,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722408900Z", + "ingested": "2021-09-18T21:19:23.831800375Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20222,6 +21601,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20259,7 +21639,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722412600Z", + "ingested": "2021-09-18T21:19:23.831802114Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20303,6 +21683,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20340,7 +21721,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722416400Z", + "ingested": "2021-09-18T21:19:23.831803818Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20384,6 +21765,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20421,7 +21803,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722420400Z", + "ingested": "2021-09-18T21:19:23.831805497Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20465,6 +21847,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, 
@@ -20502,7 +21885,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722424100Z", + "ingested": "2021-09-18T21:19:23.831807196Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20546,6 +21929,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20583,7 +21967,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722428100Z", + "ingested": "2021-09-18T21:19:23.831808888Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20627,6 +22011,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20664,7 +22049,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722433Z", + "ingested": "2021-09-18T21:19:23.831810645Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", @@ -20708,6 +22093,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=", "iana_number": "6", "transport": "tcp" }, @@ -20745,7 +22131,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:21:32.722436900Z", + "ingested": "2021-09-18T21:19:23.831812375Z", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]", "code": "106023", "kind": "event", 
@@ -20789,6 +22175,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -20826,7 +22213,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722441400Z",
+ "ingested": "2021-09-18T21:19:23.831814068Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
@@ -20870,6 +22257,7 @@
 "preserve_original_event"
 ],
 "network": {
+ "community_id": "1:WxAaLQv0eMdveqWgHGSUoj3UC/M=",
 "iana_number": "6",
 "transport": "tcp"
 },
@@ -20907,7 +22295,7 @@
 },
 "event": {
 "severity": 4,
- "ingested": "2021-09-07T12:21:32.722445600Z",
+ "ingested": "2021-09-18T21:19:23.831815743Z",
 "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group \"inbound\" [0x0, 0x0]",
 "code": "106023",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
index fddf9135473..21bdcb68aa5 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json
@@ -45,6 +45,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:yuD3M7UhwRSNitDpAnWcqzEC85c=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -87,7 +88,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350924300Z",
+ "ingested": "2021-09-18T21:21:29.964425395Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
 "code": "430003",
 "kind": "event",
@@ -191,6 +192,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:eDcIGG/W1UcwGWzaTgv5mgr2RDw=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -233,7 +235,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350939100Z",
+ "ingested": "2021-09-18T21:21:29.964430306Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
@@ -339,6 +341,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -381,7 +384,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350943Z",
+ "ingested": "2021-09-18T21:21:29.964432417Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
@@ -485,6 +488,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:F3IHQYMd3DO1p+rWBITDU1/XCgA=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -527,7 +531,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350945900Z",
+ "ingested": "2021-09-18T21:21:29.964434402Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
 "code": "430003",
 "kind": "event",
@@ -633,6 +637,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:1SqTqSDG5492OiLhDUMOi+wnDYs=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -675,7 +680,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350948600Z",
+ "ingested": "2021-09-18T21:21:29.964436375Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
 "code": "430003",
 "kind": "event",
@@ -780,6 +785,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:eXdHUOdHk5dGXusvMEGcWj9ywPM=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -822,7 +828,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350951100Z",
+ "ingested": "2021-09-18T21:21:29.964438272Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
 "code": "430003",
 "kind": "event",
@@ -926,6 +932,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -968,7 +975,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350953700Z",
+ "ingested": "2021-09-18T21:21:29.964440191Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
@@ -1075,6 +1082,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1117,7 +1125,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350956500Z",
+ "ingested": "2021-09-18T21:21:29.964442076Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "code": "430003",
 "kind": "event",
@@ -1221,6 +1229,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1263,7 +1272,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350959100Z",
+ "ingested": "2021-09-18T21:21:29.964443973Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
@@ -1368,6 +1377,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1410,7 +1420,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350961600Z",
+ "ingested": "2021-09-18T21:21:29.964445859Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
@@ -1519,6 +1529,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:ZllIE5YNb+12oKtX/tP/gysnSuE=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1561,7 +1572,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350964100Z",
+ "ingested": "2021-09-18T21:21:29.964447759Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
 "code": "430003",
 "kind": "event",
@@ -1661,6 +1672,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:oGBN4YWsAncmtqDJ1onnQNRAEnw=",
 "transport": "tcp",
 "application": "dns client",
 "iana_number": "6"
@@ -1703,7 +1715,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350966900Z",
+ "ingested": "2021-09-18T21:21:29.964450020Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
 "code": "430003",
 "kind": "event",
@@ -1805,6 +1817,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:+1CCqUYePM8bXFUXWVeSSjL3g58=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1847,7 +1860,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350969400Z",
+ "ingested": "2021-09-18T21:21:29.964451961Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
 "code": "430003",
 "kind": "event",
@@ -1952,6 +1965,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:f5P/ntfU9KchCtCfWHT0mYDOHOw=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -1994,7 +2008,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350971800Z",
+ "ingested": "2021-09-18T21:21:29.964453855Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
 "code": "430003",
 "kind": "event",
@@ -2098,6 +2112,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:wrAm7MmrJHlBQ+ikcQmSwf2JnJM=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2140,7 +2155,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350974400Z",
+ "ingested": "2021-09-18T21:21:29.964455776Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
 "code": "430003",
 "kind": "event",
@@ -2245,6 +2260,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2287,7 +2303,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350977Z",
+ "ingested": "2021-09-18T21:21:29.964457671Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
@@ -2393,6 +2409,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2435,7 +2452,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350979500Z",
+ "ingested": "2021-09-18T21:21:29.964459726Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
@@ -2539,6 +2556,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2581,7 +2599,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350982Z",
+ "ingested": "2021-09-18T21:21:29.964461646Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "code": "430003",
 "kind": "event",
@@ -2685,6 +2703,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2727,7 +2746,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350984400Z",
+ "ingested": "2021-09-18T21:21:29.964463556Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "code": "430003",
 "kind": "event",
@@ -2830,6 +2849,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:k5kQaEfpetJ7SxFkG7Ytzzz5ik0=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -2872,7 +2892,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350987100Z",
+ "ingested": "2021-09-18T21:21:29.964465449Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
 "code": "430003",
 "kind": "event",
@@ -2975,6 +2995,7 @@
 ],
 "network": {
 "protocol": "dns",
+ "community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=",
 "transport": "udp",
 "application": "dns client",
 "iana_number": "17"
@@ -3017,7 +3038,7 @@
 "event": {
 "severity": 1,
 "duration": 0,
- "ingested": "2021-09-07T12:21:56.350989500Z",
+ "ingested": "2021-09-18T21:21:29.964467330Z",
 "original": "2019-08-26T23:11:03Z siem-ftd %FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "code": "430003",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
index 2fe5d844f8b..a72f8cd1b44 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json
@@ -31,7 +31,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.328928600Z",
+ "ingested": "2021-09-18T21:21:45.480502784Z",
 "original": "Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.",
 "code": "999999",
 "kind": "event",
@@ -72,7 +72,7 @@
 },
 "event": {
 "severity": 8,
- "ingested": "2021-09-07T12:21:59.328938100Z",
+ "ingested": "2021-09-18T21:21:45.480508032Z",
 "original": "Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.",
 "code": "999999",
 "kind": "event",
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
index 627554cff71..8f367bc8fe0 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json
@@ -29,7 +29,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441041500Z",
+ "ingested": "2021-09-18T21:21:46.290160824Z",
 "original": "\u003c14\u003eAug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -66,7 +66,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441051800Z",
+ "ingested": "2021-09-18T21:21:46.290165880Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:19 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -103,7 +103,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441054Z",
+ "ingested": "2021-09-18T21:21:46.290168005Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:26 ChangeReconciliation.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -140,7 +140,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441056800Z",
+ "ingested": "2021-09-18T21:21:46.290170017Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:34 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -177,7 +177,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441058800Z",
+ "ingested": "2021-09-18T21:21:46.290171926Z",
 "original": "\u003c14\u003eAug 14 2019 13:57:43 lights_out_mgmt.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -214,7 +214,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441080100Z",
+ "ingested": "2021-09-18T21:21:46.290173871Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00",
 "code": ""
 },
@@ -251,7 +251,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441084200Z",
+ "ingested": "2021-09-18T21:21:46.290175782Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:02 mojo_server.pl: siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00",
 "code": ""
 },
@@ -288,7 +288,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441086400Z",
+ "ingested": "2021-09-18T21:21:46.290177690Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:20 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -325,7 +325,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441088200Z",
+ "ingested": "2021-09-18T21:21:46.290179652Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:41 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -362,7 +362,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441090100Z",
+ "ingested": "2021-09-18T21:21:46.290181534Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:47 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Interfaces, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -399,7 +399,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441091900Z",
+ "ingested": "2021-09-18T21:21:46.290183423Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:52 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -436,7 +436,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441093900Z",
+ "ingested": "2021-09-18T21:21:46.290185692Z",
 "original": "\u003c14\u003eAug 14 2019 13:58:54 mojo_server.pl: siem-management: admin@10.0.255.31, Devices \u003e Device Management \u003e NGFW Device Summary, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -473,7 +473,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441095700Z",
+ "ingested": "2021-09-18T21:21:46.290187650Z",
 "original": "\u003c14\u003eAug 14 2019 13:59:10 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -510,7 +510,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441097500Z",
+ "ingested": "2021-09-18T21:21:46.290189550Z",
 "original": "\u003c14\u003eAug 14 2019 13:59:15 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -547,7 +547,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441099400Z",
+ "ingested": "2021-09-18T21:21:46.290191440Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
 "code": ""
 },
@@ -584,7 +584,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441101100Z",
+ "ingested": "2021-09-18T21:21:46.290193343Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
 "code": ""
 },
@@ -621,7 +621,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441103Z",
+ "ingested": "2021-09-18T21:21:46.290195400Z",
 "original": "\u003c14\u003eAug 14 2019 14:00:37 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -658,7 +658,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441105300Z",
+ "ingested": "2021-09-18T21:21:46.290197360Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00",
 "code": ""
 },
@@ -695,7 +695,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441107Z",
+ "ingested": "2021-09-18T21:21:46.290199221Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:12 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00",
 "code": ""
 },
@@ -732,7 +732,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441108800Z",
+ "ingested": "2021-09-18T21:21:46.290201132Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:13 sfdccsm: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Platform Settings Editor, Page View\u0000x0a\u0000x00",
 "code": ""
 },
@@ -769,7 +769,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-09-07T12:21:59.441110500Z",
+ "ingested": "2021-09-18T21:21:46.290203033Z",
 "original": "\u003c14\u003eAug 14 2019 14:01:20 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00",
 "code": ""
 },
@@ -806,7 +806,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441112200Z", + "ingested": "2021-09-18T21:21:46.290204902Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -843,7 +843,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441114Z", + "ingested": "2021-09-18T21:21:46.290206777Z", "original": "\u003c14\u003eAug 14 2019 14:01:31 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", "code": "" }, @@ -880,7 +880,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441115900Z", + "ingested": "2021-09-18T21:21:46.290208794Z", "original": "\u003c14\u003eAug 14 2019 14:01:35 ActionQueueScrape.pl: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -917,7 +917,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441117700Z", + "ingested": "2021-09-18T21:21:46.290210681Z", "original": "\u003c14\u003eAug 14 2019 14:01:36 ActionQueueScrape.pl: siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", "code": "" }, @@ -954,7 +954,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441119400Z", + "ingested": "2021-09-18T21:21:46.290212551Z", "original": "\u003c14\u003eAug 14 2019 14:01:55 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -991,7 +991,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441121100Z", + "ingested": "2021-09-18T21:21:46.290214419Z", "original": "\u003c14\u003eAug 14 2019 14:01:56 sfdccsm: siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", "code": "" }, @@ -1028,7 +1028,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441122800Z", + "ingested": "2021-09-18T21:21:46.290216273Z", "original": "\u003c14\u003eAug 14 2019 14:01:57 sfdccsm: siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", "code": "" }, @@ -1065,7 +1065,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441124600Z", + "ingested": "2021-09-18T21:21:46.290218125Z", "original": "\u003c14\u003eAug 14 2019 14:02:03 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Syslog, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1102,7 +1102,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441126300Z", + "ingested": "2021-09-18T21:21:46.290219974Z", "original": "\u003c14\u003eAug 14 2019 14:02:11 index.cgi: siem-management: admin@10.0.255.31, System \u003e Monitoring \u003e Audit, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1139,7 +1139,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441128100Z", + "ingested": "2021-09-18T21:21:46.290221837Z", "original": "\u003c14\u003eAug 14 2019 14:02:19 mojo_server.pl: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration, Page View\u0000x0a\u0000x00", "code": "" }, 
@@ -1176,7 +1176,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441146300Z", + "ingested": "2021-09-18T21:21:46.290223705Z", "original": "\u003c14\u003eAug 14 2019 14:02:31 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System \u003e Configuration \u003e Configuration \u003e /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", "code": "" }, @@ -1213,7 +1213,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441148900Z", + "ingested": "2021-09-18T21:21:46.290225580Z", "original": "\u003c14\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", "code": "" }, @@ -1251,7 +1251,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:21:59.441150700Z", + "ingested": "2021-09-18T21:21:46.290227435Z", "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", "code": "" }, diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json index 849239ccbf7..de548cbdcb3 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-intrusion.log-expected.json @@ -20,6 +20,7 @@ ], "network": { "protocol": "http", + "community_id": "1:aVBZLbVEijzexcqIhp/89fLm6Fw=", "transport": "tcp", "application": "firefox", "iana_number": "6" 
@@ -64,7 +65,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-07T12:22:00.700724200Z", + "ingested": "2021-09-18T21:21:52.141446819Z", "original": "2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -134,6 +135,7 @@ ], "network": { "protocol": "http", + "community_id": "1:T2FxxCvrJYccm7bcw2QZ9tWONIo=", "transport": "tcp", "application": "firefox", "iana_number": "6" @@ -178,7 +180,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-07T12:22:00.700733Z", + "ingested": "2021-09-18T21:21:52.141451767Z", "original": "2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -247,6 +249,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:4Ze3PKactlddzol+s7PbEeCTTlk=", "iana_number": "6", "transport": "tcp" }, 
@@ -290,7 +293,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-07T12:22:00.700735200Z", + "ingested": "2021-09-18T21:21:52.141453731Z", "original": "2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", @@ -357,6 +360,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:yyUSZl65LfpqAPKtrjT9QRDUlfs=", "iana_number": "6", "transport": "tcp" }, @@ -400,7 +404,7 @@ }, "event": { "severity": 0, - "ingested": "2021-09-07T12:22:00.700737Z", + "ingested": "2021-09-18T21:21:52.141455569Z", "original": "2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "code": "430001", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json index 2f08ae639b9..83335ed4a13 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-no-type-id.log-expected.json 
@@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:22:01.204979900Z", + "ingested": "2021-09-18T21:21:54.746105973Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "code": "430001", "kind": "alert", @@ -109,7 +109,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:22:01.204988Z", + "ingested": "2021-09-18T21:21:54.746111011Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).", "code": "430001", "kind": "alert", @@ -167,7 +167,7 @@ }, "event": { "severity": 7, - "ingested": "2021-09-07T12:22:01.204990200Z", + "ingested": "2021-09-18T21:21:54.746113058Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "code": "430002", "kind": "event", @@ -243,7 +243,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T12:22:01.204992Z", + "ingested": "2021-09-18T21:21:54.746115046Z", "original": "Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "code": "430005", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index f23aee4d175..7eea45ab35c 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json 
@@ -55,7 +55,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.493447500Z", + "ingested": "2021-09-18T21:21:56.239013640Z", "original": "\u003c165\u003eOct 04 2019 15:27:55: %ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -\u003e OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "code": "106100", "kind": "event", @@ -93,6 +93,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "iana_number": "1", "transport": "icmp" }, @@ -120,7 +121,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.493459100Z", + "ingested": "2021-09-18T21:21:56.239018550Z", "original": "Jan 1 2020 10:42:53 localhost : %ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -164,6 +165,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "iana_number": "6", "transport": "tcp" }, @@ -202,7 +204,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.493461200Z", + "ingested": "2021-09-18T21:21:56.239020527Z", "original": "Jan 2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "code": "338204", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log index 09da866b488..91998231f58 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log 
@@ -69,3 +69,18 @@ Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traf
 Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
+Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)
+Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3
+Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00
+Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)
+Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05
+Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001)
+Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001)
+Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.
\ No newline at end of file
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
index ad55a7734bf..20b5e4e5a37 100644
--- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json
@@ -18,6 +18,7 @@
 "preserve_original_event"
 ],
 "network": {
+"community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=",
 "iana_number": "6",
 "transport": "tcp"
 },
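Review bot: The new sample lines in test-sample.log carry a real-looking corporate mailbox, `(soc@danskecommodities.com)` on the IPv6 302013 line, plus routable public addresses (85.0.0.1, 62.0.0.1, 81.0.0.1, 82.0.0.1, 75.0.0.1, 181.0.0.1, 40.0.0.1, 12.12.12.12), whereas the rest of this fixture sticks to documentation ranges (192.0.2.x, 192.0.0.x) and example.com/example.net names. Fixture text in a public package ends up verbatim in the expected JSON, in docs and in copied dashboards, so I would replace the mailbox with `user@example.com` and the public IPs with RFC 5737 addresses before merge; the matching expected.json entries would presumably need regenerating. The final added line also leaves the file without a trailing newline (`\ No newline at end of file`), which makes the next append show up as a change to this line as well.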
@@ -48,7 +49,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768609600Z", + "ingested": "2021-09-18T21:21:57.595637326Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -88,6 +89,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "iana_number": "6", "transport": "tcp" }, @@ -118,7 +120,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768617500Z", + "ingested": "2021-09-18T21:21:57.595642475Z", "original": "Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "code": "106023", "kind": "event", @@ -158,6 +160,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "iana_number": "6", "transport": "tcp" }, @@ -188,7 +191,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768619600Z", + "ingested": "2021-09-18T21:21:57.595644590Z", "original": "Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -229,6 +232,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "iana_number": "17", "transport": "udp" }, @@ -266,7 +270,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768631600Z", + "ingested": "2021-09-18T21:21:57.595646605Z", "original": "Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -\u003e outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "code": "106100", "kind": "event", 
@@ -306,6 +310,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "iana_number": "17", "transport": "udp" }, @@ -343,7 +348,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768634600Z", + "ingested": "2021-09-18T21:21:57.595648569Z", "original": "Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -\u003e outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "code": "106100", "kind": "event", @@ -383,6 +388,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "iana_number": "6", "transport": "tcp" }, @@ -413,7 +419,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768636600Z", + "ingested": "2021-09-18T21:21:57.595650507Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "code": "305011", "kind": "event", @@ -453,8 +459,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -484,7 +491,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768638300Z", + "ingested": "2021-09-18T21:21:57.595652381Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42/12834)", "code": "302013", "kind": "event", @@ -526,6 +533,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "iana_number": "17", "transport": "udp" }, 
@@ -556,7 +564,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768640Z", + "ingested": "2021-09-18T21:21:57.595654293Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "code": "305011", "kind": "event", @@ -599,8 +607,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -631,7 +640,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768641600Z", + "ingested": "2021-09-18T21:21:57.595656200Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "code": "302015", "kind": "event", @@ -673,6 +682,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "iana_number": "6", "transport": "tcp" }, @@ -703,7 +713,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768643100Z", + "ingested": "2021-09-18T21:21:57.595658130Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "code": "305011", "kind": "event", @@ -744,8 +754,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -776,7 +787,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768644600Z", + "ingested": "2021-09-18T21:21:57.595660059Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "code": "302013", "kind": "event", 
@@ -818,9 +829,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", + "transport": "udp", "bytes": 140, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -850,7 +862,7 @@ "event": { "severity": 6, "duration": 5025000000000, - "ingested": "2021-09-07T12:22:01.768646700Z", + "ingested": "2021-09-18T21:21:57.595662462Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "code": "302016", "kind": "event", @@ -878,22 +890,29 @@ "level": "informational" }, "destination": { - "port": 52925, "address": "10.123.1.35", + "port": 52925, + "user": { + "name": "user2" + }, "ip": "10.123.1.35" }, "source": { - "port": 53, "address": "192.0.2.222", + "port": 53, + "user": { + "name": "user1" + }, "ip": "192.0.2.222" }, "tags": [ "preserve_original_event" ], "network": { + "community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", + "transport": "udp", "bytes": 9999999, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -915,6 +934,10 @@ "version": "1.11.0" }, "related": { + "user": [ + "user2", + "user1" + ], "ip": [ "192.0.2.222", "10.123.1.35" @@ -923,7 +946,7 @@ "event": { "severity": 6, "duration": 36000000000000, - "ingested": "2021-09-07T12:22:01.768648200Z", + "ingested": "2021-09-18T21:21:57.595664418Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "code": "302016", "kind": "event", @@ -946,6 +969,9 @@ "source_interface": "outside", "destination_username": "user2" } + }, + "user": { + "name": "user2" } }, { @@ -964,6 +990,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "iana_number": "1", "transport": "icmp" }, 
@@ -991,7 +1018,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768649800Z", + "ingested": "2021-09-18T21:21:57.595666303Z", "original": "Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "code": "302021", "kind": "event", @@ -1028,6 +1055,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "iana_number": "6", "transport": "tcp" }, @@ -1058,7 +1086,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768651800Z", + "ingested": "2021-09-18T21:21:57.595668244Z", "original": "Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "code": "305011", "kind": "event", @@ -1099,8 +1127,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -1131,7 +1160,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768653300Z", + "ingested": "2021-09-18T21:21:57.595670147Z", "original": "Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "code": "302013", "kind": "event", @@ -1174,6 +1203,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "transport": "udp", "iana_number": "17", "direction": "inbound" @@ -1195,7 +1225,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768654900Z", + "ingested": "2021-09-18T21:21:57.595672208Z", "original": "Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "code": "106007", "kind": "event", 
@@ -1231,6 +1261,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "iana_number": "6", "transport": "tcp" }, @@ -1261,7 +1292,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768657500Z", + "ingested": "2021-09-18T21:21:57.595674122Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1301,6 +1332,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "iana_number": "6", "transport": "tcp" }, @@ -1331,7 +1363,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768659100Z", + "ingested": "2021-09-18T21:21:57.595676012Z", "original": "Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1371,6 +1403,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "iana_number": "6", "transport": "tcp" }, @@ -1401,7 +1434,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768660700Z", + "ingested": "2021-09-18T21:21:57.595677902Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1441,6 +1474,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "iana_number": "6", "transport": "tcp" }, 
@@ -1471,7 +1505,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768662300Z", + "ingested": "2021-09-18T21:21:57.595679832Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1511,6 +1545,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "iana_number": "6", "transport": "tcp" }, @@ -1541,7 +1576,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768663800Z", + "ingested": "2021-09-18T21:21:57.595681710Z", "original": "Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1581,6 +1616,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "iana_number": "6", "transport": "tcp" }, @@ -1611,7 +1647,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768665400Z", + "ingested": "2021-09-18T21:21:57.595683608Z", "original": "Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1651,6 +1687,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "iana_number": "6", "transport": "tcp" }, @@ -1681,7 +1718,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768667400Z", + "ingested": "2021-09-18T21:21:57.595685638Z", "original": "Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", 
@@ -1721,6 +1758,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "iana_number": "6", "transport": "tcp" }, @@ -1751,7 +1789,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768669Z", + "ingested": "2021-09-18T21:21:57.595687551Z", "original": "Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1791,6 +1829,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "iana_number": "6", "transport": "tcp" }, @@ -1821,7 +1860,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768670600Z", + "ingested": "2021-09-18T21:21:57.595689414Z", "original": "Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -\u003e dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1861,6 +1900,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "iana_number": "6", "transport": "tcp" }, @@ -1891,7 +1931,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768672200Z", + "ingested": "2021-09-18T21:21:57.595691320Z", "original": "Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -1931,8 +1971,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "transport": "udp", + "iana_number": "17", "direction": "inbound" }, "observer": { 
@@ -1957,7 +1998,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768673700Z", + "ingested": "2021-09-18T21:21:57.595693188Z", "original": "Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "code": "106006", "kind": "event", @@ -1996,6 +2037,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "transport": "udp", "iana_number": "17", "direction": "inbound" @@ -2017,7 +2059,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768675300Z", + "ingested": "2021-09-18T21:21:57.595695065Z", "original": "Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "code": "106007", "kind": "event", @@ -2053,6 +2095,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "iana_number": "6", "transport": "tcp" }, @@ -2083,7 +2126,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768677200Z", + "ingested": "2021-09-18T21:21:57.595696925Z", "original": "Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2123,6 +2166,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "iana_number": "6", "transport": "tcp" }, @@ -2153,7 +2197,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768678800Z", + "ingested": "2021-09-18T21:21:57.595698776Z", "original": "Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2193,6 +2237,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "iana_number": "6", "transport": "tcp" }, 
@@ -2223,7 +2268,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768680400Z", + "ingested": "2021-09-18T21:21:57.595700621Z", "original": "Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2263,6 +2308,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "iana_number": "6", "transport": "tcp" }, @@ -2293,7 +2339,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768682100Z", + "ingested": "2021-09-18T21:21:57.595702532Z", "original": "Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2333,6 +2379,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "iana_number": "6", "transport": "tcp" }, @@ -2363,7 +2410,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768683600Z", + "ingested": "2021-09-18T21:21:57.595704381Z", "original": "Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2403,6 +2450,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "iana_number": "6", "transport": "tcp" }, @@ -2433,7 +2481,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768704400Z", + "ingested": "2021-09-18T21:21:57.595706387Z", "original": "Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", 
@@ -2473,6 +2521,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "iana_number": "6", "transport": "tcp" }, @@ -2503,7 +2552,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768707400Z", + "ingested": "2021-09-18T21:21:57.595708269Z", "original": "Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "code": "106023", "kind": "event", @@ -2543,6 +2592,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "iana_number": "6", "transport": "tcp" }, @@ -2573,7 +2623,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768709600Z", + "ingested": "2021-09-18T21:21:57.595710147Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -\u003e outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2613,6 +2663,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "iana_number": "6", "transport": "tcp" }, @@ -2643,7 +2694,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768711300Z", + "ingested": "2021-09-18T21:21:57.595712054Z", "original": "Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -\u003e outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2683,6 +2734,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "iana_number": "6", "transport": "tcp" }, 
@@ -2713,7 +2765,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768712900Z", + "ingested": "2021-09-18T21:21:57.595713943Z", "original": "Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -\u003e outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "code": "106100", "kind": "event", @@ -2754,8 +2806,9 @@ "preserve_original_event" ], "network": { - "iana_number": "17", + "community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "transport": "udp", + "iana_number": "17", "direction": "outbound" }, "observer": { @@ -2792,7 +2845,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768714400Z", + "ingested": "2021-09-18T21:21:57.595715809Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "code": "302015", "kind": "event", @@ -2834,6 +2887,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "iana_number": "17", "transport": "udp" }, @@ -2871,7 +2925,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768717100Z", + "ingested": "2021-09-18T21:21:57.595717704Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", @@ -2911,6 +2965,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "iana_number": "17", "transport": "udp" }, @@ -2948,7 +3003,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768718800Z", + "ingested": "2021-09-18T21:21:57.595719628Z", "original": "Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "code": "106023", "kind": "event", 
@@ -3026,7 +3081,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768723600Z", + "ingested": "2021-09-18T21:21:57.595721544Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3106,7 +3161,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768725500Z", + "ingested": "2021-09-18T21:21:57.595723481Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "code": "302013", "kind": "event", @@ -3148,9 +3203,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", + "transport": "tcp", "bytes": 14804, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3188,7 +3244,7 @@ "severity": 6, "duration": 0, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768727100Z", + "ingested": "2021-09-18T21:21:57.595725361Z", "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "code": "302014", "kind": "event", @@ -3229,9 +3285,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", + "transport": "tcp", "bytes": 134781, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { 
@@ -3269,7 +3326,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768728900Z", + "ingested": "2021-09-18T21:21:57.595727239Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3310,9 +3367,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", + "transport": "tcp", "bytes": 134781, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3350,7 +3408,7 @@ "severity": 6, "duration": 68000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768730900Z", + "ingested": "2021-09-18T21:21:57.595729138Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "code": "302014", "kind": "event", @@ -3391,6 +3449,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "iana_number": "6", "transport": "tcp" }, @@ -3423,7 +3482,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768732400Z", + "ingested": "2021-09-18T21:21:57.595731113Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3461,6 +3520,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "iana_number": "6", "transport": "tcp" }, 
@@ -3493,7 +3553,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768734Z", + "ingested": "2021-09-18T21:21:57.595733004Z", "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "code": "106015", "kind": "event", @@ -3531,6 +3591,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "iana_number": "17", "transport": "udp" }, @@ -3568,7 +3629,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768735700Z", + "ingested": "2021-09-18T21:21:57.595734959Z", "original": "Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "code": "106023", "kind": "event", @@ -3608,8 +3669,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { @@ -3646,7 +3708,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768737500Z", + "ingested": "2021-09-18T21:21:57.595736969Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3688,8 +3750,9 @@ "preserve_original_event" ], "network": { - "iana_number": "6", + "community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "transport": "tcp", + "iana_number": "6", "direction": "outbound" }, "observer": { 
@@ -3726,7 +3789,7 @@ }, "event": { "severity": 6, - "ingested": "2021-09-07T12:22:01.768739100Z", + "ingested": "2021-09-18T21:21:57.595738860Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "code": "302013", "kind": "event", @@ -3768,9 +3831,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", + "transport": "tcp", "bytes": 11420, - "iana_number": "6", - "transport": "tcp" + "iana_number": "6" }, "observer": { "ingress": { @@ -3808,7 +3872,7 @@ "severity": 6, "duration": 86399000000000, "reason": "TCP FINs", - "ingested": "2021-09-07T12:22:01.768740700Z", + "ingested": "2021-09-18T21:21:57.595740742Z", "original": "Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "code": "302014", "kind": "event", @@ -3849,9 +3913,10 @@ "preserve_original_event" ], "network": { + "community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", + "transport": "udp", "bytes": 1416, - "iana_number": "17", - "transport": "udp" + "iana_number": "17" }, "observer": { "ingress": { @@ -3881,7 +3946,7 @@ "event": { "severity": 6, "duration": 122000000000, - "ingested": "2021-09-07T12:22:01.768742300Z", + "ingested": "2021-09-18T21:21:57.595742655Z", "original": "Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "code": "302016", "kind": "event", @@ -3948,7 +4013,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768744400Z", + "ingested": "2021-09-18T21:21:57.595744623Z", "original": "Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4012,7 +4077,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768746Z", + "ingested": "2021-09-18T21:21:57.595746586Z", "original": "Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4076,7 +4141,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768747500Z", + "ingested": "2021-09-18T21:21:57.595748517Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4140,7 +4205,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768749100Z", + "ingested": "2021-09-18T21:21:57.595750394Z", "original": "Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4204,7 +4269,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768750600Z", + "ingested": "2021-09-18T21:21:57.595752238Z", "original": "Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4268,7 +4333,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768752200Z", + "ingested": "2021-09-18T21:21:57.595754107Z", "original": "Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4332,7 +4397,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768755200Z", + "ingested": "2021-09-18T21:21:57.595755995Z", "original": "Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", 
@@ -4396,7 +4461,7 @@ }, "event": { "severity": 2, - "ingested": "2021-09-07T12:22:01.768756900Z", + "ingested": "2021-09-18T21:21:57.595757900Z", "original": "Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "code": "106016", "kind": "event", @@ -4434,6 +4499,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "iana_number": "6", "transport": "tcp" }, @@ -4471,7 +4537,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768758500Z", + "ingested": "2021-09-18T21:21:57.595759805Z", "original": "Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "code": "106023", "kind": "event", @@ -4536,7 +4602,7 @@ }, "event": { "severity": 3, - "ingested": "2021-09-07T12:22:01.768760600Z", + "ingested": "2021-09-18T21:21:57.595761699Z", "original": "Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "code": "313001", "kind": "event", @@ -4574,6 +4640,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "iana_number": "1", "transport": "icmp" }, @@ -4599,7 +4666,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768762200Z", + "ingested": "2021-09-18T21:21:57.595763582Z", "original": "Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "code": "313004", "kind": "event", @@ -4646,6 +4713,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "iana_number": "6", "transport": "tcp" }, 
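Review bot: The `community_id` added to the ICMP document in this hunk (`"iana_number": "1"`, apparently the 313004 `Denied ICMP type=0` event that follows) is only comparable with IDs produced by Zeek or Suricata if the hash also covers the ICMP type and code, which the Community ID spec uses as the port equivalents for protocols 1 and 58; nothing in the diff shows whether the processor is given those values. The pipeline already parses them into `cisco.ftd.icmp_type` / `cisco.ftd.icmp_code` (visible in later documents of this file), so the `community_id` processor in `default.yml` should set `icmp_type: cisco.ftd.icmp_type` and `icmp_code: cisco.ftd.icmp_code` — that processor is outside this diff, please confirm. Without them every ICMP exchange between the same two hosts collapses to one ID regardless of type/code, and the value will not match what a network sensor reports for the same flow, which defeats the purpose of the field for cross-source correlation. A fixture carrying both endpoints and a non-zero type/code that asserts a distinct ID would pin this down. The JSON documents these hunks belong to start and end outside the hunk.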
@@ -4680,7 +4748,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768763800Z", + "ingested": "2021-09-18T21:21:57.595765460Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "code": "338002", "kind": "event", @@ -4730,6 +4798,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "iana_number": "6", "transport": "tcp" }, @@ -4762,7 +4831,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768765300Z", + "ingested": "2021-09-18T21:21:57.595767359Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338004", "kind": "event", @@ -4813,6 +4882,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "iana_number": "6", "transport": "tcp" }, @@ -4844,7 +4914,7 @@ }, "event": { "severity": 4, - "ingested": "2021-09-07T12:22:01.768766800Z", + "ingested": "2021-09-18T21:21:57.595769220Z", "original": "Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "code": "338008", "kind": "event", 
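Review bot: The 338004 and 338008 documents appear to receive the same `community_id` (`1:iQUXct+pq5A5+rR869ELbDtnuek=`) although their mapped destinations differ (`192.0.2.225/80` vs `192.0.2.223/8080`), which indicates the ID is derived from the untranslated tuple (`source.ip`/`source.port` to `destination.ip`/`destination.port`) and ignores the `cisco.ftd.mapped_*` fields. That is a defensible choice, but it means the ID will not match the one computed by an IDS or flow collector sitting on the other side of the NAT boundary, so the field cannot be used to join firewall events with those records in such deployments. Please say so where `network.community_id` is described for this data stream (the `fields/ecs.yml` entry or the README), e.g. `Computed from the untranslated (pre-NAT) 5-tuple; will not match IDs from sensors that only see the translated addresses.` The JSON documents these hunks belong to start and end outside the hunk.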
@@ -4908,7 +4978,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768768300Z", + "ingested": "2021-09-18T21:21:57.595771090Z", "original": "Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "code": "304001", "kind": "event", @@ -4964,7 +5034,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768783600Z", + "ingested": "2021-09-18T21:21:57.595772994Z", "original": "Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", "code": "304001", "kind": "event", @@ -5026,7 +5096,7 @@ }, "event": { "severity": 5, - "ingested": "2021-09-07T12:22:01.768786400Z", + "ingested": "2021-09-18T21:21:57.595774909Z", "original": "Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", "code": "304002", "kind": "event", 
@@ -5045,6 +5115,1559 @@ "source_interface": "inside" } } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "address": "172.17.6.211", + "ip": "172.17.6.211" + }, + "source": { + "user": { + "name": "USER001" + }, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "url": { + "path": "/somewebpage.html", + "extension": "html", + "original": "http://testingserver.com/somewebpage.html", + "scheme": "http", + "domain": "testingserver.com" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "192.168.0.1", + "172.17.6.211" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595776810Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html", + "code": "304001", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info", + "allowed" + ], + "outcome": "success" + }, + "cisco": { + "ftd": {} + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "port": 443, + "ip": "81.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "nat": { + "port": 34534, + "ip": "62.0.0.1" + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 12312, + "ip": "85.0.0.1", + "user": { + "name": "USER001" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "85.0.0.1", + "62.0.0.1", + "81.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595778680Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 34534, + "termination_user": "USER001", + "mapped_destination_ip": "81.0.0.1", + "mapped_source_ip": "62.0.0.1", + "connection_id": "195207391", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\USER001" + } + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": 
"Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 443, + "ip": "81.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "nat": { + "port": 34534, + "ip": "62.0.0.1" + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "port": 12312, + "ip": "85.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@domain.tld" + ], + "hosts": [ + "domain.tld" + ], + "ip": [ + "85.0.0.1", + "62.0.0.1", + "81.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595780535Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + 
"mapped_source_port": 34534, + "termination_user": "user@domain.tld", + "mapped_destination_ip": "81.0.0.1", + "mapped_source_ip": "62.0.0.1", + "connection_id": "195207391", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\user@domain.tld" + } + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "USER001" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "user": { + "name": "USER001" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595782553Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "USER001", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "LOCAL\\USER001" + } + }, + "user": { + "name": "USER001" + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "user": { + "name": "user@domain.tld", + "domain": "domain.tld" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "user@domain.tld" + ], + "hosts": [ + "domain.tld" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595784450Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "user@domain.tld", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "LOCAL\\user@domain.tld" + } + }, + "user": { + "name": "user@domain.tld" + } + }, + { + "log": { + "level": "notification" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "CH-AG", + "city_name": "Kolliken", + "country_iso_code": "CH", + "country_name": "Switzerland", + "region_name": "Aargau", + "location": { + "lon": 8.0264, + "lat": 47.3388 + } + }, + "as": { + "number": 3303, + "organization": { + "name": "Bluewin" + } + }, + "address": "85.0.0.1", + "user": { + "name": "USER002", + "domain": "AD" + }, + "ip": "85.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + 
"name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "user": { + "name": "USER002" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "protocol": "icmp", + "direction": "inbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-13T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER002" + ], + "hosts": [ + "AD" + ], + "ip": [ + "81.0.0.1", + "85.0.0.1" + ] + }, + "event": { + "severity": 5, + "ingested": "2021-09-18T21:21:57.595786307Z", + "original": "Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3", + "code": "302020", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "USER002", + "icmp_type": 3, + "icmp_code": 3, + "mapped_source_ip": "81.0.0.1", + "destination_username": "AD\\USER002" + } + }, + "user": { + "name": "USER002" + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-NV", + "city_name": "Carson City", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Nevada", + "location": { + "lon": -119.7459, + "lat": 39.1507 + } + }, + "as": { + "number": 7018, + "organization": { + "name": "AT\u0026T Services, Inc." 
+ } + }, + "address": "75.0.0.1", + "port": 18449, + "ip": "75.0.0.1" + }, + "source": { + "address": "192.168.0.1", + "port": 59677, + "user": { + "name": "USER001" + }, + "ip": "192.168.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "ip": [ + "192.168.0.1", + "75.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2021-09-18T21:21:57.595788201Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00", + "code": "305012", + "kind": "event", + "start": "2021-01-15T19:12:37.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "LOCAL\\USER001", + "destination_interface": "OUTSIDE", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "address": "ff02::1", + "ip": "ff02::1" + }, + "source": { + "address": "fe80::2205:baff:fe9d:f637", + "ip": "fe80::2205:baff:fe9d:f637" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=", + "iana_number": "1", + "transport": "icmp" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "ip": [ + "fe80::2205:baff:fe9d:f637", + "ff02::1" + ] + }, + 
"event": { + "severity": 6, + "ingested": "2021-09-18T21:21:57.595790082Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0", + "code": "302021", + "kind": "event", + "action": "flow-expiration", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "mapped_source_ip": "fe80::2205:baff:fe9d:f637", + "icmp_type": 134, + "icmp_code": 0 + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "Ireland", + "location": { + "lon": -8.0, + "lat": 53.0 + }, + "country_iso_code": "IE" + }, + "as": { + "number": 32934, + "organization": { + "name": "Facebook, Inc." + } + }, + "address": "2a03:2880:f253:cb:face:b00c:0:43fe", + "port": 443, + "ip": "2a03:2880:f253:cb:face:b00c:0:43fe" + }, + "source": { + "port": 62477, + "address": "fe00::fede:bbe1", + "ip": "fe00::fede:bbe1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "ip": [ + "fe00::fede:bbe1", + "2a03:2880:f253:cb:face:b00c:0:43fe" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T21:21:57.595791954Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)", + "code": "302013", + "kind": "event", + 
"action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 62477, + "termination_user": "soc@danskecommodities.com", + "mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "mapped_source_ip": "fe00::fede:bbe1", + "connection_id": "251933191", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443 + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "South America", + "country_name": "Argentina", + "location": { + "lon": -58.3817, + "lat": -34.6033 + }, + "country_iso_code": "AR" + }, + "as": { + "number": 7303, + "organization": { + "name": "Telecom Argentina S.A." + } + }, + "address": "181.0.0.1", + "port": 50120, + "ip": "181.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." 
+ } + }, + "address": "81.0.0.1", + "port": 50120, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "181.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 125000000000, + "ingested": "2021-09-18T21:21:57.595793843Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05", + "code": "305012", + "kind": "event", + "start": "2021-01-15T19:10:32.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "OUTSIDE", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 4249, + "organization": { + "name": "Eli Lilly and Company" + } + }, + "address": "40.0.0.1", + "port": 443, + "ip": "40.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 
+ } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 50120, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "transport": "tcp", + "bytes": 9610, + "iana_number": "6" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "40.0.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 125000000000, + "reason": "TCP FINs", + "ingested": "2021-09-18T21:21:57.595795778Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", + "code": "302014", + "kind": "event", + "start": "2021-01-15T19:10:32.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "termination_initiator": "OUTSIDE", + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "OUTSIDE", + "termination_user": "domain\\USER001", + "connection_id": "261246338", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + 
"lon": -3.7016, + "lat": 40.4143 + } + }, + "nat": { + "ip": "82.0.0.1" + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 63790, + "ip": "81.0.0.1", + "user": { + "name": "USER001", + "domain": "domain" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "transport": "udp", + "iana_number": "17", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "INSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "82.0.0.1", + "192.168.0.1" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T21:21:57.595797862Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)", + "code": "302015", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "INSIDE", + "mapped_source_port": 63790, + "termination_user": "domain\\USER001", + "mapped_destination_ip": "192.168.0.1", + "mapped_source_ip": "82.0.0.1", + "connection_id": "261311655", + "source_interface": "OUTSIDE", + "mapped_destination_port": 53, + "source_username": "LOCAL\\domain\\USER001" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "port": 53, + "address": "192.168.0.1", + "ip": "192.168.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + 
"region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 63790, + "user": { + "name": "USER001", + "domain": "domain" + }, + "ip": "81.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "transport": "udp", + "bytes": 139, + "iana_number": "17" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "INSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "192.168.0.1" + ] + }, + "event": { + "severity": 6, + "duration": 0, + "ingested": "2021-09-18T21:21:57.595799809Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)", + "code": "302016", + "kind": "event", + "start": "2021-01-15T19:12:37.000Z", + "action": "flow-expiration", + "end": "2021-01-15T19:12:37.000Z", + "category": [ + "network" + ], + "type": [ + "connection", + "end" + ] + }, + "cisco": { + "ftd": { + "source_username": "LOCAL\\domain\\USER001", + "destination_interface": "INSIDE", + "termination_user": "domain\\USER001", + "connection_id": "261311655", + "source_interface": "OUTSIDE" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 4249, + "organization": { + "name": "Eli Lilly and Company" + } + }, + "address": "40.0.0.1", + "port": 
443, + "ip": "40.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-M", + "city_name": "Madrid", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Madrid", + "location": { + "lon": -3.7016, + "lat": 40.4143 + } + }, + "nat": { + "ip": "82.0.0.1" + }, + "as": { + "number": 15704, + "organization": { + "name": "Xtra Telecom S.A." + } + }, + "address": "81.0.0.1", + "port": 50120, + "ip": "81.0.0.1", + "user": { + "name": "USER001", + "domain": "domain" + } + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "transport": "tcp", + "iana_number": "6", + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "OUTSIDE" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco", + "egress": { + "interface": { + "name": "OUTSIDE" + } + } + }, + "@timestamp": "2021-01-15T19:12:37.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "USER001" + ], + "hosts": [ + "domain" + ], + "ip": [ + "81.0.0.1", + "82.0.0.1", + "40.0.0.1" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T21:21:57.595801671Z", + "original": "Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)", + "code": "302013", + "kind": "event", + "action": "firewall-rule", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "cisco": { + "ftd": { + "destination_interface": "OUTSIDE", + "mapped_source_port": 50120, + "termination_user": "domain\\USER001", + "mapped_destination_ip": "40.0.0.1", + "mapped_source_ip": "82.0.0.1", + "connection_id": "261246338", + "source_interface": "OUTSIDE", + "mapped_destination_port": 443, + "source_username": "LOCAL\\domain\\USER001" + } + } + }, + { + "log": { + "level": "informational" + }, + "destination": { + "geo": 
{ + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 32328, + "organization": { + "name": "Alascom, Inc." + } + }, + "address": "12.12.12.12", + "ip": "12.12.12.12" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 32328, + "organization": { + "name": "Alascom, Inc." + } + }, + "address": "12.12.12.12", + "ip": "12.12.12.12" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "type": "ipsec", + "direction": "outbound" + }, + "observer": { + "type": "firewall", + "product": "asa", + "vendor": "Cisco" + }, + "@timestamp": "2021-07-29T08:35:29.000Z", + "ecs": { + "version": "1.11.0" + }, + "related": { + "user": [ + "12.12.12.12" + ], + "ip": [ + "12.12.12.12" + ] + }, + "event": { + "severity": 6, + "ingested": "2021-09-18T21:21:57.595803496Z", + "original": "Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.", + "code": "602304", + "kind": "event", + "action": "deleted", + "category": [ + "network" + ], + "type": [ + "info", + "deletion", + "user", + "allowed" + ], + "outcome": "success" + }, + "user": { + "name": "12.12.12.12" + }, + "cisco": { + "ftd": { + "tunnel_type": "LAN-to-LAN" + } + } } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json index 7586010937b..263620c7f01 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json 
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-connection.log-expected.json @@ -21,6 +21,7 @@ ], "network": { "protocol": "icmp", + "community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "transport": "icmp", "application": "icmp client", "iana_number": "1" @@ -62,7 +63,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428840500Z", + "ingested": "2021-09-18T21:22:34.429286145Z", "original": "2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -136,6 +137,7 @@ ], "network": { "protocol": "icmp", + "community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "transport": "icmp", "application": "icmp client", "iana_number": "1" 
@@ -178,7 +180,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-09-07T12:22:07.428852900Z", + "ingested": "2021-09-18T21:22:34.429291015Z", "original": "2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "code": "430003", "kind": "event", @@ -279,6 +281,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:LrHhMjRxI8XLokucnZO43cq3wJ0=", "transport": "udp", "application": "dns client", "iana_number": "17" @@ -320,7 +323,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428854200Z", + "ingested": "2021-09-18T21:22:34.429292963Z", "original": "2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "code": "430002", "kind": "event", @@ -420,6 +423,7 @@ ], "network": { "protocol": "dns", + "community_id": "1:/cLFaau3XcCC0NUtxHnt+rWlO6A=", "transport": "udp", "application": "dns client", "iana_number": "17" 
@@ -462,7 +466,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-09-07T12:22:07.428855300Z", + "ingested": "2021-09-18T21:22:34.429313915Z", "original": "2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "code": "430003", "kind": "event", @@ -562,6 +566,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "iana_number": "6", "transport": "tcp" }, @@ -602,7 +607,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428856300Z", + "ingested": "2021-09-18T21:22:34.429317200Z", "original": "2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -701,6 +706,7 @@ ], "network": { "protocol": "http", + "community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "transport": "tcp", "application": [ "advanced packaging tool", 
@@ -751,7 +757,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-09-07T12:22:07.428857300Z", + "ingested": "2021-09-18T21:22:34.429318949Z", "original": "2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "code": "430003", "kind": "event", @@ -856,6 +862,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "iana_number": "6", "transport": "tcp" }, @@ -896,7 +903,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428858300Z", + "ingested": "2021-09-18T21:22:34.429320751Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", 
@@ -995,6 +1002,7 @@ ], "network": { "protocol": "http", + "community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -1042,7 +1050,7 @@ "event": { "severity": 1, "duration": 0, - "ingested": "2021-09-07T12:22:07.428859400Z", + "ingested": "2021-09-18T21:22:34.429322686Z", "original": "2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "code": "430003", "kind": "event", @@ -1126,6 +1134,7 @@ "preserve_original_event" ], "network": { + "community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "iana_number": "1", "transport": "icmp" }, 
@@ -1166,7 +1175,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:07.428860400Z", + "ingested": "2021-09-18T21:22:34.429324453Z", "original": "2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "code": "430002", "kind": "event", @@ -1251,6 +1260,7 @@ ], "network": { "protocol": "http", + "community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -1298,7 +1308,7 @@ "event": { "severity": 1, "duration": 1000000000, - "ingested": "2021-09-07T12:22:07.428861400Z", + "ingested": "2021-09-18T21:22:34.429326178Z", "original": "Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "code": "430003", "kind": "event", 
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json index d5d14f81d89..9030e10e544 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json @@ -27,6 +27,7 @@ ], "network": { "protocol": "http", + "community_id": "1:ICpzATq4Q7ls9bAGqEmf+eAOtFc=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -61,7 +62,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902870600Z", + "ingested": "2021-09-18T21:22:41.439753022Z", "original": "Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -129,6 +130,7 @@ ], "network": { "protocol": "http", + "community_id": "1:1P/UJpeT0HuAQ0Zj36VUw3NWrms=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -163,7 +165,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902876600Z", + "ingested": "2021-09-18T21:22:41.439757806Z", "original": "Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "code": "430004", "kind": "alert", @@ -231,6 +233,7 @@ ], "network": { "protocol": "http", + "community_id": "1:k9jZpiIYklqnW5VrPKZ36zGCfpw=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -265,7 +268,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902877800Z", + "ingested": "2021-09-18T21:22:41.439759774Z", "original": "Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "code": "430004", "kind": "alert", @@ -333,6 +336,7 @@ ], "network": { "protocol": "http", + "community_id": "1:1O6Tg+zlE975TFeaA0Qa6QBRfBs=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -367,7 +371,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902878900Z", + "ingested": "2021-09-18T21:22:41.439761581Z", "original": "Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "code": "430004", "kind": "alert", @@ -435,6 +439,7 @@ ], "network": { "protocol": "http", + "community_id": "1:9k57JmGIU8Cd4FcndffJHSuGmHg=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -476,7 +481,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902879800Z", + "ingested": "2021-09-18T21:22:41.439763371Z", "original": "Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -548,6 +553,7 @@ ], "network": { "protocol": "http", + "community_id": "1:eJqjWMIqoBPiagsWFCmeQAhxZaM=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -589,7 +595,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902880800Z", + "ingested": "2021-09-18T21:22:41.439765150Z", "original": "Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430004", "kind": "alert", @@ -661,6 +667,7 @@ ], "network": { "protocol": "http", + "community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "transport": "tcp", "application": "curl", "iana_number": "6" @@ -702,7 +709,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902881800Z", + "ingested": "2021-09-18T21:22:41.439766879Z", "original": "Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "code": "430005", "kind": "alert", @@ -795,6 +802,7 @@ ], "network": { "protocol": "http", + "community_id": "1:idXjLwb9WD2+SkGKCxynJU8imAk=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -836,7 +844,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902882800Z", + "ingested": "2021-09-18T21:22:41.439768601Z", "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "code": "430005", "kind": "alert", @@ -909,6 +917,7 @@ ], "network": { "protocol": "http", + "community_id": "1:nOd4Q0QVZ1CGu/nTE/uuQ/52Q3A=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -950,7 +959,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902883800Z", + "ingested": "2021-09-18T21:22:41.439770337Z", "original": "2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", @@ -1041,6 +1050,7 @@ ], "network": { "protocol": "http", + "community_id": "1:NJVenFV6VTdZygfzWuC08PwZc84=", "transport": "tcp", "application": "curl", "iana_number": "6" 
@@ -1082,7 +1092,7 @@ }, "event": { "severity": 1, - "ingested": "2021-09-07T12:22:08.902884700Z", + "ingested": "2021-09-18T21:22:41.439772088Z", "original": "2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "code": "430005", "kind": "alert", diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json index d496f1baff4..dcb78519952 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-malware-site.log-expected.json @@ -63,6 +63,7 @@ ], "network": { "protocol": "http", + "community_id": "1:IpM6MLWKXk42SgVki5Wy5/6cTfk=", "transport": "tcp", "application": "chrome", "iana_number": "6" 
@@ -110,7 +111,7 @@ "event": { "severity": 0, "duration": 20000000000, - "ingested": "2021-09-07T12:22:10.459282500Z", + "ingested": "2021-09-18T21:22:48.998488877Z", "original": "2020-03-01T01:02:36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico", "code": "430003", "kind": "event", diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 0a8043f9736..305984cbf24 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -267,7 +267,10 @@ processors: field: "message" description: "106023" patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" 
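Review bot: The `NOTCOLON` and `CISCO_USER` definitions added under `pattern_definitions` here are repeated verbatim in the 302013/302015, 305012, 302020 and Teardown groks later in this diff, and the username-normalisation groks further down use a differently shaped `CISCO_USER`; the grok processor has no shared pattern registry, so these copies will drift silently as the regex is tuned. At minimum each copy should carry a comment naming the accepted forms and the sync requirement, e.g. `# CISCO_USER: user, DOMAIN\user, LOCAL\DOMAIN\user or user@host — keep in sync with the other groks in this file`. The new pattern is a plain (unquoted) YAML scalar, so `\s`, `\(` and the doubled backslash in `(LOCAL\\)?` reach the regex unchanged, which is consistent with the other new patterns but differs from the double-quoted line it replaces; the `access.group` → `access-group` literal fix is easy to miss in a line this long and deserves a mention in the changelog entry.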
@@ -328,28 +331,37 @@ processors: field: "message" description: "302013, 302015" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
- dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" - field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" + field: "message" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" @@ -365,7 +377,7 @@ processors: field: "message" description: "304001" patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" 
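Review bot: In the 302013/302015 pattern the second trailing parenthesised value is now captured as `_temp_.cisco.termination_user`, although this is a connection-build message and `fields.yml` documents that field as "AAA name of user requesting termination"; if that slot carries the connection's AAA user (the removed line mapped it to `destination.user.name`), either the field description should be widened to cover Built messages or a separately named temp field used — the 302013 message layout is not visible here to confirm which. The replacement of the 302012 dissect by a 305012 grok also requires that any other processor in this file keying on '302012' (category or type lists outside this hunk, if any) is renamed the same way, as the flow-expiration `set` later in this diff is.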
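Review bot: The new 304001 pattern discards the optional parenthesised value after the source address with `(\\(%{DATA}\\))?`; elsewhere in this file a parenthesised token following an address is the identity-firewall user, so if that is what appears here it should be kept as `(\\(%{DATA:_temp_.cisco.source_username}\\))?`, which the `set` added later in this diff would then promote to `source.user.name` whenever the `user@` prefix is absent. If both a `user@` prefix and a `(user)` suffix can occur on one line, decide which one wins before both are routed to source-user fields. This grok sits in the middle of a processor whose `if:` and `field:` lines are outside the hunk.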
@@ -652,11 +664,12 @@ processors: patterns: - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" 
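Review bot: `exceeded.` in the new 733100 grok is an unescaped `.`, which matches any character rather than the literal period the dissect it replaces matched; write `exceeded\.` so the literal text is required. The `\[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\]` lead-in is not anchored with `^`, consistent with the other groks in this file, but a `[` earlier in the message would shift the match; the typed `%{INT}` captures are a clear improvement over the untyped dissect strings.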
@@ -666,7 +679,7 @@ processors: if: "ctx._temp_.cisco.message_id == '805001'" field: "message" description: "805001" - pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" field: "message" @@ -695,7 +708,7 @@ processors: - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - dissect: if: "ctx._temp_.cisco.message_id == '750002'" field: "message" 
@@ -759,27 +772,29 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes 
%{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} 
)?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) # # Decode FTD's Security Event Syslog Messages 
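Review bot: `MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})"` now contains a dead alternative, because `IPORHOST` already expands to `%{IP}|%{HOSTNAME}`; it can be reduced to `MAPPEDSRC: "%{IPORHOST:_temp_.natsrcip}"`. The new `(?:\(?%{CISCO_USER:...}\)? )?` groups make each parenthesis independently optional, so `(user` and `user)` are accepted alongside `(user)` and `user`; if only the bare and fully parenthesised forms occur on the wire, `(?:\(%{CISCO_USER:...}\) |%{CISCO_USER:...} )?` is stricter and avoids leaving a stray parenthesis in the name. The six Teardown alternatives differ only in their tail and are tried in order, each backtracking through `%{DATA:source.address}` before giving up, so placing the most frequent message shape first keeps the common path cheap; the 302012 → 305012 rename in the flow-expiration `set` at the top of this hunk must match the id used by the new 305012 grok earlier in this diff, which it does.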
@@ -1322,26 +1337,61 @@ processors: Instant.parse(end).minusNanos(nanos), ZoneOffset.UTC); # + # Parse Source/Dest Username/Domain + # + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + # # Normalize protocol names # - lowercase: field: "network.transport" ignore_failure: true + ignore_missing: true - lowercase: field: "network.protocol" ignore_failure: true + ignore_missing: true - lowercase: field: "network.application" ignore_failure: true + ignore_missing: true - lowercase: field: "file.type" ignore_failure: true + ignore_missing: true - lowercase: field: "network.direction" ignore_failure: true + ignore_missing: true - lowercase: field: "network.type" ignore_failure: true + ignore_missing: true # # Populate network.iana_number from network.transport. Also does reverse # mapping in case network.transport contains the iana_number. 
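Review bot: The two groks that split `source.user.name` and `destination.user.name` into name and domain are unanchored, and the grok processor matches substrings, so a name containing a character outside `USERNAME`'s class (a space or apostrophe, for example) would not fail the grok but would be overwritten with its first matching fragment; since `ignore_failure: true` is already set, anchoring keeps such names intact: `- ^(%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name}$` and `- ^(%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name}$`. `source.user.domain` is also a capture target in both `CISCO_DOMAIN` and the `@%{HOSTNAME}` suffix of `CISCO_USER`, so an input of the form `DOMAIN\user@host` captures the field twice; whether the processor keeps the last value or produces an array should be confirmed with a pipeline test sample. The `set` processors correctly use `{{{ }}}` so backslashes and apostrophes in user names are not HTML-escaped by Mustache, matching the `related.user` change later in this diff.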
@@ -1430,58 +1480,72 @@ processors: field: source.port type: integer ignore_failure: true + ignore_missing: true - convert: field: destination.port type: integer ignore_failure: true + ignore_missing: true - convert: field: source.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: destination.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: network.bytes type: long ignore_failure: true + ignore_missing: true - convert: field: source.packets type: integer ignore_failure: true + ignore_missing: true - convert: field: destination.packets type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.mapped_source_port type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.mapped_destination_port type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.icmp_code type: integer ignore_failure: true + ignore_missing: true - convert: field: _temp_.cisco.icmp_type type: integer ignore_failure: true + ignore_missing: true - convert: field: http.response.status_code type: integer ignore_failure: true + ignore_missing: true - convert: field: file.size type: integer ignore_failure: true + ignore_missing: true - convert: field: network.iana_number type: string ignore_failure: true + ignore_missing: true # # Assign ECS .ip fields from .address is a valid IP address is found, # otherwise set .domain field. 
@@ -1877,22 +1941,22 @@ processors: allow_duplicates: false - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" if: ctx?.user?.name != null && ctx?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{host.user.name}}" + value: "{{{host.user.name}}}" if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{source.user.name}}" + value: "{{{source.user.name}}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{destination.user.name}}" + value: "{{{destination.user.name}}}" if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' allow_duplicates: false - append: @@ -1919,7 +1983,20 @@ processors: field: related.hosts value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.user.domain}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.user.domain}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' allow_duplicates: false + - community_id: + ignore_missing: true + ignore_failure: true - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values. diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml index 6914e98ef9d..5efc56b6287 100644 --- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml @@ -40,6 +40,8 @@ name: destination.port - external: ecs name: destination.user.name +- external: ecs + name: destination.user.domain - external: ecs name: dns.question.name - external: ecs 
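Review bot: The new `related.hosts` appends use `"{{source.user.domain}}"` and `"{{destination.user.domain}}"` with double braces, whereas the `related.user` appends in the hunk just above are being switched to triple braces precisely to stop Mustache HTML-escaping the value; use `value: "{{{source.user.domain}}}"` and `value: "{{{destination.user.domain}}}"` here for consistency (the adjacent `{{source.domain}}` context line has the same issue and could be fixed in the same pass). The added `community_id` processor relies on `source.ip`, `destination.ip`, the ports and `iana_number`/`transport`, and its `ignore_missing` means events without a full tuple pass through without the field; because the NAT-translated addresses in `_temp_.natsrcip`/`_temp_.natdstip` are not used, the id will match the pre-NAT view of a flow, which is worth a one-line comment above the processor so correlation with post-NAT sensors is not attempted.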
@@ -116,6 +118,8 @@ name: network.transport - external: ecs name: network.type +- external: ecs + name: network.community_id - external: ecs name: observer.egress.interface.name - external: ecs @@ -192,6 +196,8 @@ name: source.port - external: ecs name: source.user.name +- external: ecs + name: source.user.domain - external: ecs name: tags - external: ecs diff --git a/packages/cisco_ftd/data_stream/log/fields/fields.yml b/packages/cisco_ftd/data_stream/log/fields/fields.yml index cd3a6b2e3ab..f08c22e043a 100644 --- a/packages/cisco_ftd/data_stream/log/fields/fields.yml +++ b/packages/cisco_ftd/data_stream/log/fields/fields.yml @@ -147,6 +147,18 @@ type: keyword description: |- AAA name of user requesting termination + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) + - name: syslog.facility.code type: long description: Syslog numeric facility of the event. diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md index 785d9590df9..082bb34a2e1 100644 --- a/packages/cisco_ftd/docs/README.md +++ b/packages/cisco_ftd/docs/README.md 
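Review bot: The two new `fields.yml` entries use `description: >` followed by a blank line, while the neighbouring `termination_user` entry uses `|-`; `>` with clip chomping keeps a trailing newline in the value, so these descriptions end in `\n` and the blank lines are part of the scalar. Use `description: |-` (or `>-`) to match the existing entries and drop the trailing newline, e.g. `description: |-` followed by `Interface name of the side that initiated the teardown`.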
@@ -215,9 +215,11 @@ An example event for `log` looks as following: | cisco.ftd.source_interface | Source interface for the flow or event. | keyword | | cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | | cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_initiator | Interface name of the side that initiated the teardown | keyword | | cisco.ftd.termination_user | AAA name of user requesting termination | keyword | | cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | | cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.ftd.tunnel_type | SA type (remote access or L2L) | keyword | | cisco.ftd.username | | keyword | | cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | 
@@ -258,6 +260,7 @@ An example event for `log` looks as following: | destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | | destination.packets | Packets sent from the destination to the source. | long | | destination.port | Port of the destination. | long | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | destination.user.name | Short name or login of the user. | keyword | | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | | dns.question.type | The type of record being queried. | keyword | 
@@ -309,6 +312,7 @@ An example event for `log` looks as following:
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
 | network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
@@ -356,6 +360,7 @@ An example event for `log` looks as following:
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.packets | Packets sent from the source to the destination. | long |
 | source.port | Port of the source. | long |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
 | syslog.facility.code | Syslog numeric facility of the event. | long |
 | syslog.priority | Syslog priority of the event. | long |
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index 98209521eb6..29759904c66 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 1.0.1
+version: 1.0.2
 license: basic
 description: This Elastic integration collects logs from Cisco Firepower Threat Defence (FTD)
 type: integration
From ca25f775bedf6338a680792334a9c3231c673af1 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Mon, 20 Sep 2021 12:06:23 +0000
Subject: [PATCH 2/2] fix formatting
---
 packages/cisco_asa/data_stream/log/fields/fields.yml | 1 -
 packages/cisco_asa/docs/README.md | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/packages/cisco_asa/data_stream/log/fields/fields.yml b/packages/cisco_asa/data_stream/log/fields/fields.yml
index 4ef7cfc25ad..b724811e3e3 100644
--- a/packages/cisco_asa/data_stream/log/fields/fields.yml
+++ b/packages/cisco_asa/data_stream/log/fields/fields.yml
@@ -177,7 +177,6 @@ type: keyword description: >- AAA name of user requesting termination - - name: termination_initiator type: keyword default_field: false
diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
index 645689dd6ae..85df3900275 100644
--- a/packages/cisco_asa/docs/README.md
+++ b/packages/cisco_asa/docs/README.md
@@ -129,7 +129,7 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
 | cisco.asa.burst.avg_rate | The current average burst rate seen | keyword |
 | cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |