[Cisco ASA] Loosen time parsing and add group and session type capture

packages/cisco_asa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Relax time parsing and capture group and session type in Cisco ASA module
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1891
 - version: "1.2.0"
  changes:
  - description: Add support for Cisco ASA SIP events

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log

@@ -0,0 +1,5 @@
+Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested
+Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout
+Oct 20 2019 15:42:54: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Paul> IP <83.212.241.149> SVC closing connection: DPD failure.
+Aug 6 2020 11:01:37: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Brian> IP <234.63.56.32> SVC closing connection: Transport closing.
+Aug 6 2020 11:01:38: %ASA-4-722051: Group <GroupPolicy_TheBeatles> User <George> IP <234.24.156.94> IPv4 Address <234.56.47.98> IPv6 address <::> assigned to session

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json

@@ -0,0 +1,250 @@
+{
+ "expected": [
+ {
+ "log": {
+ "level": "warning"
+ },
+ "destination": {
+ "bytes": 0,
+ "address": "234.56.12.87",
+ "ip": "234.56.12.87"
+ },
+ "source": {
+ "user": {
+ "name": "Ringo",
+ "group": {
+ "name": "TheBeatles"
+ }
+ },
+ "bytes": 32452
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "observer": {
+ "type": "firewall",
+ "product": "asa",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2020-06-08T12:59:57.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "Ringo"
+ ],
+ "ip": [
+ "234.56.12.87"
+ ]
+ },
+ "event": {
+ "severity": 4,
+ "duration": 112000000000,
+ "reason": "User Requested",
+ "ingested": "2021-10-11T11:16:23.841932100Z",
+ "original": "Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
+ "code": "113019",
+ "kind": "event",
+ "start": "2020-06-08T12:58:05.000Z",
+ "action": "firewall-rule",
+ "end": "2020-06-08T12:59:57.000Z",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "cisco": {
+ "asa": {
+ "session_type": "AnyConnect-Parent"
+ }
+ }
+ },
+ {
+ "log": {
+ "level": "warning"
+ },
+ "destination": {
+ "bytes": 43252324,
+ "address": "234.28.45.42",
+ "ip": "234.28.45.42"
+ },
+ "source": {
+ "user": {
+ "name": "John",
+ "group": {
+ "name": "TheBeatles"
+ }
+ },
+ "bytes": 45323434
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "observer": {
+ "type": "firewall",
+ "product": "asa",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2019-10-20T15:42:53.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "John"
+ ],
+ "ip": [
+ "234.28.45.42"
+ ]
+ },
+ "event": {
+ "severity": 4,
+ "duration": 8854000000000,
+ "reason": "Idle Timeout",
+ "ingested": "2021-10-11T11:16:23.841946100Z",
+ "original": "Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
+ "code": "113019",
+ "kind": "event",
+ "start": "2019-10-20T13:15:19.000Z",
+ "action": "firewall-rule",
+ "end": "2019-10-20T15:42:53.000Z",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "cisco": {
+ "asa": {
+ "session_type": "SSL"
+ }
+ }
+ },
+ {
+ "observer": {
+ "type": "firewall",
+ "product": "asa",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2019-10-20T15:42:54.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "warning"
+ },
+ "event": {
+ "severity": 4,
+ "ingested": "2021-10-11T11:16:23.841954400Z",
+ "original": "Oct 20 2019 15:42:54: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cPaul\u003e IP \u003c83.212.241.149\u003e SVC closing connection: DPD failure.",
+ "code": "722037",
+ "kind": "event",
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "cisco": {
+ "asa": {}
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "observer": {
+ "type": "firewall",
+ "product": "asa",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2020-08-06T11:01:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "warning"
+ },
+ "event": {
+ "severity": 4,
+ "ingested": "2021-10-11T11:16:23.841961900Z",
+ "original": "Aug 6 2020 11:01:37: %ASA-4-722037: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cBrian\u003e IP \u003c234.63.56.32\u003e SVC closing connection: Transport closing.",
+ "code": "722037",
+ "kind": "event",
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "cisco": {
+ "asa": {}
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "observer": {
+ "type": "firewall",
+ "product": "asa",
+ "vendor": "Cisco"
+ },
+ "@timestamp": "2020-08-06T11:01:38.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "George"
+ ],
+ "ip": [
+ "234.24.156.94"
+ ]
+ },
+ "log": {
+ "level": "warning"
+ },
+ "source": {
+ "user": {
+ "name": "George"
+ },
+ "address": "234.24.156.94",
+ "ip": "234.24.156.94"
+ },
+ "event": {
+ "severity": 4,
+ "ingested": "2021-10-11T11:16:23.841969400Z",
+ "original": "Aug 6 2020 11:01:38: %ASA-4-722051: Group \u003cGroupPolicy_TheBeatles\u003e User \u003cGeorge\u003e IP \u003c234.24.156.94\u003e IPv4 Address \u003c234.56.47.98\u003e IPv6 address \u003c::\u003e assigned to session",
+ "code": "722051",
+ "kind": "event",
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "cisco": {
+ "asa": {
+ "webvpn": {
+ "group_name": "GroupPolicy_TheBeatles"
+ },
+ "assigned_ip": "234.56.47.98"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}

packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -322,7 +322,7 @@ processors:
  if: "ctx._temp_.cisco.message_id == '113019'"
  field: "message"
  description: "113019"
- pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
+ pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}"
  - grok:
  if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
  field: "message"
@@ -1321,7 +1321,7 @@ processors:
  } else if (c == (char)':') {
  total = (total + cur) * 60;
  cur = 0;
- } else {
+ } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
  return 0;
  }
  }

packages/cisco_asa/data_stream/log/fields/ecs.yml

@@ -166,6 +166,8 @@
  name: source.port
 - external: ecs
  name: source.user.name
+- external: ecs
+ name: source.user.group.name
 - external: ecs
  name: tags
 - external: ecs

packages/cisco_asa/data_stream/log/fields/fields.yml

@@ -86,6 +86,12 @@
  description: >
  The VPN connection type
 
+ - name: session_type
+ type: keyword
+ default_field: false
+ description: >
+ Session type (for example, IPsec or UDP).
+
  - name: dap_records
  type: keyword
  description: >

packages/cisco_asa/docs/README.md

@@ -158,6 +158,7 @@ An example event for `log` looks as following:
 | cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword |
 | cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword |
 | cisco.asa.security | Cisco FTD security event fields. | flattened |
+| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword |
 | cisco.asa.source_interface | Source interface for the flow or event. | keyword |
 | cisco.asa.source_username | Name of the user that is the source for this event. | keyword |
 | cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword |
@@ -289,6 +290,7 @@ An example event for `log` looks as following:
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.port | Port of the source. | long |
+| source.user.group.name | Name of the group. | keyword |
 | source.user.name | Short name or login of the user. | keyword |
 | syslog.facility.code | Syslog numeric facility of the event. | long |
 | syslog.priority | Syslog priority of the event. | long |

packages/cisco_asa/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: 1.2.0
+version: 1.2.1
 license: basic
 description: This Elastic integration collects logs from Cisco ASA network devices
 type: integration