[Filebeat] [SIEM] Fileset for Cisco FTD logs

This adds a new `ftd` fileset to the `cisco` module for parsing Firepower Threat Defense logs. As the FTD logs are a superset of the Cisco ASA logs, this PR introduces a shared ingest pipeline that is used both by the new `ftd` and the existing `asa` filesets. As a side effect of this, it improves the existing ASA fileset so that it uses custom syslog message decoding instead of relying on Filebeat's syslog input, which has caused compatibility problems with some ASA devices. Closes elastic#12690
adriansr · Aug 28, 2019 · 7ac9cdd · 7ac9cdd
1 parent 67fe9fd
commit 7ac9cdd
Show file tree

Hide file tree

Showing 39 changed files with 10,114 additions and 745 deletions.
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -1501,6 +1501,212 @@ type: short
 
 --
 
+[float]
+=== ftd
+
+Fields for Cisco Firepower Threat Defense Firewall.
+
+
+
+*`cisco.ftd.message_id`*::
++
+--
+The Cisco FTD message identifier.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.suffix`*::
++
+--
+Optional suffix after %FTD identifier.
+
+
+type: keyword
+
+example: session
+
+--
+
+*`cisco.ftd.source_interface`*::
++
+--
+Source interface for the flow or event.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.destination_interface`*::
++
+--
+Destination interface for the flow or event.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.list_id`*::
++
+--
+Name of the Access Control List that matched this event.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.source_username`*::
++
+--
+Name of the user that is the source for this event.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.destination_username`*::
++
+--
+Name of the user that is the destination for this event.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.mapped_source_ip`*::
++
+--
+The translated source IP address.
+
+
+type: ip
+
+--
+
+*`cisco.ftd.mapped_source_port`*::
++
+--
+The translated source port.
+
+
+type: long
+
+--
+
+*`cisco.ftd.mapped_destination_ip`*::
++
+--
+The translated destination IP address.
+
+
+type: ip
+
+--
+
+*`cisco.ftd.mapped_destination_port`*::
++
+--
+The translated destination port.
+
+
+type: long
+
+--
+
+*`cisco.ftd.threat_level`*::
++
+--
+Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.threat_category`*::
++
+--
+Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.connection_id`*::
++
+--
+Unique identifier for a flow.
+
+
+type: keyword
+
+--
+
+*`cisco.ftd.icmp_type`*::
++
+--
+ICMP type.
+
+
+type: short
+
+--
+
+*`cisco.ftd.icmp_code`*::
++
+--
+ICMP code.
+
+
+type: short
+
+--
+
+*`cisco.ftd.security`*::
++
+--
+Raw fields for Security Events.
+
+type: object
+
+--
+
+*`cisco.ftd.dns.question.name`*::
++
+--
+type: keyword
+
+--
+
+*`cisco.ftd.dns.question.type`*::
++
+--
+type: keyword
+
+--
+
+*`cisco.ftd.dns.answers.ttl`*::
++
+--
+type: long
+
+--
+
+*`cisco.ftd.dns.answers.type`*::
++
+--
+type: keyword
+
+--
+
 [float]
 === ios
 

diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
@@ -12,10 +12,12 @@ This file is generated! See scripts/docs_collector.py
 
 beta[]
 
-This is a module for Cisco network device's logs. The `asa` fileset supports
-Cisco ASA firewall logs received over syslog or read from a file. And the `ios`
-fileset supports Cisco IOS router and switch logs received over syslog or read
-from a file.
+This is a module for Cisco network device's logs. It includes the following
+filesets for receiving logs over syslog or read from a file:
+
+- `asa` fileset: supports Cisco ASA firewall logs.
+- `ftd` fileset: supports Cisco Firepower Threat Defense logs.
+- `ios` fileset: supports Cisco IOS router and switch logs.
 
 Cisco ASA devices also support exporting flow records using NetFlow, which is
 supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in
@@ -103,6 +105,149 @@ The UDP port to listen for syslog traffic. Defaults to 9001.
 
 :fileset_ex!:
 
+[float]
+==== `ftd` fileset settings
+
+The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log
+messages similar to that of ASA devices as well as Security Event Syslog
+Messages for Intrusion, Connection, File and Malware events.
+
+*ECS Field mapping*
+
+The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common
+Schema (ECS) format. The following table illustrates the mapping from
+Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no
+corresponding ECS field available.
+
+Mappings for Intrusion events fields:
+[options="header"]
+|====================================
+| FTD Field | Mapped fields
+| ApplicationProtocol | network.protocol
+| DstIP | destination.ip
+| DstPort | destination.port
+| EgressInterface | cisco.ftd.destination_interface
+| GID | service.id
+| HTTPResponse | http.response.status_code
+| IngressInterface | cisco.ftd.source_interface
+| InlineResult | event.outcome
+| IntrusionPolicy | cisco.ftd.list_id
+| Message | message
+| Protocol | network.transport
+| SrcIP | source.ip
+| SrcPort | source.port
+| User | user.id, user.name
+| WebApplication | network.application
+|====================================
+
+Mappings for Connection and Security Intelligence events fields:
+[options="header"]
+|====================================
+| FTD Field | Mapped fields
+| ACPolicy | cisco.ftd.list_id
+| AccessControlRuleAction | event.outcome
+| AccessControlRuleName | cisco.ftd.list_id
+| ApplicationProtocol | network.protocol
+| ConnectionDuration | event.duration
+| DNSQuery | cisco.ftd.dns.question.name
+| DNSRecordType | cisco.ftd.dns.question.type
+| DNSResponseType | cisco.ftd.dns.answers.type
+| DNS_TTL | cisco.ftd.dns.answers.ttl
+| DstIP | destination.ip
+| DstPort | destination.port
+| EgressInterface | cisco.ftd.destination_interface
+| HTTPReferer | http.request.referrer
+| HTTPResponse | http.response.status_code
+| IngressInterface | cisco.ftd.source_interface
+| InitiatorBytes | source.bytes
+| InitiatorPackets | source.packets
+| NetBIOSDomain | host.hostname
+| Protocol | network.transport
+| ReferencedHost | url.domain
+| ResponderBytes | destination.bytes
+| ResponderPackets | destination.packets
+| SSLActualAction | event.outcome
+| SSLServerName | server.domain
+| SrcIP | source.ip
+| SrcPort | source.port
+| URL | url.original
+| User | user.name
+| UserAgent | user_agent.original
+| WebApplication | network.application
+| originalClientSrcIP | client.ip
+|====================================
+
+Mappings for File and Malware events fields:
+[options="header"]
+|====================================
+| FTD Field | Mapped fields
+| ApplicationProtocol | network.protocol
+| ArchiveFileName | file.path
+| ArchiveSHA256 | file.hash
+| Client | network.application
+| DstIP | destination.ip
+| DstPort | destination.port
+| FileName | file.path
+| FilePolicy | cisco.ftd.list_id
+| FileSize | file.size
+| FileType | file.type
+| FirstPacketSecond | event.start
+| Protocol | network.transport
+| SrcIP | source.ip
+| SrcPort | source.port
+| URI | url.original
+| User | user.name
+| WebApplication | network.application
+|====================================
+
+*Example configuration:*
+
+[source,yaml]
+----
+- module: cisco
+  ftd:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9003
+    var.log_level: 5
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.log_level`*::
+
+An integer between 1 and 7 that allows to filter messages based on the
+severity level. The different severity levels supported by the Cisco ASA are:
+
+[width="30%",cols="^1,2",options="header"]
+|===========================
+| log_level | severity
+|     1     | Alert
+|     2     | Critical
+|     3     | Error
+|     4     | Warning
+|     5     | Notification
+|     6     | Informational
+|     7     | Debugging
+|===========================
+
+A value of 7 (default) will not filter any messages. A lower value will drop
+any messages with a severity level higher than the specified value. For
+example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical)
+and 3 (Error). All other messages will be dropped.
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to 9003.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
 [float]
 ==== `ios` fileset settings