diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2740d86e0e90..51647af264ae 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -1501,6 +1501,212 @@ type: short -- +[float] +=== ftd + +Fields for Cisco Firepower Threat Defense Firewall. + + + +*`cisco.ftd.message_id`*:: ++ +-- +The Cisco FTD message identifier. + + +type: keyword + +-- + +*`cisco.ftd.suffix`*:: ++ +-- +Optional suffix after %FTD identifier. + + +type: keyword + +example: session + +-- + +*`cisco.ftd.source_interface`*:: ++ +-- +Source interface for the flow or event. + + +type: keyword + +-- + +*`cisco.ftd.destination_interface`*:: ++ +-- +Destination interface for the flow or event. + + +type: keyword + +-- + +*`cisco.ftd.list_id`*:: ++ +-- +Name of the Access Control List that matched this event. + + +type: keyword + +-- + +*`cisco.ftd.source_username`*:: ++ +-- +Name of the user that is the source for this event. + + +type: keyword + +-- + +*`cisco.ftd.destination_username`*:: ++ +-- +Name of the user that is the destination for this event. + + +type: keyword + +-- + +*`cisco.ftd.mapped_source_ip`*:: ++ +-- +The translated source IP address. + + +type: ip + +-- + +*`cisco.ftd.mapped_source_port`*:: ++ +-- +The translated source port. + + +type: long + +-- + +*`cisco.ftd.mapped_destination_ip`*:: ++ +-- +The translated destination IP address. + + +type: ip + +-- + +*`cisco.ftd.mapped_destination_port`*:: ++ +-- +The translated destination port. + + +type: long + +-- + +*`cisco.ftd.threat_level`*:: ++ +-- +Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + +type: keyword + +-- + +*`cisco.ftd.threat_category`*:: ++ +-- +Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + +type: keyword + +-- + +*`cisco.ftd.connection_id`*:: ++ +-- +Unique identifier for a flow. + + +type: keyword + +-- + +*`cisco.ftd.icmp_type`*:: ++ +-- +ICMP type. + + +type: short + +-- + +*`cisco.ftd.icmp_code`*:: ++ +-- +ICMP code. + + +type: short + +-- + +*`cisco.ftd.security`*:: ++ +-- +Raw fields for Security Events. 
+ +type: object + +-- + +*`cisco.ftd.dns.question.name`*:: ++ +-- +type: keyword + +-- + +*`cisco.ftd.dns.question.type`*:: ++ +-- +type: keyword + +-- + +*`cisco.ftd.dns.answers.ttl`*:: ++ +-- +type: long + +-- + +*`cisco.ftd.dns.answers.type`*:: ++ +-- +type: keyword + +-- + [float] === ios diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 5c6441e556f3..39c26f7e2ab1 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -12,10 +12,12 @@ This file is generated! See scripts/docs_collector.py beta[] -This is a module for Cisco network device's logs. The `asa` fileset supports -Cisco ASA firewall logs received over syslog or read from a file. And the `ios` -fileset supports Cisco IOS router and switch logs received over syslog or read -from a file. +This is a module for Cisco network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `asa` fileset: supports Cisco ASA firewall logs. +- `ftd` fileset: supports Cisco Firepower Threat Defense logs. +- `ios` fileset: supports Cisco IOS router and switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
@@ -103,6 +105,149 @@ The UDP port to listen for syslog traffic. Defaults to 9001. :fileset_ex!: +[float] +==== `ftd` fileset settings + +The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log +messages similar to that of ASA devices as well as Security Event Syslog +Messages for Intrusion, Connection, File and Malware events. + +*ECS Field mapping* + +The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common +Schema (ECS) format. The following table illustrates the mapping from +Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no +corresponding ECS field available. + +Mappings for Intrusion events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| GID | service.id +| HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InlineResult | event.outcome +| IntrusionPolicy | cisco.ftd.list_id +| Message | message +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| User | user.id, user.name +| WebApplication | network.application +|==================================== + +Mappings for Connection and Security Intelligence events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ACPolicy | cisco.ftd.list_id +| AccessControlRuleAction | event.outcome +| AccessControlRuleName | cisco.ftd.list_id +| ApplicationProtocol | network.protocol +| ConnectionDuration | event.duration +| DNSQuery | cisco.ftd.dns.question.name +| DNSRecordType | cisco.ftd.dns.question.type +| DNSResponseType | cisco.ftd.dns.answers.type +| DNS_TTL | cisco.ftd.dns.answers.ttl +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| HTTPReferer | http.request.referrer +| 
HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InitiatorBytes | source.bytes +| InitiatorPackets | source.packets +| NetBIOSDomain | host.hostname +| Protocol | network.transport +| ReferencedHost | url.domain +| ResponderBytes | destination.bytes +| ResponderPackets | destination.packets +| SSLActualAction | event.outcome +| SSLServerName | server.domain +| SrcIP | source.ip +| SrcPort | source.port +| URL | url.original +| User | user.name +| UserAgent | user_agent.original +| WebApplication | network.application +| originalClientSrcIP | client.ip +|==================================== + +Mappings for File and Malware events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| ArchiveFileName | file.path +| ArchiveSHA256 | file.hash +| Client | network.application +| DstIP | destination.ip +| DstPort | destination.port +| FileName | file.path +| FilePolicy | cisco.ftd.list_id +| FileSize | file.size +| FileType | file.type +| FirstPacketSecond | event.start +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| URI | url.original +| User | user.name +| WebApplication | network.application +|==================================== + +*Example configuration:* + +[source,yaml] +---- +- module: cisco + ftd: + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. 
A lower value will drop +any messages with a severity level higher than the specified value. For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to 9003. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== `ios` fileset settings diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 83a944f7eedf..d9450fffe7ac 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -107,6 +107,24 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 8a42d938a2d1..b5d555b03b51 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml 
@@ -17,6 +17,24 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 2b19673057fa..e1da26a618a1 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -7,10 +7,12 @@ beta[] -This is a module for Cisco network device's logs. The `asa` fileset supports -Cisco ASA firewall logs received over syslog or read from a file. And the `ios` -fileset supports Cisco IOS router and switch logs received over syslog or read -from a file. +This is a module for Cisco network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `asa` fileset: supports Cisco ASA firewall logs. +- `ftd` fileset: supports Cisco Firepower Threat Defense logs. +- `ios` fileset: supports Cisco IOS router and switch logs. Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in 
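Review bot: The new `ftd` block ships with `enabled: true`, matching the `ios` block beneath it, and its default input is `syslog`, so enabling the cisco module now also starts a further UDP listener (port 9003 by default) on hosts that only receive `asa` or `ios` logs, and nothing in the comments says so. The module evidently defaults every fileset to enabled, so rather than flip the default I would add one line above the block, `# Each enabled fileset with the syslog input binds its own UDP port; disable the filesets you do not receive logs for.`, and extend the `var.syslog_host` comment where `0.0.0.0` is suggested with `# Binding 0.0.0.0 exposes an unauthenticated UDP port; restrict it with a host firewall to the sending devices.` The same text appears in the earlier `x-pack/filebeat/filebeat.reference.yml` hunk, which looks like a generated copy and would pick the wording up on regeneration.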
@@ -98,6 +100,149 @@ The UDP port to listen for syslog traffic. Defaults to 9001. :fileset_ex!: +[float] +==== `ftd` fileset settings + +The Cisco FTD fileset primarily supports parsing IPv4 and IPv6 access list log +messages similar to that of ASA devices as well as Security Event Syslog +Messages for Intrusion, Connection, File and Malware events. + +*ECS Field mapping* + +The `ftd` fileset maps Security Event Syslog Messages to the Elastic Common +Schema (ECS) format. The following table illustrates the mapping from +Security Event fields to ECS. The `cisco.ftd` prefix is used when there is no +corresponding ECS field available. + +Mappings for Intrusion events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| GID | service.id +| HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InlineResult | event.outcome +| IntrusionPolicy | cisco.ftd.list_id +| Message | message +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| User | user.id, user.name +| WebApplication | network.application +|==================================== + +Mappings for Connection and Security Intelligence events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ACPolicy | cisco.ftd.list_id +| AccessControlRuleAction | event.outcome +| AccessControlRuleName | cisco.ftd.list_id +| ApplicationProtocol | network.protocol +| ConnectionDuration | event.duration +| DNSQuery | cisco.ftd.dns.question.name +| DNSRecordType | cisco.ftd.dns.question.type +| DNSResponseType | cisco.ftd.dns.answers.type +| DNS_TTL | cisco.ftd.dns.answers.ttl +| DstIP | destination.ip +| DstPort | destination.port +| EgressInterface | cisco.ftd.destination_interface +| HTTPReferer | http.request.referrer +| 
HTTPResponse | http.response.status_code +| IngressInterface | cisco.ftd.source_interface +| InitiatorBytes | source.bytes +| InitiatorPackets | source.packets +| NetBIOSDomain | host.hostname +| Protocol | network.transport +| ReferencedHost | url.domain +| ResponderBytes | destination.bytes +| ResponderPackets | destination.packets +| SSLActualAction | event.outcome +| SSLServerName | server.domain +| SrcIP | source.ip +| SrcPort | source.port +| URL | url.original +| User | user.name +| UserAgent | user_agent.original +| WebApplication | network.application +| originalClientSrcIP | client.ip +|==================================== + +Mappings for File and Malware events fields: +[options="header"] +|==================================== +| FTD Field | Mapped fields +| ApplicationProtocol | network.protocol +| ArchiveFileName | file.path +| ArchiveSHA256 | file.hash +| Client | network.application +| DstIP | destination.ip +| DstPort | destination.port +| FileName | file.path +| FilePolicy | cisco.ftd.list_id +| FileSize | file.size +| FileType | file.type +| FirstPacketSecond | event.start +| Protocol | network.transport +| SrcIP | source.ip +| SrcPort | source.port +| URI | url.original +| User | user.name +| WebApplication | network.application +|==================================== + +*Example configuration:* + +[source,yaml] +---- +- module: cisco + ftd: + var.syslog_host: 0.0.0.0 + var.syslog_port: 9003 + var.log_level: 5 +---- + +include::../include/var-paths.asciidoc[] + +*`var.log_level`*:: + +An integer between 1 and 7 that allows to filter messages based on the +severity level. The different severity levels supported by the Cisco ASA are: + +[width="30%",cols="^1,2",options="header"] +|=========================== +| log_level | severity +| 1 | Alert +| 2 | Critical +| 3 | Error +| 4 | Warning +| 5 | Notification +| 6 | Informational +| 7 | Debugging +|=========================== + +A value of 7 (default) will not filter any messages. 
A lower value will drop +any messages with a severity level higher than the specified value. For +example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical) +and 3 (Error). All other messages will be dropped. + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to 9003. + +:has-dashboards!: + +:fileset_ex!: + [float] ==== `ios` fileset settings diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 32e87abc8388..68e985ae5448 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -1,8 +1,8 @@ {{ if eq .input "syslog" }} -type: syslog -protocol.udp: - host: "{{.syslog_host}}:{{.syslog_port}}" +type: udp +udp: +host: "{{.syslog_host}}:{{.syslog_port}}" {{ else if eq .input "file" }} diff --git a/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml deleted file mode 100644 index d117cdcb94ec..000000000000 --- a/x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml +++ /dev/null 
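Review bot: In this rendering the added `host:` line sits at column 0 directly after `udp:`, which would leave `udp:` as an empty key and put `host` at the input's top level; if the real file indents `host` beneath `udp:` the whitespace was lost here, otherwise `udp:` is a dead key and should be dropped. Beyond layout, moving the `asa` syslog path from the `syslog` input to the raw `udp` input changes what the ingest pipeline receives: any `<PRI>` and header bytes the syslog input used to parse out now arrive inside `message`, so the grok that anchors on `%ASA` (the `ASA_PREFIX` definition in the pipeline this commit deletes, presumably relocated) has to absorb them. That is likely intended, but a test fixture with a raw `<PRI>`-prefixed datagram would pin it down, and a one-line comment such as `# raw udp input: the syslog header is handled by the ingest pipeline grok` would explain the switch to the next reader.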
@@ -1,511 +0,0 @@ -description: "Pipeline for Cisco ASA" -processors: - - - grok: - field: message - patterns: - - "(:?%{ASA_DATE:_temp_.raw_date})?%{ASA_PREFIX}-(:?%{ASA_SUFFIX:cisco.asa.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:cisco.asa.message_id}:?\\s*%{GREEDYDATA:log.original}" - pattern_definitions: - ASA_PREFIX: "%{DATA}%ASA" - ASA_SUFFIX: "[^0-9-]+" - ASA_DATE: "(:?%{DAY} )?%{MONTH} *%{MONTHDAY}(:? %{YEAR})? %{TIME}(:? %{TZ})?" - -# -# Drop messages above configured log_level -# - - drop: - if: "ctx.event.severity > {< .log_level >}" - -# -# Parse the date included in ASA logs -# - - date: - field: "_temp_.raw_date" - ignore_failure: true - formats: - - "MMM d HH:mm:ss" - - "MMM dd HH:mm:ss" - - "EEE MMM d HH:mm:ss" - - "EEE MMM dd HH:mm:ss" - - "MMM d HH:mm:ss z" - - "MMM dd HH:mm:ss z" - - "EEE MMM d HH:mm:ss z" - - "EEE MMM dd HH:mm:ss z" - - "MMM d yyyy HH:mm:ss" - - "MMM dd yyyy HH:mm:ss" - - "EEE MMM d yyyy HH:mm:ss" - - "EEE MMM dd yyyy HH:mm:ss" - - "MMM d yyyy HH:mm:ss z" - - "MMM dd yyyy HH:mm:ss z" - - "EEE MMM d yyyy HH:mm:ss z" - - "EEE MMM dd yyyy HH:mm:ss z" - - date: - if: "ctx.event.timezone != null" - field: "@timestamp" - formats: ["ISO8601"] - timezone: "{{ event.timezone }}" - on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - -# -# Set log.level -# - - set: - field: "log.level" - if: "ctx.event.severity == 1" - value: alert - - set: - field: "log.level" - if: "ctx.event.severity == 2" - value: critical - - set: - field: "log.level" - if: "ctx.event.severity == 3" - value: error - - set: - field: "log.level" - if: "ctx.event.severity == 4" - value: warning - - set: - field: "log.level" - if: "ctx.event.severity == 5" - value: notification - - set: - field: "log.level" - if: "ctx.event.severity == 6" - value: informational - - set: - field: "log.level" - if: "ctx.event.severity == 7" - value: debug - -# -# Firewall messages -# - - set: - field: "event.action" - value: 
"firewall-rule" - - dissect: - if: "ctx.cisco.asa.message_id == '106001'" - field: "log.original" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106002'" - field: "log.original" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106006'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106007'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106010'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} %{} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106013'" - field: "log.original" - pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}" - - set: - if: "ctx.cisco.asa.message_id == '106013'" - field: "network.transport" - value: icmp - - set: - if: "ctx.cisco.asa.message_id == '106013'" - field: "network.direction" - value: inbound - - dissect: - if: "ctx.cisco.asa.message_id == '106014'" - field: "log.original" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip} %{}dst %{cisco.asa.destination_interface}:%{destination.ip} 
%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106015'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106016'" - field: "log.original" - pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106017'" - field: "log.original" - pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106018'" - field: "log.original" - pattern: "%{network.transport} packet type %{cisco.asa.icmp_type} %{event.outcome} by %{network.direction} list %{cisco.asa.list_id} src %{source.ip} dest %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106020'" - field: "log.original" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}" - - dissect: - if: "ctx.cisco.asa.message_id == '106021'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106022'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '106023'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} src %{cisco.asa.source_interface}:%{source.ip}/%{source.port} dst %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{cisco.asa.list_id}\"%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106027'" - field: "log.original" - pattern: "%{} 
%{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{cisco.asa.list_id}\"" - - dissect: - if: "ctx.cisco.asa.message_id == '106100'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} %{cisco.asa.source_interface}/%{source.ip}(%{source.port}) -> %{cisco.asa.destination_interface}/%{destination.ip}(%{destination.port}) %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106102'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '106103'" - field: "log.original" - pattern: "access-list %{cisco.asa.list_id} %{event.outcome} %{network.transport} for user %{cisco.asa.username} %{cisco.asa.source_interface}/%{source.ip} %{source.port} %{cisco.asa.destination_interface}/%{destination.ip} %{destination.port} %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '304001'" - field: "log.original" - pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}" - - set: - if: "ctx.cisco.asa.message_id == '304001'" - field: "event.outcome" - value: allow - - dissect: - if: "ctx.cisco.asa.message_id == '304002'" - field: "log.original" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313001'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313004'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type}, from%{}addr %{source.ip} on interface 
%{cisco.asa.source_interface} to %{destination.ip}: no matching session" - - dissect: - if: "ctx.cisco.asa.message_id == '313005'" - field: "log.original" - pattern: "No matching connection for %{network.transport} error message: %{} on %{cisco.asa.source_interface} interface.%{}riginal IP payload: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '313008'" - field: "log.original" - pattern: "%{event.outcome} %{network.transport} type=%{cisco.asa.icmp_type} , code=%{cisco.asa.icmp_code} from %{source.ip} on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '313009'" - field: "log.original" - pattern: "%{event.outcome} invalid %{network.transport} code %{cisco.asa.icmp_code} , for %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}" - - dissect: - if: "ctx.cisco.asa.message_id == '322001'" - field: "log.original" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{cisco.asa.source_interface}" - - dissect: - if: "ctx.cisco.asa.message_id == '338001'" - field: "log.original" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338001'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338002'" - field: "log.original" - 
pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338002'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338003'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338004'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338005'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} 
(%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338005'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338006'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338006'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338007'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338008'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - dissect: - if: "ctx.cisco.asa.message_id == '338101'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338101'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338102'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}" - - set: - if: "ctx.cisco.asa.message_id == '338102'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338103'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to 
%{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '338104'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{}" - - dissect: - if: "ctx.cisco.asa.message_id == '338201'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338201'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338202'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: 
%{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338202'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338203'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}source %{} resolved from %{cisco.asa.list_id} list: %{source.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338203'" - field: "server.domain" - value: "{{source.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338204'" - field: "log.original" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} (%{cisco.asa.mapped_source_ip}/%{cisco.asa.mapped_source_port}) to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port} (%{cisco.asa.mapped_destination_ip}/%{cisco.asa.mapped_destination_port})%{}destination %{} resolved from %{cisco.asa.list_id} list: %{destination.domain}, threat-level: %{cisco.asa.threat_level}, category: %{cisco.asa.threat_category}" - - set: - if: "ctx.cisco.asa.message_id == '338204'" - field: "server.domain" - value: "{{destination.domain}}" - - dissect: - if: "ctx.cisco.asa.message_id == '338301'" - field: "log.original" - pattern: "Intercepted DNS reply for domain %{source.domain} from %{cisco.asa.source_interface}:%{source.ip}/%{source.port} to %{cisco.asa.destination_interface}:%{destination.ip}/%{destination.port}, matched %{cisco.asa.list_id}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "client.ip" - value: "{{destination.ip}}" - - set: - if: 
"ctx.cisco.asa.message_id == '338301'" - field: "client.port" - value: "{{destination.port}}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "server.ip" - value: "{{source.ip}}" - - set: - if: "ctx.cisco.asa.message_id == '338301'" - field: "server.port" - value: "{{source.port}}" - -# -# Handle 302xxx messages (Flow expiration a.k.a "Teardown") -# - - set: - if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)" - field: "event.action" - value: "flow-expiration" - - grok: - field: "log.original" - if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx.cisco.asa.message_id)" - patterns: - - "Teardown %{NOTSPACE:network.transport} (:?state-bypass )?connection %{NOTSPACE:cisco.asa.connection_id} (:?for|from) %{NOTCOLON:cisco.asa.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?to %{NOTCOLON:cisco.asa.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} (:?%{NOTSPACE:cisco.asa.destination_username} )?(:?duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" - - "Teardown %{NOTSPACE:network.transport} connection for faddr (:?%{NOTCOLON:cisco.asa.source_interface}:)?%{IP:source.ip}/%{NUMBER:source.port:int} (:?%{NOTSPACE:cisco.asa.source_username} )?gaddr (:?%{NOTCOLON}:)?%{IP}/%{NUMBER} laddr (:?%{NOTCOLON:cisco.asa.destination_interface}:)?%{IP:destination.ip}/%{NUMBER:destination.port:int}(:? 
%{NOTSPACE:cisco.asa.destination_username})?%{GREEDYDATA}" - pattern_definitions: - NOTCOLON: "[^:]*" - -# -# Process the flow duration "hh:mm:ss" present in some messages -# This will fill event.start, event.end and event.duration -# - - script: - lang: painless - if: "ctx?._temp_?.duration_hms != null" - source: > - long parse_hms(String s) { - long cur = 0, total = 0; - for (char c: s.toCharArray()) { - if (c >= (char)'0' && c <= (char)'9') { - cur = (cur*10) + (long)c - (char)'0'; - } else if (c == (char)':') { - total = (total + cur) * 60; - cur = 0; - } else { - return 0; - } - } - return total + cur; - } - if (ctx?.event == null) { - ctx['event'] = new HashMap(); - } - String end = ctx['@timestamp']; - ctx.event['end'] = end; - long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; - ctx.event['duration'] = nanos; - ctx.event['start'] = ZonedDateTime.ofInstant( - Instant.parse(end).minusNanos(nanos), - ZoneOffset.UTC); - -# -# Normalize protocol names -# - - lowercase: - field: "network.transport" - ignore_missing: true - - lowercase: - field: "network.protocol" - ignore_missing: true - -# -# Normalize event.outcome -# - - lowercase: - field: "event.outcome" - ignore_missing: true - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"est-allowed\"" - value: allow - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"permitted\"" - value: allow - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"denied\"" - value: deny - - set: - field: "event.outcome" - if: "ctx.event?.outcome == \"dropped\"" - value: deny - - - set: - field: "network.transport" - if: "ctx.network?.transport == \"icmpv6\"" - value: "ipv6-icmp" - -# -# Convert integer fields, as output of dissect processor is always a string -# - - convert: - field: "source.port" - type: integer - ignore_failure: true - - convert: - field: "destination.port" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.mapped_source_port" - type: integer - 
ignore_failure: true - - convert: - field: "cisco.asa.mapped_destination_port" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.icmp_code" - type: integer - ignore_failure: true - - convert: - field: "cisco.asa.icmp_type" - type: integer - ignore_failure: true - -# -# Geolocation for source and destination addresses -# - - geoip: - field: "source.ip" - target_field: "source.geo" - ignore_missing: true - - geoip: - field: "destination.ip" - target_field: "destination.geo" - ignore_missing: true - -# -# IP Autonomous System (AS) Lookup -# - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - -# -# Remove temporary fields -# - - remove: - field: - - message - - _temp_ - ignore_missing: true - -on_failure: - - set: - field: "error.message" - value: "{{ _ingest.on_failure_message }}" - - remove: - field: - - _temp_ - ignore_missing: true diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 0366432ca7a6..9a87696d0237 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml +++ b/x-pack/filebeat/module/cisco/asa/manifest.yml 
@@ -19,8 +19,13 @@ var: min_elasticsearch_version: version: 6.1.0 value: false + # These flags are used internally by the shared pipeline + - name: internal_prefix + default: asa + - name: internal_PREFIX + default: ASA -ingest_pipeline: ingest/pipeline.yml +ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index c404a1420d74..c2712ff51f84 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -8,10 +8,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 0, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -26,10 +29,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 150, - "log.original": "Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "log.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
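Review bot: The two new vars `internal_prefix: asa` and `internal_PREFIX: ASA` carry one value in two spellings with nothing tying them together, so an edit to either (or a copy of this manifest into another fileset) can silently desynchronise them; judging by the shared pipeline's name and the `%ASA-6-…:` header retained in `log.original` in the fixtures, the lower-case form presumably selects the `cisco.asa.*` field namespace and the upper-case form the `%PREFIX-` syslog header match, so a mismatch would make events parse under one fileset's header and be tagged under another's fields — the pipeline itself is outside this hunk, so that reading should be confirmed. The comment line also calls them "flags", which they are not; I would replace it with `# internal_prefix / internal_PREFIX: lower- and upper-case spelling of this fileset's name, consumed by the shared asa-ftd pipeline; keep them in sync`. Separately, `ingest_pipeline` now points above the fileset directory via `../shared/ingest/…`, whereas the previous value was fileset-local; worth confirming that the fileset loader and the module packaging step resolve a relative path that escapes the fileset directory, and that `asa-ftd-pipeline.yml` is the only pipeline the loader needs (no `ingest/` sub-pipelines left behind by the deleted file).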
@@ -52,12 +58,16 @@
 "event.start": "2018-10-10T12:33:49.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 345,
- "log.original": "Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I",
 "network.bytes": 38110,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.211.242",
 "source.port": 80,
@@ -82,12 +92,16 @@
 "event.start": "2018-10-10T12:33:49.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 535,
- "log.original": "Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I",
 "network.bytes": 44010,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.211.242",
 "source.port": 80,
@@ -112,12 +126,16 @@
 "event.start": "2018-10-10T12:33:49.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 725,
- "log.original": "Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I",
 "network.bytes": 7652,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.185.90",
 "source.port": 80,
@@ -142,12 +160,16 @@
 "event.start": "2018-10-10T12:33:49.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 913,
- "log.original": "Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I",
 "network.bytes": 7062,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.185.90",
 "source.port": 80,
@@ -172,12 +194,16 @@
 "event.start": "2018-10-10T12:33:48.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1101,
- "log.original": "Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I",
 "network.bytes": 5738,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.160.197",
 "source.port": 80,
@@ -202,12 +228,16 @@
 "event.start": "2018-10-10T12:33:48.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1290,
- "log.original": "Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I",
 "network.bytes": 4176,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.205.14",
 "source.port": 80,
@@ -232,12 +262,16 @@
 "event.start": "2018-10-10T12:33:48.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1478,
- "log.original": "Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I",
 "network.bytes": 1715,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.124.33",
 "source.port": 80,
@@ -262,12 +296,16 @@
 "event.start": "2018-10-10T12:33:47.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1666,
- "log.original": "Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I",
 "network.bytes": 45595,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.35.9",
 "source.port": 80,
@@ -292,12 +330,16 @@
 "event.start": "2018-10-10T12:33:47.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 1853,
- "log.original": "Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I",
 "network.bytes": 27359,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.211.242",
 "source.port": 80,
@@ -322,12 +364,16 @@
 "event.start": "2018-10-10T12:33:47.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2043,
- "log.original": "Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I",
 "network.bytes": 4457,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.218.21",
 "source.port": 80,
@@ -352,12 +398,16 @@
 "event.start": "2018-10-10T12:33:47.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2231,
- "log.original": "Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I",
 "network.bytes": 26709,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.198.27",
 "source.port": 80,
@@ -382,12 +432,16 @@
 "event.start": "2018-10-10T12:33:47.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2420,
- "log.original": "Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I",
 "network.bytes": 22097,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.198.27",
 "source.port": 80,
@@ -412,12 +466,16 @@
 "event.start": "2018-10-10T12:33:46.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2609,
- "log.original": "Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I",
 "network.bytes": 2209,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.202.211",
 "source.port": 80,
@@ -442,12 +500,16 @@
 "event.start": "2018-10-10T12:33:49.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2798,
- "log.original": "Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I",
 "network.bytes": 10404,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.124.15",
 "source.port": 80,
@@ -472,12 +534,16 @@
 "event.start": "2018-10-10T12:33:46.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 2987,
- "log.original": "Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I",
 "network.bytes": 123694,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.124.15",
 "source.port": 80,
@@ -502,12 +568,16 @@
 "event.start": "2018-10-10T12:33:45.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3177,
- "log.original": "Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I",
 "network.bytes": 35835,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.209.247",
 "source.port": 80,
@@ -532,12 +602,16 @@
 "event.start": "2018-10-10T12:34:26.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3367,
- "log.original": "Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout",
 "network.bytes": 0,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.35.162",
 "source.port": 80,
@@ -554,10 +628,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3552,
- "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188",
+ "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -572,10 +649,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3703,
- "log.original": "Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -598,12 +678,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 3896,
- "log.original": "Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148",
 "network.bytes": 148,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.80.32",
 "source.port": 53,
@@ -620,10 +704,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4071,
- "log.original": "Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -646,12 +733,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4264,
- "log.original": "Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164",
 "network.bytes": 164,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.252.6",
 "source.port": 53,
@@ -668,10 +759,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4439,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -686,10 +780,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4589,
- "log.original": "Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -704,10 +801,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4784,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -722,10 +822,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 4934,
- "log.original": "Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -740,10 +843,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5129,
- "log.original": "Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -758,10 +864,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5326,
- "log.original": "Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -784,12 +893,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5519,
- "log.original": "Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111",
 "network.bytes": 111,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.238.126",
 "source.port": 53,
@@ -814,12 +927,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5696,
- "log.original": "Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237",
 "network.bytes": 237,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.93.51",
 "source.port": 53,
@@ -836,10 +953,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5871,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -854,10 +974,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6021,
- "log.original": "Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -872,10 +995,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6218,
- "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189",
+ "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -890,10 +1016,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6369,
- "log.original": "Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -908,10 +1037,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6566,
- "log.original": "Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -934,12 +1066,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6759,
- "log.original": "Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87",
 "network.bytes": 87,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.240.126",
 "source.port": 53,
@@ -964,12 +1100,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6935,
- "log.original": "Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221",
 "network.bytes": 221,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.44.45",
 "source.port": 53,
@@ -986,10 +1126,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7110,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1004,10 +1147,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7260,
- "log.original": "Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1022,10 +1168,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7455,
- "log.original": "Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1040,10 +1189,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7652,
- "log.original": "Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1066,12 +1218,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7849,
- "log.original": "Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101",
 "network.bytes": 101,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.157.232",
 "source.port": 53,
@@ -1096,12 +1252,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8026,
- "log.original": "Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126",
 "network.bytes": 126,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.178.133",
 "source.port": 53,
@@ -1118,10 +1278,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8203,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1136,10 +1299,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8353,
- "log.original": "Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1162,12 +1328,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8548,
- "log.original": "Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs",
 "network.bytes": 862,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.133.112",
 "source.port": 80,
@@ -1184,10 +1354,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8733,
- "log.original": "Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1210,12 +1383,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8930,
- "log.original": "Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "network.bytes": 104,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.157.232",
 "source.port": 53,
@@ -1240,12 +1417,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9107,
- "log.original": "Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176",
 "network.bytes": 176,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.204.197",
 "source.port": 53,
@@ -1262,10 +1443,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9284,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1280,10 +1464,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9434,
- "log.original": "Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1298,10 +1485,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9625,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1316,10 +1506,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9775,
- "log.original": "Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1334,10 +1527,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9966,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1352,10 +1548,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10116,
- "log.original": "Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1370,10 +1569,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10307,
- "log.original": "Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1396,12 +1598,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10500,
- "log.original": "Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104",
 "network.bytes": 104,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.100.4",
 "source.port": 53,
@@ -1418,10 +1624,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10675,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1436,10 +1645,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10825,
- "log.original": "Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1454,10 +1666,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11018,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1472,10 +1687,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11168,
- "log.original": "Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1490,10 +1708,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11361,
- "log.original": "Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1516,12 +1737,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11554,
- "log.original": "Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
 "network.bytes": 593,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.198.40",
 "source.port": 80,
@@ -1538,10 +1763,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11738,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1556,10 +1784,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11888,
- "log.original": "Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1582,12 +1813,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12081,
- "log.original": "Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
+ "log.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
 "network.bytes": 375,
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.1.107",
 "source.port": 53,
@@ -1604,10 +1839,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12256,
- "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1622,10 +1860,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12406,
- "log.original": "Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1640,10 +1881,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12599,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1658,10 +1902,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12769,
- "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1676,10 +1923,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12920,
- "log.original": "Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1694,10 +1944,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13115,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1712,10 +1965,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13285,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1730,10 +1986,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13455,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1748,10 +2007,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13625,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1766,10 +2028,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13795,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1784,10 +2049,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 13965,
- "log.original": "Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30",
+ "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1810,12 +2078,16 @@
 "event.start": "2018-10-10T12:29:31.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 14135,
- "log.original": "Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
 "network.bytes": 575,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.115.46",
 "source.port": 80,
@@ -1840,12 +2112,16 @@
 "event.start": "2018-10-10T12:34:56.000Z",
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 14320,
- "log.original": "Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
+ "log.original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
 "network.bytes": 5391,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.19.254",
 "source.port": 80,
@@ -1862,10 +2138,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 14509,
- "log.original": "Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278",
+ "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1880,10 +2159,13 @@
 "event.severity": 6,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 14660,
- "log.original": "Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1904,11 +2186,15 @@
 "event.severity": 4,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 14855,
- "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.19.254",
 "source.port": 80,
@@ -1931,11 +2217,15 @@
 "event.severity": 4,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 15020,
- "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.19.254",
 "source.port": 80,
@@ -1958,11 +2248,15 @@
 "event.severity": 4,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 15185,
- "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.19.254",
 "source.port": 80,
@@ -1985,11 +2279,15 @@
 "event.severity": 4,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "localhost",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 15350,
- "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
 "service.type": "cisco",
 "source.ip": "100.66.19.254",
 "source.port": 80,
@@ -2012,11 +2310,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15515, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2039,11 +2341,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15680, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2066,11 +2372,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 15845, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2093,11 +2403,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16010, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2120,11 +2434,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16175, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2147,11 +2465,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16340, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2174,11 +2496,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16505, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2201,11 +2527,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16670, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, @@ -2228,11 +2558,15 @@ "event.severity": 4, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "warning", "log.offset": 16835, - "log.original": "Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "source.ip": "100.66.19.254", "source.port": 80, 
@@ -2249,10 +2583,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17000, - "log.original": "Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -2267,10 +2604,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17150, - "log.original": "Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "log.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" @@ -2285,10 +2625,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17343, - "log.original": "Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -2303,10 +2646,13 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 17494, - "log.original": "Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "log.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, "service.type": "cisco", "tags": [ "cisco-asa" diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 901e68fd3d35..c6c885247939 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -8,10 +8,13 @@ "event.severity": 7, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "beats", "input.type": "log", "log.level": "debug", "log.offset": 0, - "log.original": "This message is not filtered.", + "log.original": "%ASA-7-999999: This message is not filtered.", + "process.name": "asa", + "process.pid": 1234, "service.type": "cisco", "tags": [ "cisco-asa" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log index 2f3e126bb9ad..d583acdc132e 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log 
@@ -37,22 +37,22 @@ Apr 30 2013 09:23:41: %ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
-Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
-Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:24 %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
-Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
-Dec 11 2018 08:01:31 %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
-Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:38 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
-Dec 11 2018 08:01:39 %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
-Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
-Dec 11 2018 08:01:53 %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
-Aug 15 2012 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 : %ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 : %ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 : %ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09 : %ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
 Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
 Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
 Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 1bb10b9825f7..02c60b258c6c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -17,7 +17,8 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 0,
- "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.2.30",
@@ -44,7 +45,8 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 139,
- "log.original": "Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.2.30",
@@ -72,7 +74,8 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 294,
- "log.original": "access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "log.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.2.16",
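Review bot: The rewritten `Aug 15 2012 23:30:09 :` line at the end of the sample.log hunk drops the colon after the message ID (`%ASA-6-302016 Teardown UDP connection 40 ...`), while the fifteen `Dec 11 2018` lines rewritten alongside it all keep `%ASA-6-302015:` / `%ASA-4-106023:` / `%ASA-6-302013:`; nothing in the diff explains why that one header should differ, and it changes the format the parser is being asked to accept. If the missing colon is deliberate, add it as a separate new sample line instead of mutating an existing one, so the old shape stays covered, and make sure the expected output for it (outside this chunk) shows the message ID still resolving; if it is a typo, restore `%ASA-6-302016:`. The carried-over `identity:10.0.13.13/80port>` on the second `Dec 11` line is presumably a deliberate malformed-port case, but since sample.log has no comment syntax it deserves a sentence in the PR description.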
@@ -96,10 +99,12 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "INT-FW01", "input.type": "log", "log.level": "informational", "log.offset": 465, - "log.original": "access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "log.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "172.29.2.101", @@ -123,10 +128,12 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "INT-FW01", "input.type": "log", "log.level": "informational", "log.offset": 632, - "log.original": "access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "log.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "172.29.2.3", @@ -147,7 +154,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, - "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "log.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -165,7 +172,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, - "log.original": "Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "log.original": "%ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -183,7 +190,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1110, - "log.original": "Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", + "log.original": "%ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "service.type": "cisco", "tags": [ "cisco-asa" @@ -201,7 +208,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1237, - "log.original": "Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "log.original": "%ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -219,7 +226,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1405, - "log.original": "Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "log.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "service.type": "cisco", "tags": [ "cisco-asa" 
@@ -237,7 +244,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1531, - "log.original": "Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "log.original": "%ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -263,8 +270,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 1696, - "log.original": "Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "log.original": "%ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "network.bytes": 140, + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.222", @@ -295,8 +303,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 1848, - "log.original": "Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "log.original": "%ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "network.bytes": 9999999, + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.222", 
@@ -316,10 +325,12 @@ "event.severity": 6, "event.timezone": "+00:00", "fileset.name": "asa", + "host.hostname": "FJSG2NRFW01", "input.type": "log", "log.level": "informational", "log.offset": 2012, - "log.original": "Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "log.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "network.iana_number": 1, "network.transport": "icmp", "service.type": "cisco", "source.ip": "172.24.177.29", @@ -340,7 +351,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2167, - "log.original": "Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "service.type": "cisco", "tags": [ "cisco-asa" @@ -358,7 +369,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2293, - "log.original": "Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "log.original": "%ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "service.type": "cisco", "tags": [ "cisco-asa" @@ -379,8 +390,9 @@ "input.type": "log", "log.level": "critical", "log.offset": 2458, - "log.original": "Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "log.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "network.direction": "inbound", + "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", 
@@ -408,7 +420,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 2567, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -435,7 +448,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 2726, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -462,7 +476,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 2887, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", 
@@ -489,7 +504,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3048, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -516,7 +532,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3209, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -543,7 +560,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3370, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", 
@@ -570,7 +588,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3531, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", @@ -597,7 +616,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3692, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -624,7 +644,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 3851, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.13", @@ -651,7 +672,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 4008, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", 
@@ -676,8 +698,9 @@ "input.type": "log", "log.level": "critical", "log.offset": 4167, - "log.original": "Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "log.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "network.direction": "inbound", + "network.iana_number": 17, "network.transport": "udp", "service.type": "cisco", "source.ip": "192.0.2.66", @@ -701,8 +724,9 @@ "input.type": "log", "log.level": "critical", "log.offset": 4278, - "log.original": "Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "log.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "network.direction": "inbound", + "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", "service.type": "cisco", @@ -730,7 +754,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 4387, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -757,7 +782,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 4546, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.46", 
@@ -784,7 +810,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 4707, - "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -811,7 +838,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 4866, - "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -838,7 +866,8 @@ "input.type": "log", "log.level": "notification", "log.offset": 5022, - "log.original": "access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "log.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "10.0.0.16", @@ -865,7 +894,8 @@ "input.type": "log", "log.level": "warning", "log.offset": 5178, - "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "log.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.iana_number": 6, "network.transport": "tcp", "service.type": "cisco", "source.ip": "192.0.2.126", 
@@ -892,7 +922,8 @@
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 5325,
- "log.original": "Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
+ "log.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "192.0.2.126",
@@ -919,7 +950,8 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 5472,
- "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "log.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.0.0.46",
@@ -946,7 +978,8 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 5635,
- "log.original": "access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "log.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.0.0.16",
@@ -974,7 +1007,8 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 5796,
- "log.original": "access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "log.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.0.0.16",
@@ -995,7 +1029,8 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5967,
- "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)",
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1012,8 +1047,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6141,
- "log.original": "Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)",
+ "log.offset": 6142,
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1036,9 +1072,11 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 6320,
- "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
+ "log.offset": 6322,
+ "log.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.168.1.33",
 "source.port": 5555,
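Review bot: The new `+ "process.name": ""` lines in this hunk record an empty string where the field should simply be absent, which indicates the shared pipeline assigns `process.name` even when the syslog header carries no program name; the same blank value recurs in later hunks of this fixture. An empty keyword is still indexed: it satisfies `exists` queries, shows up as a blank bucket in aggregations, and hides whether the sender identified itself at all. The pipeline, which is outside this diff, should drop the field when the capture is empty, for example a `remove` processor guarded by `if: ctx.process?.name == ''`, after which these fixture lines would disappear. This is inferred from the expected output only; the grok/dissect stage that produces the value is not visible here.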
@@ -1063,9 +1101,11 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 6469,
- "log.original": "Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
+ "log.offset": 6472,
+ "log.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]",
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.168.1.33",
 "source.port": 5555,
@@ -1084,8 +1124,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6618,
- "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
+ "log.offset": 6622,
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1102,8 +1143,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6787,
- "log.original": "Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
+ "log.offset": 6792,
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1128,10 +1170,12 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6956,
- "log.original": "Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs",
+ "log.offset": 6962,
+ "log.original": "%ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs",
 "network.bytes": 14804,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1158,10 +1202,12 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7120,
- "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
+ "log.offset": 7127,
+ "log.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
 "network.bytes": 134781,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1188,10 +1234,12 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7285,
- "log.original": "Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
+ "log.offset": 7293,
+ "log.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs",
 "network.bytes": 134781,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1214,9 +1262,11 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7450,
- "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
+ "log.offset": 7459,
+ "log.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1239,9 +1289,11 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7591,
- "log.original": "Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
+ "log.offset": 7601,
+ "log.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1266,9 +1318,11 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 7732,
- "log.original": "Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]",
+ "log.offset": 7743,
+ "log.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]",
+ "network.iana_number": 17,
 "network.transport": "udp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.168.1.34",
 "source.port": 5679,
@@ -1287,8 +1341,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7882,
- "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
+ "log.offset": 7894,
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1305,8 +1360,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 8055,
- "log.original": "Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
+ "log.offset": 8068,
+ "log.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)",
+ "process.name": "",
 "service.type": "cisco",
 "tags": [
 "cisco-asa"
@@ -1331,10 +1387,12 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 8228,
- "log.original": "Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs",
+ "log.offset": 8242,
+ "log.original": "%ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs",
 "network.bytes": 11420,
+ "network.iana_number": 6,
 "network.transport": "tcp",
+ "process.name": "",
 "service.type": "cisco",
 "source.ip": "192.0.2.222",
 "source.port": 1234,
@@ -1361,9 +1419,10 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 8392,
- "log.original": "Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416",
+ "log.offset": 8407,
+ "log.original": "%ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416",
 "network.bytes": 1416,
+ "network.iana_number": 17,
 "network.transport": "udp",
 "service.type": "cisco",
 "source.ip": "10.44.4.4",
@@ -1384,10 +1443,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 8533,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
+ "log.offset": 8549,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1406,10 +1466,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 8654,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
+ "log.offset": 8670,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1428,10 +1489,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 8775,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
+ "log.offset": 8791,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1450,10 +1512,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 8896,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
+ "log.offset": 8912,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1472,10 +1535,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 9017,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
+ "log.offset": 9033,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1494,10 +1558,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 9138,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
+ "log.offset": 9154,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1516,10 +1581,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 9259,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
+ "log.offset": 9275,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1538,10 +1604,11 @@
 "event.severity": 2,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 9381,
- "log.original": "Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
+ "log.offset": 9397,
+ "log.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "service.type": "cisco",
 "source.ip": "0.0.0.0",
 "tags": [
@@ -1563,10 +1630,12 @@
 "event.severity": 4,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 9503,
- "log.original": "Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"",
+ "log.offset": 9519,
+ "log.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "192.0.2.95",
@@ -1588,10 +1657,12 @@
 "event.severity": 3,
 "event.timezone": "+00:00",
 "fileset.name": "asa",
+ "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.level": "error",
- "log.offset": 9657,
- "log.original": "Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside",
+ "log.offset": 9673,
+ "log.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside",
+ "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
 "source.ip": "10.2.3.5",
@@ -1614,8 +1685,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 9767,
- "log.original": "Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session",
+ "log.offset": 9783,
+ "log.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session",
+ "network.iana_number": 1,
 "network.transport": "icmp",
 "service.type": "cisco",
 "source.ip": "172.16.30.2",
@@ -1645,8 +1717,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 9903,
- "log.original": "Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com",
+ "log.offset": 9919,
+ "log.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "server.domain": "bad.example.com",
 "service.type": "cisco",
@@ -1679,8 +1752,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 10154,
- "log.original": "Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
+ "log.offset": 10170,
+ "log.original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.1.1",
@@ -1712,8 +1786,9 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 10453,
- "log.original": "Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
+ "log.offset": 10469,
+ "log.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
+ "network.iana_number": 6,
 "network.transport": "tcp",
 "service.type": "cisco",
 "source.ip": "10.1.1.1",
@@ -1735,8 +1810,8 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 10750,
- "log.original": "10.30.30.30 Accessed URL 192.0.2.1:/app",
+ "log.offset": 10766,
+ "log.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app",
 "service.type": "cisco",
 "source.ip": "10.30.30.30",
 "tags": [
@@ -1757,8 +1832,8 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 10827,
- "log.original": "10.5.111.32 Accessed URL 192.0.2.32:http://example.com",
+ "log.offset": 10843,
+ "log.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com",
 "service.type": "cisco",
 "source.ip": "10.5.111.32",
 "tags": [
@@ -1780,8 +1855,8 @@
 "fileset.name": "asa",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 10919,
- "log.original": "Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
+ "log.offset": 10935,
+ "log.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
 "service.type": "cisco",
 "source.ip": "10.69.6.39",
 "tags": [
diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go
index 56718bde0dc7..be1dc60e766f 100644
--- a/x-pack/filebeat/module/cisco/fields.go
+++ b/x-pack/filebeat/module/cisco/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetCisco returns asset data.
 // This is the base64 encoded gzipped contents of module/cisco.
 func AssetCisco() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
new file mode 100644
index 000000000000..fed61b8647dd
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml
@@ -0,0 +1,107 @@
+- name: ftd
+ type: group
+ description: >
+ Fields for Cisco Firepower Threat Defense Firewall.
+ fields:
+ - name: message_id
+ type: keyword
+ description: >
+ The Cisco FTD message identifier.
+
+ - name: suffix
+ type: keyword
+ example: session
+ description: >
+ Optional suffix after %FTD identifier.
+
+ - name: source_interface
+ type: keyword
+ description: >
+ Source interface for the flow or event.
+
+ - name: destination_interface
+ type: keyword
+ description: >
+ Destination interface for the flow or event.
+
+ - name: list_id
+ type: keyword
+ description: >
+ Name of the Access Control List that matched this event.
+
+ - name: source_username
+ type: keyword
+ description: >
+ Name of the user that is the source for this event.
+
+ - name: destination_username
+ type: keyword
+ description: >
+ Name of the user that is the destination for this event.
+
+ - name: mapped_source_ip
+ type: ip
+ description: >
+ The translated source IP address.
+
+ - name: mapped_source_port
+ type: long
+ description: >
+ The translated source port.
+
+ - name: mapped_destination_ip
+ type: ip
+ description: >
+ The translated destination IP address.
+
+ - name: mapped_destination_port
+ type: long
+ description: >
+ The translated destination port.
+
+ - name: threat_level
+ type: keyword
+ description: >
+ Threat level for malware / botnet traffic. One of very-low, low,
+ moderate, high or very-high.
+
+ - name: threat_category
+ type: keyword
+ description: >
+ Category for the malware / botnet traffic. For example: virus, botnet,
+ trojan, etc.
+
+ - name: connection_id
+ type: keyword
+ description: >
+ Unique identifier for a flow.
+
+ - name: icmp_type
+ type: short
+ description: >
+ ICMP type.
+
+ - name: icmp_code
+ type: short
+ description: >
+ ICMP code.
+
+ - name: security
+ type: object
+ description:
+ Raw fields for Security Events.
+
+
+ # TODO: These DNS fields must be moved outside cisco.ftd once dns support
+ # is added to ECS.
+ - name: dns.question.name
+ type: keyword
+
+ - name: dns.question.type
+ type: keyword
+
+ - name: dns.answers.ttl
+ type: long
+
+ - name: dns.answers.type
+ type: keyword
diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml
new file mode 100644
index 000000000000..9d23b77f2e41
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml
@@ -0,0 +1,20 @@
+{{ if eq .input "syslog" }}
+
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+ - add_locale: ~
diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml
new file mode 100644
index 000000000000..dfcd093ac86e
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml
@@ -0,0 +1,32 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ default: [cisco-ftd]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9003
+ - name: input
+ default: syslog
+ - name: log_level
+ default: 7
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+ # These flags are used internally by the shared pipeline
+ - name: internal_prefix
+ default: ftd
+ - name: internal_PREFIX
+ default: FTD
+ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log b/x-pack/filebeat/module/cisco/ftd/test/asa.log
new file mode 100644
index 000000000000..9f0a0b8b5984
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log
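Review bot: `- name: security` / `type: object` declares `cisco.ftd.security` as an open object with no key list, so every key name and value type comes straight from the message text that the firewall, or anyone who can reach the syslog listener, emits. Each distinct key becomes a new mapped field until `index.mapping.total_fields.limit` is reached and documents start being rejected, and a key that is numeric in one message and textual in the next produces a mapping conflict for the index. At minimum pin the value type with `object_type: keyword` under `type: object`, and consider enumerating the known Security Event keys rather than leaving the object fully dynamic. The description should also say that the keys are defined by the message, not by this fileset, so operators know to budget the field limit.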
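Review bot: `type: udp` with `host: "{{.syslog_host}}:{{.syslog_port}}"` accepts syslog datagrams with no sender authentication, so anything able to reach the port can inject fabricated `%FTD` events that the pipeline then indexes as genuine firewall telemetry, including forged allow/deny decisions. The `syslog_host: localhost` default in the manifest limits exposure, but nothing in the input or manifest says why that default matters. Add a comment above the `type: udp` line such as `# UDP syslog carries no sender authentication; keep syslog_host on a trusted interface or front it with a TCP/TLS relay, since forged datagrams are indexed as-is.` and repeat the caveat in the fileset docs. The user-facing documentation for this fileset is not in this chunk, so I cannot tell whether it already says this.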
@@ -0,0 +1,268 @@
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1459 to outside:100.66.98.44/8272 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst 
inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0] +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP 
connection 11800 for outside:100.66.14.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 373 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11801 for outside:100.66.252.210/53 (100.66.252.210/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11801 for outside:100.66.252.210/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 207 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11802 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1276 (172.31.98.44/1276) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11803 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1277 (172.31.98.44/1277) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11802 for outside:100.66.98.165/80 to inside:172.31.98.44/1276 duration 0:00:00 bytes 12853 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11804 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1278 (172.31.98.44/1278) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11803 for outside:100.66.98.165/80 to inside:172.31.98.44/1277 duration 0:00:00 bytes 5291 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from 
inside:172.31.98.44/1279 to outside:100.66.98.44/8283 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11805 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1279 (172.31.98.44/1279) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11804 for outside:100.66.98.165/80 to inside:172.31.98.44/1278 duration 0:00:00 bytes 965 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11805 for outside:100.66.98.165/80 to inside:172.31.98.44/1279 duration 0:00:00 bytes 8605 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11806 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1280 (172.31.98.44/1280) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11806 for outside:100.66.98.165/80 to inside:172.31.98.44/1280 duration 0:00:00 bytes 3428 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11807 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1281 (172.31.98.44/1281) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11808 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1282 (172.31.98.44/1282) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11809 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1283 (172.31.98.44/1283) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11810 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1284 (172.31.98.44/1284) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11807 for outside:100.66.98.165/80 to inside:172.31.98.44/1281 duration 0:00:00 bytes 2028 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11808 for outside:100.66.98.165/80 to inside:172.31.98.44/1282 duration 0:00:00 bytes 1085 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11809 for outside:100.66.98.165/80 to inside:172.31.98.44/1283 duration 0:00:00 bytes 868 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11811 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1285 (172.31.98.44/1285) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11812 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1286 (172.31.98.44/1286) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11810 for outside:100.66.98.165/80 to inside:172.31.98.44/1284 duration 0:00:00 bytes 4439 TCP FINs +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11813 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1287 (172.31.98.44/1287) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11811 for outside:100.66.98.165/80 to inside:172.31.98.44/1285 duration 0:00:00 bytes 914 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11812 for outside:100.66.98.165/80 to inside:172.31.98.44/1286 duration 0:00:00 bytes 871 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11814 for outside:100.66.100.107/53 (100.66.100.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11815 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1288 (172.31.98.44/1288) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11814 for outside:100.66.100.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 384 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11816 for outside:100.66.104.8/53 (100.66.104.8/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11816 for outside:100.66.104.8/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 94 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1289 to outside:100.66.98.44/8293 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11817 for outside:100.66.123.191/80 (100.66.123.191/80) to inside:172.31.98.44/1289 (172.31.98.44/1289) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11815 for outside:100.66.98.165/80 to inside:172.31.98.44/1288 duration 0:00:00 bytes 945 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11813 for outside:100.66.98.165/80 to inside:172.31.98.44/1287 duration 0:00:00 bytes 13284 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11818 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11818 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1290 to outside:100.66.98.44/8294 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11819 for outside:100.66.198.25/80 (100.66.198.25/80) to inside:172.31.98.44/1290 (172.31.98.44/1290) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 9828 for outside:100.66.48.1/67 to NP Identity Ifc:255.255.255.255/68 duration 0:58:46 bytes 58512 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1272 to outside:100.66.98.44/8276 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11820 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11821 for outside:100.66.162.30/53 (100.66.162.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost 
CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11820 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 168 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11822 for outside:100.66.3.39/53 (100.66.3.39/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11821 for outside:100.66.162.30/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 198 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11822 for outside:100.66.3.39/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11823 for outside:100.66.48.186/53 (100.66.48.186/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11823 for outside:100.66.48.186/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 84 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1291 to outside:100.66.98.44/8295 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11824 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1291 (172.31.98.44/1291) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11825 for outside:100.66.254.94/53 (100.66.254.94/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11825 for outside:100.66.254.94/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 188 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1292 to outside:100.66.98.44/8296 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built 
outbound TCP connection 11826 for outside:100.66.54.190/80 (100.66.54.190/80) to inside:172.31.98.44/1292 (172.31.98.44/1292) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11827 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1293 (172.31.98.44/1293) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11828 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1294 (172.31.98.44/1294) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11827 for outside:100.66.98.165/80 to inside:172.31.98.44/1293 duration 0:00:00 bytes 5964 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11829 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1295 (172.31.98.44/1295) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11830 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1296 (172.31.98.44/1296) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11828 for outside:100.66.98.165/80 to inside:172.31.98.44/1294 duration 0:00:00 bytes 6694 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11829 for outside:100.66.98.165/80 
to inside:172.31.98.44/1295 duration 0:00:00 bytes 1493 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11830 for outside:100.66.98.165/80 to inside:172.31.98.44/1296 duration 0:00:00 bytes 893 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11831 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1297 (172.31.98.44/1297) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11832 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1298 (172.31.98.44/1298) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11833 for outside:100.66.179.9/53 (100.66.179.9/53) to inside:172.31.98.44/56132 (172.31.98.44/56132) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11833 for outside:100.66.179.9/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 150 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11831 for outside:100.66.98.165/80 to inside:172.31.98.44/1297 duration 0:00:00 bytes 2750 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11834 for outside:100.66.247.99/80 (100.66.247.99/80) to inside:172.31.98.44/1299 (172.31.98.44/1299) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 +Oct 10 
2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11835 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1300 (172.31.98.44/1300) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11832 for outside:100.66.98.165/80 to inside:172.31.98.44/1298 duration 0:00:00 bytes 881 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11835 for outside:100.66.98.165/80 to inside:172.31.98.44/1300 duration 0:00:00 bytes 2202 TCP FINs +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11836 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1301 (172.31.98.44/1301) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11837 for outside:100.66.98.165/80 (100.66.98.165/80) to inside:172.31.98.44/1302 (172.31.98.44/1302) +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1276 to outside:100.66.98.44/8280 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1277 to outside:100.66.98.44/8281 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1278 to outside:100.66.98.44/8282 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1279 to outside:100.66.98.44/8283 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: 
Teardown dynamic TCP translation from inside:172.31.98.44/1280 to outside:100.66.98.44/8284 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1281 to outside:100.66.98.44/8285 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1282 to outside:100.66.98.44/8286 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1283 to outside:100.66.98.44/8287 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1284 to outside:100.66.98.44/8288 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1285 to outside:100.66.98.44/8289 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1286 to outside:100.66.98.44/8290 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1287 to outside:100.66.98.44/8291 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1288 to outside:100.66.98.44/8292 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1293 to outside:100.66.98.44/8297 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1294 to outside:100.66.98.44/8298 duration 0:00:30 +Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1304 to outside:100.66.98.44/8308 +Oct 10 2018 12:34:56 
localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11840 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1304 (172.31.98.44/1304)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1295 to outside:100.66.98.44/8299 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1296 to outside:100.66.98.44/8300 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11841 for outside:100.66.0.124/53 (100.66.0.124/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302015: Built outbound UDP connection 11842 for outside:100.66.160.2/53 (100.66.160.2/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11841 for outside:100.66.0.124/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 318
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11842 for outside:100.66.160.2/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1305 to outside:100.66.98.44/8309
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11843 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1305 (172.31.98.44/1305)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1297 to outside:100.66.98.44/8301 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1298 to outside:100.66.98.44/8302 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1299 to outside:100.66.98.44/8303 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1300 to outside:100.66.98.44/8304 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1301 to outside:100.66.98.44/8305 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1302 to outside:100.66.98.44/8306 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1303 to outside:100.66.98.44/8307 duration 0:00:30
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302014: Teardown TCP connection 11843 for outside:100.66.124.24/80 to inside:172.31.98.44/1305 duration 0:00:04 bytes 410333 TCP Reset-I
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1306 to outside:100.66.98.44/8310
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302013: Built outbound TCP connection 11844 for outside:100.66.124.24/80 (100.66.124.24/80) to inside:172.31.98.44/1306 (172.31.98.44/1306)
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:100.66.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
new file mode 100644
index 000000000000..7b011a0d77a8
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -0,0 +1,2661 @@ +[ + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 150, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11749", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1758, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 345, + "log.original": "%ASA-6-302014: Teardown TCP 
connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", + "network.bytes": 38110, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11748", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1757, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 535, + "log.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", + "network.bytes": 44010, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11745", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1755, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + 
"event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 725, + "log.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", + "network.bytes": 7652, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.185.90", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11744", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1754, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 913, + "log.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", + "network.bytes": 7062, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.185.90", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11742", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1752, + "event.action": "flow-expiration", + "event.dataset": 
"cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1101, + "log.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", + "network.bytes": 5738, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.160.197", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11738", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1749, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1290, + "log.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", + "network.bytes": 4176, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.205.14", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11739", + "cisco.ftd.destination_interface": "inside", + 
"cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1750, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:48.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1478, + "log.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", + "network.bytes": 1715, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.33", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11731", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1747, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1666, + "log.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", + "network.bytes": 45595, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.35.9", + 
"source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11723", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1742, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 1853, + "log.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", + "network.bytes": 27359, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.211.242", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11715", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1741, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2043, + "log.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", + 
"network.bytes": 4457, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.218.21", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11711", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1739, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2231, + "log.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", + "network.bytes": 26709, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.27", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11712", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1740, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 69000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:47.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": 
"informational", + "log.offset": 2420, + "log.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", + "network.bytes": 22097, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.27", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11708", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1738, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 70000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:46.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2609, + "log.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", + "network.bytes": 2209, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.202.211", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11746", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1756, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 67000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + 
"event.severity": 6, + "event.start": "2018-10-10T12:33:49.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2798, + "log.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", + "network.bytes": 10404, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.15", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11706", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1737, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 70000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:46.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 2987, + "log.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", + "network.bytes": 123694, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.124.15", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11702", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + 
"destination.port": 1736, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 71000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:33:45.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3177, + "log.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", + "network.bytes": 35835, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.209.247", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11753", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1765, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:26.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3367, + "log.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.35.162", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + 
"cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3552, + "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3703, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11758", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 3896, + "log.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 
duration 0:00:00 bytes 148", + "network.bytes": 148, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.80.32", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4071, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11759", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4264, + "log.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", + "network.bytes": 164, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.252.6", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { 
+ "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4439, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4589, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4784, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": 
"cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 4934, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5129, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5326, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11762", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + 
"cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5519, + "log.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", + "network.bytes": 111, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.238.126", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11763", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5696, + "log.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", + "network.bytes": 237, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.93.51", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": 
"2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 5871, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6021, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6218, + "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + 
"event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6369, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6566, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11772", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6759, + "log.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", + "network.bytes": 87, + 
"network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.240.126", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11773", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 6935, + "log.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", + "network.bytes": 221, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.44.45", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7110, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + 
"event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7260, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7455, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7652, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11775", + "cisco.ftd.destination_interface": "inside", + 
"cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 7849, + "log.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", + "network.bytes": 101, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11776", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8026, + "log.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", + "network.bytes": 126, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.178.133", + "source.port": 53, + "tags": [ + 
"cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8203, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8353, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11777", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1453, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8548, + "log.original": "%ASA-6-302014: Teardown TCP 
connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", + "network.bytes": 862, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.133.112", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8733, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11778", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 8930, + "log.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "network.bytes": 104, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", 
+ "source.ip": "100.66.157.232", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11779", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9107, + "log.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", + "network.bytes": 176, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.204.197", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9284, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + 
"fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9434, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9625, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 9775, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": 
"informational", + "log.offset": 9966, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10116, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10307, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11783", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + 
"event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10500, + "log.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", + "network.bytes": 104, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.100.4", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10675, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 10825, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + 
"event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11018, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11168, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11361, + "log.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11784", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + 
"cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 1457, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11554, + "log.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", + "network.bytes": 593, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.198.40", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11738, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 11888, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to 
inside:172.31.98.44/1459 (172.31.98.44/1459)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11786", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 56132, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12081, + "log.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", + "network.bytes": 375, + "network.iana_number": 17, + "network.transport": "udp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.1.107", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12256, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + 
"event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12406, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12599, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12769, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + 
"host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 12920, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13115, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13285, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + 
"log.offset": 13455, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13625, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13795, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305012", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 13965, + "log.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to 
outside:100.66.98.44/8273 duration 0:00:30", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11564", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1382, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 325000000000, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:29:31.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14135, + "log.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", + "network.bytes": 575, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.115.46", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.156.80", + "destination.port": 1385, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-10-10T12:34:56.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-10-10T12:34:56.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14320, + "log.original": "%ASA-6-302014: Teardown TCP connection 11797 for 
outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", + "network.bytes": 5391, + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14509, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 14660, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + 
"event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 14855, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15020, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + 
"input.type": "log", + "log.level": "warning", + "log.offset": 15185, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15350, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15515, + "log.original": "%ASA-4-106023: Deny tcp 
src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15680, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 15845, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + 
"network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16010, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16175, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + 
"service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16340, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16505, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + 
{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16670, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "inbound", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "172.31.98.44", + "destination.port": 8277, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "warning", + "log.offset": 16835, + "log.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "source.ip": "100.66.19.254", + "source.port": 80, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": 
"firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 17000, + "log.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 17150, + "log.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "localhost", + "input.type": "log", + "log.level": "informational", + "log.offset": 17343, + "log.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", + "process.name": "CiscoASA", + "process.pid": 999, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-10-10T12:34:56.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + 
"fileset.name": "ftd",
+ "host.hostname": "localhost",
+ "input.type": "log",
+ "log.level": "informational",
+ "log.offset": 17494,
+ "log.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
+ "process.name": "CiscoASA",
+ "process.pid": 999,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log b/x-pack/filebeat/module/cisco/ftd/test/filtered.log
new file mode 100644
index 000000000000..aa78fd10d1b0
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log
@@ -0,0 +1,2 @@
+Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.
+Jan 1 2019 01:00:30 beats asa[1234]: %FTD-8-999999: This phony message is dropped due to log level.
diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json
new file mode 100644
index 000000000000..d3e1c3e0b96d
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json
@@ -0,0 +1,23 @@
+[
+ {
+ "@timestamp": "2019-01-01T01:00:27.000Z",
+ "cisco.ftd.message_id": "999999",
+ "event.action": "firewall-rule",
+ "event.dataset": "cisco.ftd",
+ "event.module": "cisco",
+ "event.severity": 7,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "beats",
+ "input.type": "log",
+ "log.level": "debug",
+ "log.offset": 0,
+ "log.original": "%FTD-7-999999: This message is not filtered.",
+ "process.name": "asa",
+ "process.pid": 1234,
+ "service.type": "cisco",
+ "tags": [
+ "cisco-ftd"
+ ]
+ }
+]
\ No newline at end of file
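Review bot: The expected output for filtered.log pins `"event.action": "firewall-rule"` on message ID 999999, which the fixture itself calls a phony ID, so any %FTD message the pipeline has no mapping for appears to be labelled as a firewall-rule event by default; earlier in this diff the 305011/305012 NAT translation and 302013 connection-built messages carry the same action with no source/destination or network fields extracted, so detections keyed on event.action would count NAT and unknown messages as rule hits. If that default is deliberate it should be documented in the fixture or the fields reference; otherwise the pipeline should leave event.action unset for unmapped IDs and this expectation should change accordingly. The second fixture line uses severity 8, presumably dropped because syslog severities only run 0–7 — worth stating in the test description since nothing in the expected JSON records why the event is absent (a comment cannot go in the .log file itself without becoming an input line). The 302013 "Built outbound TCP connection" lines in the earlier hunk also lose their interface, IP and port information, which the 302014 teardown events do extract; extending the parser to the built events is the more useful fix but lies outside these hunks.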
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log
new file mode 100644
index 000000000000..707bd4f4e54e
Binary files /dev/null and b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log differ
diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json
new file mode 100644
index 000000000000..8bfcfe95c1e9
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json
@@ -0,0 +1,615 @@ +[ + { + "@timestamp": "2019-08-14T13:56:30.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:19.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 194, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=Banner, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:26.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ChangeReconciliation.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 386, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/ChangeReconciliation.cgi, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:34.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 568, + 
"log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=IntrusionPolicyPrefs, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:57:43.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 774, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /admin/lights_out_mgmt.cgi, Page View\u0000x0a\u0000x00", + "process.name": "lights_out_mgmt.cgi", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:02.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 943, + "log.original": "siem-management: admin@10.0.255.31, Cloud Services, View url filtering settings\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:02.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1072, + "log.original": "siem-management: admin@10.0.255.31, Cloud Services, View amp settings\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:20.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + 
"log.level": "debug", + "log.offset": 1191, + "log.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:41.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1316, + "log.original": "siem-management: admin@10.0.255.31, Devices > Device Management, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:47.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1440, + "log.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Interfaces, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:52.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 1575, + "log.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:58:54.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + 
"log.level": "debug", + "log.offset": 1721, + "log.original": "siem-management: admin@10.0.255.31, Devices > Device Management > NGFW Device Summary, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:59:10.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1867, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T13:59:15.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 1984, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2128, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + 
"fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2285, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:00:37.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2436, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:12.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2580, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Save Policy ftd-policy\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:12.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2737, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Modified: Syslog\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:13.000Z", + "event.dataset": "cisco.ftd", + 
"event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 2888, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Platform Settings Editor, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:20.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 3032, + "log.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3143, + "log.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3267, + "log.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Global Configuration Generation\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:35.000Z", + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3440, + "log.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:36.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "ActionQueueScrape.pl", + "input.type": "log", + "log.level": "debug", + "log.offset": 3564, + "log.original": "siem-management: admin@localhost, Task Queue, Successful task completion : Pre-deploy Device Configuration for siem-ftd\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:55.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 3739, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:01:56.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 3874, + "log.original": "siem-management: admin@localhost, Task Queue, Policy Deployment to siem-ftd - SUCCESS\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + 
"@timestamp": "2019-08-14T14:01:57.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "sfdccsm", + "input.type": "log", + "log.level": "debug", + "log.offset": 4002, + "log.original": "siem-management: csm_processes@Default User IP, Login, Login Success\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:03.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 4113, + "log.original": "siem-management: admin@10.0.255.31, System > Monitoring > Syslog, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:11.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "index.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4238, + "log.original": "siem-management: admin@10.0.255.31, System > Monitoring > Audit, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:19.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "debug", + "log.offset": 4357, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration, Page View\u0000x0a\u0000x00", + "process.name": "mojo_server.pl", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": 
"2019-08-14T14:02:31.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4492, + "log.original": "siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:38.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4686, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Local System Configuration, Save Local System Configuration\u0000x0a\u0000x00", + "service.type": "cisco", + "syslog.facility": 14, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2019-08-14T14:02:38.000Z", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "platformSettingEdit.cgi", + "input.type": "log", + "log.level": "debug", + "log.offset": 4870, + "log.original": "siem-management: admin@10.0.255.31, Devices > Platform Settings > Audit Log Settings > Modified: Send Audit Log to Syslog enabled > Disabled", + "service.type": "cisco", + "syslog.facility": 14, + "syslog.priority": 2, + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log new file mode 100644 index 000000000000..c92f6380b333 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log 
@@ -0,0 +1,4 @@
+2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:57:02Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T10:04:44Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T10:09:47Z firepower %FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
new file mode 100644
index 000000000000..b3365c3640bd
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
@@ -0,0 +1,218 @@ +[ + { + "@timestamp": "2019-08-16T09:54:00.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Classification": "Attempted User Privilege Gain", + "cisco.ftd.security.Client": "Firefox", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.GID": "1", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.IntrusionPolicy": "intrusion-policy", + "cisco.ftd.security.Message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Priority": "1", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.Revision": "12", + "cisco.ftd.security.SID": "17279", + "cisco.ftd.security.SrcPort": "55644", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.0.100.30", + "destination.port": 80, + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "log.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User 
Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "network.application": "firefox", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 55644, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:57:02.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Classification": "Attempted User Privilege Gain", + "cisco.ftd.security.Client": "Firefox", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.GID": "1", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.IntrusionPolicy": "intrusion-policy", + "cisco.ftd.security.Message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Priority": "1", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.Revision": "12", + "cisco.ftd.security.SID": "17279", + "cisco.ftd.security.SrcPort": "55868", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.0.100.30", + "destination.port": 80, + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", 
+ "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 587, + "log.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", + "network.application": "firefox", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 55868, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T10:04:44.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.Classification": "Misc Activity", + "cisco.ftd.security.DstIP": "10.0.1.20", + "cisco.ftd.security.DstPort": "39114", + "cisco.ftd.security.EgressInterface": "inside", + "cisco.ftd.security.EgressZone": "input-zone", + "cisco.ftd.security.GID": "1", + "cisco.ftd.security.IngressInterface": "outside", + "cisco.ftd.security.IngressZone": "output-zone", + "cisco.ftd.security.IntrusionPolicy": "intrusion-policy", + "cisco.ftd.security.Message": "APP-DETECT failed FTP login attempt", + "cisco.ftd.security.NAPPolicy": "Balanced Security and 
Connectivity", + "cisco.ftd.security.Priority": "3", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.Revision": "6", + "cisco.ftd.security.SID": "13360", + "cisco.ftd.security.SrcPort": "21", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.1.20", + "destination.port": 39114, + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 1174, + "log.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "message": "APP-DETECT failed FTP login attempt", + "network.iana_number": 6, + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 21, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T10:09:47.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": [ + "intrusion-policy", + "default" + ], + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.Classification": "Misc Activity", + "cisco.ftd.security.DstIP": "10.0.1.20", + "cisco.ftd.security.DstPort": "40740", + "cisco.ftd.security.EgressInterface": "inside", + "cisco.ftd.security.EgressZone": "input-zone", + "cisco.ftd.security.GID": "1", + "cisco.ftd.security.IngressInterface": "outside", + 
"cisco.ftd.security.IngressZone": "output-zone", + "cisco.ftd.security.IntrusionPolicy": "intrusion-policy", + "cisco.ftd.security.Message": "APP-DETECT failed FTP login attempt", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Priority": "3", + "cisco.ftd.security.Protocol": "6", + "cisco.ftd.security.Revision": "6", + "cisco.ftd.security.SID": "13360", + "cisco.ftd.security.SrcPort": "21", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.1.20", + "destination.port": 40740, + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "debug", + "log.offset": 1662, + "log.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", + "message": "APP-DETECT failed FTP login attempt", + "network.iana_number": 6, + "network.transport": "tcp", + "service.id": "1", + "service.type": "cisco", + "source.port": 21, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log new file mode 100644 index 000000000000..c8033fb069e0 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log 
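Review bot: Every event in this expected output lacks `source.ip` and `cisco.ftd.security.SrcIP`, even though each input line in intrusion.log begins with `SrcIP: 10.0.1.20` (or `SrcIP: 10.0.100.30`) right after the message id, while `destination.ip`, `source.port` and every later key/value pair are captured — so the first key after `%FTD-0-430001:` appears to be swallowed by the parser, and these fixtures lock that omission in. For an IDS alert the attacker address is the field analysts pivot on, so the pipeline should be fixed and the fixture regenerated to contain `"cisco.ftd.security.SrcIP": "10.0.1.20"` and `"source.ip": "10.0.1.20"` (and the mirrored values for the two FTP events). Relatedly, the header `%FTD-0-430001` carries syslog severity 0 yet every event is expected with `"event.severity": 7` and `"log.level": "debug"`, whereas the `%ASA-3-430005` line in the no-type-id fixture yields severity 3 — presumably the zero is treated as "absent" and falls through to the default, which would demote the most critical syslog level to debug; worth confirming before pinning it here. Also the placeholder `No Authentication Required` is copied verbatim into `user.name` and `user.id`; treating that sentinel as a real identity will pollute user-centric detections, so those ECS fields are better left unset when the `User` value is this string.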
@@ -0,0 +1,4 @@
+Jan 11 2018 01:00:27 beats ftd[1234]: ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt
+Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2).
+Jan 11 2018 01:00:27 beats ftd[1234]: HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:
+Jan 11 2018 01:00:27 beats ftd[1234]: %ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311
diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
new file mode 100644
index 000000000000..038d4dc1c232
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json
@@ -0,0 +1,122 @@ +[ + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.ApplicationProtocol": "http", + "cisco.ftd.security.Client": "webserver", + "cisco.ftd.security.DstIP": "10.8.12.47", + "cisco.ftd.security.Message": "Intrusion attempt", + "cisco.ftd.security.SrcIP": "10.1.123.45", + "destination.ip": "10.8.12.47", + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "beats", + "input.type": "log", + "log.level": "debug", + "log.offset": 0, + "log.original": "ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", + "message": "Intrusion attempt", + "network.application": "webserver", + "network.protocol": "http", + "process.name": "ftd", + "process.pid": 1234, + "service.type": "cisco", + "source.ip": "10.1.123.45", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco.ftd.message_id": "430001", + "cisco.ftd.security.HTTPResponse": "404", + "cisco.ftd.security.Message": "Some message here (1:36330:2).", + "event.action": "intrusion-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "beats", + "http.response.status_code": "404", + "input.type": "log", + "log.level": "debug", + "log.offset": 150, + "log.original": "HTTPResponse: 404, Message: Some message here (1:36330:2).", + "message": "Some message here (1:36330:2).", + "process.name": "ftd", + "process.pid": 1234, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.HTTPResponse": "404", + "cisco.ftd.security.Message": "Some message here (1:36330:2)", + "event.action": "connection-started", + 
"event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 7, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "beats", + "http.response.status_code": "404", + "input.type": "log", + "log.level": "debug", + "log.offset": 247, + "log.original": "HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", + "message": "Some message here (1:36330:2)", + "process.name": "ftd", + "process.pid": 1234, + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-01-11T01:00:27.000Z", + "cisco.ftd.message_id": "430005", + "cisco.ftd.security.DstIP": "192.168.3.33", + "cisco.ftd.security.DstPort": "64311", + "cisco.ftd.security.HTTPResponse": "404", + "cisco.ftd.security.Message": [ + "This one has a type id", + "And two messages" + ], + "cisco.ftd.security.SrcIP": "127.0.0.1", + "cisco.ftd.security.SrcPort": "512", + "destination.ip": "192.168.3.33", + "destination.port": 64311, + "event.action": "malware-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 3, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "beats", + "http.response.status_code": "404", + "input.type": "log", + "log.level": "error", + "log.offset": 377, + "log.original": "%ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", + "message": [ + "This one has a type id", + "And two messages" + ], + "process.name": "ftd", + "process.pid": 1234, + "service.type": "cisco", + "source.ip": "127.0.0.1", + "source.port": 512, + "tags": [ + "cisco-ftd" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log b/x-pack/filebeat/module/cisco/ftd/test/sample.log new file mode 100644 index 000000000000..7f229bcdc644 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log 
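Review bot: `http.response.status_code` is expected as the string `"404"` in three of these events while the neighbouring numeric fields (`"destination.port": 64311`, `"process.pid": 1234`) are integers; ECS defines `http.response.status_code` as `long`, so the pipeline should convert it (a `convert` processor with `type: long` and `ignore_failure`) and the fixture should read `"http.response.status_code": 404`, otherwise range queries and aggregations on status codes break or the field hits a mapping conflict. The third event also shows that `cisco.ftd.message_id` and `event.action` are inferred from which keys are present: the same `HTTPResponse: 404, Message: ...` line is classified `430001`/`intrusion-detected` on line 2 but `430002`/`connection-started` on line 3 merely because empty `FileCount:`/`IngressZone:` keys were appended, which is a fragile basis for an action classification — the heuristic lives outside this hunk so I cannot see its rule, but it should at least ignore empty-valued keys, and the fixture deserves a sibling note explaining that line 3 exists to exercise exactly this behaviour. Finally, `message` in the fourth event is an array of two strings; ECS `message` is a single text field, so consider keeping only the first `Message:` value (or joining them) rather than emitting an array.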
@@ -0,0 +1,72 @@ +Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2013 09:36:50: %FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group "acl_dmz" [0xe3aab522, 0x0] +Apr 15 2014 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 24 2013 16:00:28 INT-FW01 : %FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0] +Apr 24 2013 16:00:27 INT-FW01 : %FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0] +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834) +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882 +Apr 29 2013 12:59:50: %FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882) +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392) +Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140 +Apr 29 2013 12:59:50: %FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to 
inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999 +Jun 04 2011 21:59:52 FJSG2NRFW01 : %FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233 +Apr 29 2013 12:59:50: %FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879 +Apr 29 2013 12:59:50: %FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879) +Apr 30 2013 09:22:33: %FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query +Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:38: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:39: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:40: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:41: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:47: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] +Apr 30 2013 09:22:48: %FTD-5-106100: access-list acl_in permitted tcp 
inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:22:56: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:02: %FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside
+Apr 30 2013 09:23:03: %FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query
+Apr 30 2013 09:23:06: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:08: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:15: %FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:24: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:34: %FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:40: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:41: %FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group "acl_out" [0x71761f18, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
+Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside
+Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21]
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)
+Dec 11 2018 08:01:53 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs
+Aug 15 2012 23:30:09: %FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416
+Sep 12 2014 06:50:53 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:01 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:05 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic
+Sep 12 2014 06:51:06 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:51:17 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic
+Sep 12 2014 06:52:48 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:00 GIFRCHN01 : %FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic
+Sep 12 2014 06:53:01 GIFRCHN01 : %FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group "PERMIT_IN" [0x0, 0x0]"
+Sep 12 2014 06:53:02 GIFRCHN01 : %FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside
+Jan 14 2015 13:16:13: %FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session
+Jan 14 2015 13:16:14: %FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com
+Jan 14 2015 13:16:14: %FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware
+Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
+Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
+Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
new file mode 100644
index 000000000000..ea219f7bdd76
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json
@@ -0,0 +1,1867 @@ +[ + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_dmz", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "log.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-15T09:36:50.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_dmz", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.8", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 139, + "log.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.30", + "source.port": 63016, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-04-15T13:34:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.suffix": "session", + "destination.ip": "192.0.0.89", 
+ "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 294, + "log.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.2.16", + "source.port": 2241, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-24T16:00:28.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "inside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.2.10", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "INT-FW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 465, + "log.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.101", + "source.port": 1039, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-24T16:00:27.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "inside", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.2.57", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "+00:00", + 
"fileset.name": "ftd", + "host.hostname": "INT-FW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 632, + "log.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "172.29.2.3", + "source.port": 1065, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 812, + "log.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 938, + "log.original": "%FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1110, + "log.original": "%FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to 
outside:192.0.2.130/25882", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1237, + "log.original": "%FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1405, + "log.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1531, + "log.original": "%FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.123.1.35", + 
"destination.port": 52925, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 5025000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2013-04-29T11:36:05.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1696, + "log.original": "%FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", + "network.bytes": 140, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.connection_id": "666", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.destination_username": "user2", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "cisco.ftd.source_username": "user1", + "destination.ip": "10.123.1.35", + "destination.port": 52925, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 36000000000000, + "event.end": "2013-04-29T12:59:50.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2013-04-29T02:59:50.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 1848, + "log.original": "%FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", + "network.bytes": 9999999, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 53, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2011-06-04T21:59:52.000Z", + "cisco.ftd.message_id": "302021", + "destination.ip": "192.168.132.46", + "destination.port": 17233, + 
"event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "FJSG2NRFW01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2012, + "log.original": "%FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "172.24.177.29", + "source.port": 0, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "305011", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 2167, + "log.original": "%FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-29T12:59:50.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 2293, + "log.original": "%FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:33.000Z", + "cisco.ftd.message_id": "106007", + "destination.ip": "10.1.2.60", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + 
"fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 2458, + "log.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", + "network.direction": "inbound", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.0.66", + "source.port": 12981, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2567, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2006, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:38.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2726, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit 
[0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49734, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 2887, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49735, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3048, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49736, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:39.000Z", + 
"cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3209, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49737, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:40.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3370, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49738, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:41.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": 
"firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3531, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49746, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:47.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 3692, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2007, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:48.000Z", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.168.33.31", + "destination.port": 25, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 
3851, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.13", + "source.port": 43013, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:22:56.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4008, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2008, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:02.000Z", + "cisco.ftd.message_id": "106006", + "cisco.ftd.source_interface": "inside", + "destination.ip": "10.1.2.42", + "destination.port": 137, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 4167, + "log.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 137, + "tags": [ + "cisco-ftd" + ] + }, + { + 
"@timestamp": "2013-04-30T09:23:03.000Z", + "cisco.ftd.message_id": "106007", + "destination.ip": "10.1.5.60", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "critical", + "log.offset": 4278, + "log.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", + "network.direction": "inbound", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.0.2.66", + "source.port": 12981, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:06.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4387, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2009, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:08.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + 
"event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4546, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49776, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:15.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4707, + "log.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2010, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 4866, + "log.original": "%FTD-5-106100: access-list acl_in denied tcp 
inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2011, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5022, + "log.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2012, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:40.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "acl_out", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 5178, + "log.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-ftd" + ] + }, + { + 
"@timestamp": "2013-04-30T09:23:41.000Z", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.list_id": "acl_out", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.0.0.132", + "destination.port": 8111, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 5325, + "log.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.126", + "source.port": 53638, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.88", + "destination.port": 40443, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5472, + "log.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.46", + "source.port": 49840, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2013-04-30T09:23:43.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.89", + "destination.port": 
2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5635, + "log.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2013, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-04-15T13:34:34.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "acl_in", + "cisco.ftd.message_id": "106100", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.suffix": "session", + "destination.ip": "192.0.0.99", + "destination.port": 2000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 5796, + "log.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.0.16", + "source.port": 2241, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 5967, + "log.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 
(192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.message_id": "302015", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6147, + "log.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "dmz", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 6332, + "log.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:24.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "dmz", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 53, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + 
"event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 6487, + "log.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.33", + "source.port": 5555, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6642, + "log.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6817, + "log.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5678, + "event.action": "flow-expiration", + 
"event.dataset": "cisco.ftd", + "event.duration": 0, + "event.end": "2018-12-11T08:01:31.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-11T08:01:31.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 6992, + "log.original": "%FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "network.bytes": 14804, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.connection_id": "447234", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.35", + "destination.port": 5678, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7162, + "log.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "network.bytes": 134781, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.connection_id": "447234", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.35", + 
"destination.port": 5678, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 68000000000, + "event.end": "2018-12-11T08:01:38.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-11T08:00:30.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7333, + "log.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "network.bytes": 134781, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.message_id": "106015", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7504, + "log.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco.ftd.message_id": "106015", + "cisco.ftd.source_interface": "outside", + "destination.ip": "192.168.1.34", + "destination.port": 5679, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + 
"host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7651, + "log.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:39.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "dmz", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "dmz", + "destination.ip": "192.0.0.12", + "destination.port": 5000, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "warning", + "log.offset": 7798, + "log.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "192.168.1.34", + "source.port": 5679, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.ftd.message_id": "302013", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 7954, + "log.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.ftd.message_id": "302013", + "event.action": 
"firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 6, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 8133, + "log.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", + "service.type": "cisco", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2018-12-11T08:01:53.000Z", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.message_id": "302014", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.10.10.10", + "destination.port": 1235, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 86399000000000, + "event.end": "2018-12-11T08:01:53.000Z", + "event.module": "cisco", + "event.severity": 6, + "event.start": "2018-12-10T08:01:54.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "127.0.0.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 8312, + "log.original": "%FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", + "network.bytes": 11420, + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.222", + "source.port": 1234, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2012-08-15T23:30:09.000Z", + "cisco.ftd.connection_id": "40", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.message_id": "302016", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.44.2.2", + "destination.port": 500, + "event.action": "flow-expiration", + "event.dataset": "cisco.ftd", + "event.duration": 122000000000, + "event.end": "2012-08-15T23:30:09.000Z", + "event.module": "cisco", + "event.severity": 6, + 
"event.start": "2012-08-15T23:28:07.000Z", + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "informational", + "log.offset": 8482, + "log.original": "%FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", + "network.bytes": 1416, + "network.iana_number": 17, + "network.transport": "udp", + "service.type": "cisco", + "source.ip": "10.44.4.4", + "source.port": 500, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:50:53.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8624, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:01.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8745, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + 
"destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8866, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:05.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.47", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 8987, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:06.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9108, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:51:17.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": 
"Mobile_Traffic", + "destination.ip": "192.88.99.57", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9229, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:52:48.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9350, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:00.000Z", + "cisco.ftd.message_id": "106016", + "cisco.ftd.source_interface": "Mobile_Traffic", + "destination.ip": "192.168.1.255", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "critical", + "log.offset": 9472, + "log.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", + "service.type": "cisco", + "source.ip": "0.0.0.0", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:01.000Z", + "cisco.ftd.destination_interface": "inside", + 
"cisco.ftd.list_id": "PERMIT_IN", + "cisco.ftd.message_id": "106023", + "cisco.ftd.source_interface": "outside", + "destination.ip": "10.32.112.125", + "destination.port": 25, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9594, + "log.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "192.0.2.95", + "source.port": 24069, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2014-09-12T06:53:02.000Z", + "cisco.ftd.icmp_code": 3, + "cisco.ftd.icmp_type": 3, + "cisco.ftd.message_id": "313001", + "cisco.ftd.source_interface": "Outside", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "GIFRCHN01", + "input.type": "log", + "log.level": "error", + "log.offset": 9748, + "log.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "10.2.3.5", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:13.000Z", + "cisco.ftd.icmp_type": 0, + "cisco.ftd.message_id": "313004", + "cisco.ftd.source_interface": "inside", + "destination.ip": "172.16.1.10", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 9858, + 
"log.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.ip": "172.16.30.2", + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": "dynamic", + "cisco.ftd.mapped_destination_ip": "192.88.99.129", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "192.88.99.1", + "cisco.ftd.mapped_source_port": 7890, + "cisco.ftd.message_id": "338002", + "cisco.ftd.source_interface": "inside", + "destination.domain": "bad.example.com", + "destination.ip": "192.88.99.129", + "destination.port": 80, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 9994, + "log.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", + "network.iana_number": 6, + "network.transport": "tcp", + "server.domain": "bad.example.com", + "service.type": "cisco", + "source.ip": "10.1.1.45", + "source.port": 6798, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outsidet", + "cisco.ftd.list_id": "dynamic", + "cisco.ftd.mapped_destination_ip": "192.0.2.223", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "10.2.1.1", + "cisco.ftd.mapped_source_port": 33340, + "cisco.ftd.message_id": "338004", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.threat_category": "Malware", + "cisco.ftd.threat_level": "very-high", + 
"destination.ip": "192.0.2.223", + "destination.port": 80, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "monitored", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 10245, + "log.original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.1.1.1", + "source.port": 33340, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2015-01-14T13:16:14.000Z", + "cisco.ftd.destination_interface": "outsidet", + "cisco.ftd.list_id": "dynamic", + "cisco.ftd.mapped_destination_ip": "192.0.2.223", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "10.2.1.1", + "cisco.ftd.mapped_source_port": 33340, + "cisco.ftd.message_id": "338008", + "cisco.ftd.source_interface": "inside", + "cisco.ftd.threat_category": "Malware", + "cisco.ftd.threat_level": "very-high", + "destination.ip": "192.0.2.223", + "destination.port": 80, + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "warning", + "log.offset": 10544, + "log.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + 
"source.ip": "10.1.1.1", + "source.port": 33340, + "tags": [ + "cisco-ftd" + ] + }, + { + "@timestamp": "2009-11-16T14:12:35.000Z", + "cisco.ftd.message_id": "304001", + "destination.ip": "192.0.2.1", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 10841, + "log.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", + "service.type": "cisco", + "source.ip": "10.30.30.30", + "tags": [ + "cisco-ftd" + ], + "url.original": "/app" + }, + { + "@timestamp": "2009-11-16T14:12:36.000Z", + "cisco.ftd.message_id": "304001", + "destination.ip": "192.0.2.32", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 10918, + "log.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com", + "service.type": "cisco", + "source.ip": "10.5.111.32", + "tags": [ + "cisco-ftd" + ], + "url.original": "http://example.com" + }, + { + "@timestamp": "2009-11-16T14:12:37.000Z", + "cisco.ftd.message_id": "304002", + "cisco.ftd.source_interface": "inside", + "destination.ip": "192.0.0.19", + "event.action": "firewall-rule", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "input.type": "log", + "log.level": "notification", + "log.offset": 11010, + "log.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside", + "service.type": "cisco", + "source.ip": "10.69.6.39", + "tags": [ + "cisco-ftd" + ], + "url.original": 
"http://www.example.net/images/favicon.ico" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log new file mode 100644 index 000000000000..c81a41dfb1f7 --- /dev/null +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log 
@@ -0,0 +1,10 @@
+2019-08-15T16:03:31Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:05:33Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:05:37Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address
+2019-08-15T16:07:00Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395
+2019-08-15T16:07:18Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-15T16:07:19Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb
+2019-08-16T09:33:15Z firepower %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
+2019-08-16T09:33:15Z firepower %FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:35:15Z firepower %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
+Aug 14 2019 15:09:41 siem-ftd %FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
new file mode 100644
index 000000000000..a260bcbd0d25
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
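Review bot: The DNS and HTTP lines in this fixture use routable destinations (8.8.8.8, 52.59.244.233, 213.211.198.62), and the companion expected JSON consequently carries ASN and GeoIP enrichment for them (`destination.as.number`, `destination.geo.*`), so the test's outcome now depends on whichever GeoIP database the test harness uses and is likely to drift when that database is refreshed. The earlier ftd fixture in this same change sticks to 192.0.2.0/24 documentation addresses; moving these destinations to 192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24 keeps everything this file adds to parser coverage (ports, DNSQuery/DNSResponseType, HTTPResponse/URL, the `File Block` reason) without the enrichment dependency. The switch from ISO 8601 timestamps to `Aug 14 2019 15:09:41 siem-ftd` on the last line reads as a deliberate second-format case; since any line added to a .log fixture is itself fed to the parser, recording that intent in the PR description would stop a later cleanup from "normalising" it. Separately, the expected output maps the FTD placeholder `User: No Authentication Required` verbatim into `user.name` and `user.id`, where it will surface as a real principal in user-centric searches and detections; treating that literal as "no user" before populating the ECS user fields would be safer, though that fix belongs in the pipeline rather than in this fixture.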
@@ -0,0 +1,697 @@ +[ + { + "@timestamp": "2019-08-15T16:03:31.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "ICMP", + "cisco.ftd.security.Client": "ICMP client", + "cisco.ftd.security.DstIP": "10.0.1.20", + "cisco.ftd.security.EgressInterface": "input", + "cisco.ftd.security.EgressZone": "input-zone", + "cisco.ftd.security.ICMPCode": "No Code", + "cisco.ftd.security.ICMPType": "Echo Request", + "cisco.ftd.security.IngressInterface": "output", + "cisco.ftd.security.IngressZone": "output-zone", + "cisco.ftd.security.InitiatorBytes": "98", + "cisco.ftd.security.InitiatorPackets": "1", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "icmp", + "cisco.ftd.security.ResponderBytes": "0", + "cisco.ftd.security.ResponderPackets": "0", + "cisco.ftd.security.SrcIP": "10.0.100.30", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "output", + "destination.bytes": 0, + "destination.ip": "10.0.1.20", + "destination.packets": 0, + "event.action": "connection-started", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 0, + "log.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: 
Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "network.application": "icmp client", + "network.iana_number": 1, + "network.protocol": "icmp", + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 98, + "source.ip": "10.0.100.30", + "source.packets": 1, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:05:33.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430003", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "ICMP", + "cisco.ftd.security.Client": "ICMP client", + "cisco.ftd.security.ConnectionDuration": "0", + "cisco.ftd.security.DstIP": "10.0.1.20", + "cisco.ftd.security.EgressInterface": "input", + "cisco.ftd.security.EgressZone": "input-zone", + "cisco.ftd.security.ICMPCode": "No Code", + "cisco.ftd.security.ICMPType": "Echo Request", + "cisco.ftd.security.IngressInterface": "output", + "cisco.ftd.security.IngressZone": "output-zone", + "cisco.ftd.security.InitiatorBytes": "98", + "cisco.ftd.security.InitiatorPackets": "1", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "icmp", + "cisco.ftd.security.ResponderBytes": "98", + "cisco.ftd.security.ResponderPackets": "1", + "cisco.ftd.security.SrcIP": "10.0.100.30", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "output", + "destination.bytes": 98, + "destination.ip": 
"10.0.1.20", + "destination.packets": 1, + "event.action": "connection-finished", + "event.dataset": "cisco.ftd", + "event.duration": "0", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 579, + "log.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", + "network.application": "icmp client", + "network.iana_number": 1, + "network.protocol": "icmp", + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 98, + "source.ip": "10.0.100.30", + "source.packets": 1, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:05:37.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.dns.question.name": "eu-central-1.ec2.archive.ubuntu.com", + "cisco.ftd.dns.question.type": "a host address", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "DNS", + "cisco.ftd.security.Client": "DNS client", + "cisco.ftd.security.DNSQuery": "eu-central-1.ec2.archive.ubuntu.com", + "cisco.ftd.security.DNSRecordType": "a host 
address", + "cisco.ftd.security.DstIP": "8.8.8.8", + "cisco.ftd.security.DstPort": "53", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "106", + "cisco.ftd.security.InitiatorPackets": "1", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "udp", + "cisco.ftd.security.ResponderBytes": "0", + "cisco.ftd.security.ResponderPackets": "0", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "50074", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 0, + "destination.port": 53, + "event.action": "connection-started", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 1182, + "log.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, 
InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 106, + "source.ip": "10.0.1.20", + "source.packets": 1, + "source.port": 50074, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:00.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.dns.answers.ttl": "86395", + "cisco.ftd.dns.answers.type": "Non-Existent Domain", + "cisco.ftd.dns.question.name": "siem-inside", + "cisco.ftd.dns.question.type": "a host address", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430003", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "DNS", + "cisco.ftd.security.Client": "DNS client", + "cisco.ftd.security.ConnectionDuration": "0", + "cisco.ftd.security.DNSQuery": "siem-inside", + "cisco.ftd.security.DNSRecordType": "a host address", + "cisco.ftd.security.DNSResponseType": "Non-Existent Domain", + "cisco.ftd.security.DNS_TTL": "86395", + "cisco.ftd.security.DstIP": "8.8.8.8", + "cisco.ftd.security.DstPort": "53", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "164", + "cisco.ftd.security.InitiatorPackets": "2", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "udp", + 
"cisco.ftd.security.ResponderBytes": "314", + "cisco.ftd.security.ResponderPackets": "2", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "49264", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 314, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 53, + "event.action": "connection-finished", + "event.dataset": "cisco.ftd", + "event.duration": "0", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 1821, + "log.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", + "network.application": "dns client", + "network.iana_number": 17, + "network.protocol": "dns", + "network.transport": "udp", + "service.type": "cisco", + "source.bytes": 164, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 49264, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + 
"user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:18.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.DstIP": "52.59.244.233", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "140", + "cisco.ftd.security.InitiatorPackets": "2", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.ResponderBytes": "74", + "cisco.ftd.security.ResponderPackets": "1", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "43228", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 74, + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "52.59.244.233", + "destination.packets": 1, + "destination.port": 80, + "event.action": "connection-started", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + 
"input.type": "log", + "log.level": "alert", + "log.offset": 2515, + "log.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 140, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 43228, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-15T16:07:19.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430003", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "Advanced Packaging Tool", + "cisco.ftd.security.ClientVersion": "1.3", + "cisco.ftd.security.ConnectionDuration": "1", + "cisco.ftd.security.DstIP": "52.59.244.233", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.HTTPResponse": "200", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "97454", + "cisco.ftd.security.InitiatorPackets": "1359", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", 
+ "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.ReferencedHost": "eu-central-1.ec2.archive.ubuntu.com", + "cisco.ftd.security.ResponderBytes": "41319018", + "cisco.ftd.security.ResponderPackets": "29001", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "43228", + "cisco.ftd.security.URL": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.security.UserAgent": "Debian APT-HTTP/1.3 (1.6.11)", + "cisco.ftd.security.WebApplication": "Ubuntu", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 41319018, + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "52.59.244.233", + "destination.packets": 29001, + "destination.port": 80, + "event.action": "connection-finished", + "event.dataset": "cisco.ftd", + "event.duration": "1", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "alert", + "log.offset": 3037, + "log.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced 
Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "network.application": [ + "Advanced Packaging Tool", + "Ubuntu" + ], + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 97454, + "source.ip": "10.0.1.20", + "source.packets": 1359, + "source.port": 43228, + "tags": [ + "cisco-ftd" + ], + "url.domain": "eu-central-1.ec2.archive.ubuntu.com", + "url.original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.11)" + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.DstIP": "213.211.198.62", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "140", + "cisco.ftd.security.InitiatorPackets": "2", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "tcp", + 
"cisco.ftd.security.ResponderBytes": "74", + "cisco.ftd.security.ResponderPackets": "1", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "46000", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.bytes": 74, + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", + "destination.ip": "213.211.198.62", + "destination.packets": 1, + "destination.port": 80, + "event.action": "connection-started", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 3919, + "log.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", + "network.iana_number": 6, + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 140, + "source.ip": "10.0.1.20", + "source.packets": 2, + "source.port": 46000, + "tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:33:15.000Z", + 
"cisco.ftd.destination_interface": "outside", + "cisco.ftd.list_id": [ + "default", + "Rule-1" + ], + "cisco.ftd.message_id": "430003", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Allow", + "cisco.ftd.security.AccessControlRuleName": "Rule-1", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.ClientVersion": "7.58.0", + "cisco.ftd.security.ConnectionDuration": "0", + "cisco.ftd.security.DstIP": "213.211.198.62", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.EgressInterface": "outside", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.HTTPResponse": "200", + "cisco.ftd.security.IngressInterface": "inside", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "503", + "cisco.ftd.security.InitiatorPackets": "6", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.ReferencedHost": "www.eicar.org", + "cisco.ftd.security.ResponderBytes": "690", + "cisco.ftd.security.ResponderPackets": "4", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "46000", + "cisco.ftd.security.URL": "http://www.eicar.org/download/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.security.UserAgent": "curl/7.58.0", + "cisco.ftd.source_interface": "inside", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.bytes": 690, + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", 
+ "destination.ip": "213.211.198.62", + "destination.packets": 4, + "destination.port": 80, + "event.action": "connection-finished", + "event.dataset": "cisco.ftd", + "event.duration": "0", + "event.module": "cisco", + "event.outcome": "allow", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "alert", + "log.offset": 4442, + "log.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.bytes": 503, + "source.ip": "10.0.1.20", + "source.packets": 6, + "source.port": 46000, + "tags": [ + "cisco-ftd" + ], + "url.domain": "www.eicar.org", + "url.original": "http://www.eicar.org/download/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required", + "user_agent.original": "curl/7.58.0" + }, + { + "@timestamp": "2019-08-16T09:35:15.000Z", + "cisco.ftd.destination_interface": "input", + "cisco.ftd.list_id": [ + "default", + "Block-inbound-ICMP" + ], + "cisco.ftd.message_id": "430002", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Block", + 
"cisco.ftd.security.AccessControlRuleName": "Block-inbound-ICMP", + "cisco.ftd.security.DstIP": "10.0.1.20", + "cisco.ftd.security.EgressInterface": "input", + "cisco.ftd.security.EgressZone": "input-zone", + "cisco.ftd.security.ICMPCode": "No Code", + "cisco.ftd.security.ICMPType": "Echo Request", + "cisco.ftd.security.IngressInterface": "output", + "cisco.ftd.security.IngressZone": "output-zone", + "cisco.ftd.security.InitiatorBytes": "0", + "cisco.ftd.security.InitiatorPackets": "0", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "icmp", + "cisco.ftd.security.ResponderBytes": "0", + "cisco.ftd.security.ResponderPackets": "0", + "cisco.ftd.security.SrcIP": "10.0.100.30", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.source_interface": "output", + "destination.bytes": 0, + "destination.ip": "10.0.1.20", + "destination.packets": 0, + "event.action": "connection-started", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.outcome": "block", + "event.severity": 1, + "event.timezone": "+00:00", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 5177, + "log.original": "%FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", + "network.iana_number": 1, + "network.transport": "icmp", + "service.type": "cisco", + "source.bytes": 0, + "source.ip": "10.0.100.30", + "source.packets": 0, + 
"tags": [ + "cisco-ftd" + ], + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:09:41.000Z", + "cisco.ftd.destination_interface": "output", + "cisco.ftd.list_id": [ + "default", + "Intrusion-Rule" + ], + "cisco.ftd.message_id": "430003", + "cisco.ftd.security.ACPolicy": "default", + "cisco.ftd.security.AccessControlRuleAction": "Block", + "cisco.ftd.security.AccessControlRuleName": "Intrusion-Rule", + "cisco.ftd.security.AccessControlRuleReason": "File Block", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.ClientVersion": "7.58.0", + "cisco.ftd.security.ConnectionDuration": "1", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.EgressInterface": "output", + "cisco.ftd.security.EgressZone": "output-zone", + "cisco.ftd.security.FileCount": "1", + "cisco.ftd.security.HTTPResponse": "200", + "cisco.ftd.security.IngressInterface": "input", + "cisco.ftd.security.IngressZone": "input-zone", + "cisco.ftd.security.InitiatorBytes": "365", + "cisco.ftd.security.InitiatorPackets": "4", + "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity", + "cisco.ftd.security.Prefilter Policy": "Default Prefilter Policy", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.ReferencedHost": "10.0.100.30:8000", + "cisco.ftd.security.ResponderBytes": "1927", + "cisco.ftd.security.ResponderPackets": "7", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41544", + "cisco.ftd.security.URL": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.security.UserAgent": "curl/7.58.0", + "cisco.ftd.source_interface": "input", + "destination.bytes": 1927, + "destination.ip": "10.0.100.30", + "destination.packets": 7, + "destination.port": 8000, + "event.action": "connection-finished", + 
"event.dataset": "cisco.ftd",
+ "event.duration": "1",
+ "event.module": "cisco",
+ "event.outcome": "block",
+ "event.severity": 1,
+ "event.timezone": "+00:00",
+ "fileset.name": "ftd",
+ "host.hostname": "siem-ftd",
+ "http.response.status_code": "200",
+ "input.type": "log",
+ "log.level": "alert",
+ "log.offset": 5719,
+ "log.original": "%FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip",
+ "network.application": "curl",
+ "network.iana_number": 6,
+ "network.protocol": "http",
+ "network.transport": "tcp",
+ "service.type": "cisco",
+ "source.bytes": 365,
+ "source.ip": "10.0.1.20",
+ "source.packets": 4,
+ "source.port": 41544,
+ "tags": [
+ "cisco-ftd"
+ ],
+ "url.domain": "10.0.100.30:8000",
+ "url.original": "http://10.0.100.30:8000/eicar_com.zip",
+ "user.id": "No Authentication Required",
+ "user.name": "No Authentication Required",
+ "user_agent.original": "curl/7.58.0"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log
new file mode 100644
index 000000000000..5a6fe1852f71
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log
@@ -0,0 +1,10 @@
+Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe
+Aug 14 2019 14:55:02 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe
+Aug 14 2019 15:00:29 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com
+Aug 14 2019 15:01:41 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt
+Aug 14 2019 15:03:28 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, 
FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+Aug 14 2019 15:03:33 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+Aug 14 2019 15:09:43 siem-ftd %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip
+2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not 
performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip
+2019-08-16T09:40:45Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d
+2019-08-16T09:42:07Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d 
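Review bot: The last two fixture lines carry real-world indicators that a parser test does not need — a public address (18.197.225.123) serving a `/public/infected/<md5>` path and the SHA-256 of a sample FTD labels `Pdf.Exploit.Pdfka::100.sbx.tg` — and committing live IoCs to a repository can trip hash/URL blocklists and secret or malware scanners on the tree. Consider rewriting the non-EICAR host to an RFC 5737 documentation address (192.0.2.0/24) and substituting a clearly constructed hash, as the rest of the file already does with private 10.0.x.x addresses; the eicar.org lines can stay since EICAR exists for exactly this purpose. The mix of `Aug 14 2019 14:54:25` and `2019-08-16T09:39:03Z` header formats looks deliberate (both syslog timestamp styles the pipeline must accept), but a short note in the test directory's README, or in the PR description, would make that intent explicit for whoever regenerates the expected output next.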
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
new file mode 100644
index 000000000000..8b0a08995171
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
@@ -0,0 +1,564 @@ +[ + { + "@timestamp": "2019-08-14T14:54:25.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "exploit.exe", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileType": "ELF", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T14:54:24Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41522", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/exploit.exe", + "cisco.ftd.security.User": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T14:54:24Z", + "event.timezone": "+00:00", + "file.path": "exploit.exe", + "file.type": "ELF", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 0, + "log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": 
"10.0.1.20", + "source.port": 41522, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/exploit.exe", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T14:55:02.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "exploit.exe", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileType": "ELF", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T14:55:01Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41526", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/exploit.exe", + "cisco.ftd.security.User": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T14:55:01Z", + "event.timezone": "+00:00", + "file.path": "exploit.exe", + "file.type": "ELF", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 450, + "log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: 
http://10.0.100.30:8000/exploit.exe", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41526, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/exploit.exe", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:00:29.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar.com", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileType": "EICAR", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T15:00:27Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41530", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/eicar.com", + "cisco.ftd.security.User": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T15:00:27Z", + "event.timezone": "+00:00", + "file.path": "eicar.com", + "file.type": "EICAR", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 900, + "log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, 
ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41530, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar.com", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:01:41.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar.com.txt", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileType": "EICAR", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T15:01:40Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41534", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/eicar.com.txt", + "cisco.ftd.security.User": "No Authentication Required", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T15:01:40Z", + "event.timezone": "+00:00", + "file.path": "eicar.com.txt", + "file.type": "EICAR", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 1348, + 
"log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41534, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar.com.txt", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:03:28.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar_com.zip", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileSize": "184", + "cisco.ftd.security.FileType": "ZIP", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T15:03:27Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41540", + "cisco.ftd.security.ThreatName": "Unknown", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", 
+ "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T15:03:27Z", + "event.timezone": "+00:00", + "file.path": "eicar_com.zip", + "file.size": "184", + "file.type": "ZIP", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 1804, + "log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41540, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-14T15:03:33.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430004", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Detect", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar_com.zip", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": 
"2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileSize": "184", + "cisco.ftd.security.FileType": "ZIP", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T15:03:31Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41542", + "cisco.ftd.security.ThreatName": "Unknown", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "file-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T15:03:31Z", + "event.timezone": "+00:00", + "file.path": "eicar_com.zip", + "file.size": "184", + "file.type": "ZIP", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2372, + "log.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41542, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication 
Required" + }, + { + "@timestamp": "2019-08-14T15:09:43.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430005", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "8000", + "cisco.ftd.security.FileAction": "Malware Block", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar_com.zip", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileSize": "184", + "cisco.ftd.security.FileType": "ZIP", + "cisco.ftd.security.FirstPacketSecond": "2019-08-14T15:09:40Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SHA_Disposition": "Malware", + "cisco.ftd.security.SperoDisposition": "Spero detection not performed on file", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "41544", + "cisco.ftd.security.ThreatName": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.security.ThreatScore": "76", + "cisco.ftd.security.URI": "http://10.0.100.30:8000/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.threat_level": "76", + "destination.ip": "10.0.100.30", + "destination.port": 8000, + "event.action": "malware-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-14T15:09:40Z", + "event.timezone": "+00:00", + "file.path": "eicar_com.zip", + "file.size": "184", + "file.type": "ZIP", + "fileset.name": "ftd", + "host.hostname": "siem-ftd", + "input.type": "log", + "log.level": "alert", + "log.offset": 2940, + "log.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, 
DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 41544, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30:8000/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:39:03.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430005", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "213.211.198.62", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.FileAction": "Malware Cloud Lookup", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "eicar_com.zip", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "cisco.ftd.security.FileSandboxStatus": "File Size Is Too Small", + "cisco.ftd.security.FileSize": "184", + "cisco.ftd.security.FileStorageStatus": "Not Stored (Disposition Was Pending)", + "cisco.ftd.security.FileType": "ZIP", + "cisco.ftd.security.FirstPacketSecond": "2019-08-16T09:39:02Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SHA_Disposition": 
"Unavailable", + "cisco.ftd.security.SperoDisposition": "Spero detection not performed on file", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "46004", + "cisco.ftd.security.ThreatName": "Win.Ransomware.Eicar::95.sbx.tg", + "cisco.ftd.security.URI": "http://www.eicar.org/download/eicar_com.zip", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Win.Ransomware.Eicar::95.sbx.tg", + "destination.as.number": 43341, + "destination.as.organization.name": "MDlink online service center GmbH", + "destination.geo.city_name": "Osterweddingen", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 52.0413, + "destination.geo.location.lon": 11.5794, + "destination.geo.region_iso_code": "DE-ST", + "destination.geo.region_name": "Saxony-Anhalt", + "destination.ip": "213.211.198.62", + "destination.port": 80, + "event.action": "malware-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-16T09:39:02Z", + "event.timezone": "+00:00", + "file.path": "eicar_com.zip", + "file.size": "184", + "file.type": "ZIP", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 3639, + "log.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), 
FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 46004, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://www.eicar.org/download/eicar_com.zip", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:40:45.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430005", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "10.0.100.30", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.FileAction": "Malware Cloud Lookup", + "cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "cisco.ftd.security.FileSandboxStatus": "Sent for Analysis", + "cisco.ftd.security.FileSize": "278987", + "cisco.ftd.security.FileStorageStatus": "Not Stored (Disposition Was Pending)", + "cisco.ftd.security.FileType": "PDF", + "cisco.ftd.security.FirstPacketSecond": "2019-08-16T09:40:45Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SHA_Disposition": "Unavailable", + "cisco.ftd.security.SperoDisposition": "Spero detection not performed on file", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "55378", + "cisco.ftd.security.ThreatName": "Unknown", + "cisco.ftd.security.URI": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Unknown", + "destination.ip": "10.0.100.30", + "destination.port": 80, + 
"event.action": "malware-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-16T09:40:45Z", + "event.timezone": "+00:00", + "file.path": "dd3dee576d0cb4abfed00f97f0c71c1d", + "file.size": "278987", + "file.type": "PDF", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 4397, + "log.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 55378, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + }, + { + "@timestamp": "2019-08-16T09:42:07.000Z", + "cisco.ftd.list_id": "malware-and-file-policy", + "cisco.ftd.message_id": "430005", + "cisco.ftd.security.ApplicationProtocol": "HTTP", + "cisco.ftd.security.Client": "cURL", + "cisco.ftd.security.DstIP": "18.197.225.123", + "cisco.ftd.security.DstPort": "80", + "cisco.ftd.security.FileAction": "Malware Cloud Lookup", + 
"cisco.ftd.security.FileDirection": "Download", + "cisco.ftd.security.FileName": "dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.FilePolicy": "malware-and-file-policy", + "cisco.ftd.security.FileSHA256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", + "cisco.ftd.security.FileSandboxStatus": "Failed to Send", + "cisco.ftd.security.FileSize": "278987", + "cisco.ftd.security.FileType": "PDF", + "cisco.ftd.security.FirstPacketSecond": "2019-08-16T09:42:06Z", + "cisco.ftd.security.Protocol": "tcp", + "cisco.ftd.security.SHA_Disposition": "Malware", + "cisco.ftd.security.SperoDisposition": "Spero detection not performed on file", + "cisco.ftd.security.SrcIP": "10.0.1.20", + "cisco.ftd.security.SrcPort": "47926", + "cisco.ftd.security.ThreatName": "Pdf.Exploit.Pdfka::100.sbx.tg", + "cisco.ftd.security.ThreatScore": "100", + "cisco.ftd.security.URI": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "cisco.ftd.security.User": "No Authentication Required", + "cisco.ftd.threat_category": "Pdf.Exploit.Pdfka::100.sbx.tg", + "cisco.ftd.threat_level": "100", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 50.1155, + "destination.geo.location.lon": 8.6842, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "18.197.225.123", + "destination.port": 80, + "event.action": "malware-detected", + "event.dataset": "cisco.ftd", + "event.module": "cisco", + "event.severity": 1, + "event.start": "2019-08-16T09:42:06Z", + "event.timezone": "+00:00", + "file.path": "dd3dee576d0cb4abfed00f97f0c71c1d", + "file.size": "278987", + "file.type": "PDF", + "fileset.name": "ftd", + "host.hostname": "firepower", + "input.type": "log", + "log.level": "alert", + "log.offset": 
5211, + "log.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "network.application": "curl", + "network.iana_number": 6, + "network.protocol": "http", + "network.transport": "tcp", + "service.type": "cisco", + "source.ip": "10.0.1.20", + "source.port": 47926, + "tags": [ + "cisco-ftd" + ], + "url.original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", + "user.id": "No Authentication Required", + "user.name": "No Authentication Required" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go b/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go new file mode 100644 index 000000000000..62fc5f419145 --- /dev/null +++ b/x-pack/filebeat/module/cisco/shared/gen-ecs-mapping-docs.go 
@@ -0,0 +1,143 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build ignore
+
+package main
+
+import (
+ "encoding/csv"
+ "flag"
+ "fmt"
+ "io"
+ "os"
+ "sort"
+
+ "github.com/pkg/errors"
+)
+
+var outputFile = flag.String("output", "ftd-ecs-mappings.asciidoc", "Output file")
+
+var outputTables = []struct {
+ Name string
+ IDs []string
+}{
+ {
+ Name: "Intrusion events",
+ IDs: []string{"430001"},
+ },
+ {
+ Name: "Connection and Security Intelligence events",
+ IDs: []string{"430002", "430003"},
+ },
+ {
+ Name: "File and Malware events",
+ IDs: []string{"430004", "430004"},
+ },
+}
+
+type idMappings map[string]fieldMappings
+
+type fieldMappings map[string]stringSet
+
+func main() {
+ if err := generate(); err != nil {
+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+ os.Exit(2)
+ }
+}
+
+func usage() {
+ fmt.Fprintf(os.Stderr, "Usage: %s [-output file.yml] \n", os.Args[0])
+ flag.PrintDefaults()
+ os.Exit(1)
+}
+
+func generate() error {
+ flag.Usage = usage
+ flag.Parse()
+ if len(flag.Args()) == 0 || len(flag.Args()[0]) == 0 {
+ return errors.New("no csv file provided")
+ }
+ csvFile := flag.Args()[0]
+ fHandle, err := os.Open(csvFile)
+ if err != nil {
+ return fmt.Errorf("failed to open %s: %v", csvFile, err)
+ }
+ defer fHandle.Close()
+
+ outHandle, err := os.Create(*outputFile)
+ if err != nil {
+ return fmt.Errorf("failed to create %s: %v", *outputFile, err)
+ }
+ defer outHandle.Close()
+
+ mappings, err := loadMappings(fHandle)
+ if err != nil {
+ return fmt.Errorf("failed to load mappings from '%s': %v", csvFile, err)
+ }
+
+ for _, table := range outputTables {
+ fieldMap := make(fieldMappings)
+ for _, id := range table.IDs {
+ fieldMap.merge(mappings[id])
+ }
+ var fields []string
+ for k, v := range fieldMap {
+ if len(v) > 0 {
+ fields = append(fields, k)
+ }
+ }
+ sort.Strings(fields)
+ fmt.Fprintf(outHandle, "Mappings for %s fields:\n", table.Name)
+ fmt.Fprintln(outHandle, "[options=\"header\"]")
+ fmt.Fprintln(outHandle, "|====================================")
+ fmt.Fprintln(outHandle, "| FTD Field | Mapped fields")
+ for _, field := range fields {
+ fmt.Fprintln(outHandle, "|", field, "|", fieldMap[field].String())
+ }
+ fmt.Fprintln(outHandle, "|====================================")
+ fmt.Fprintln(outHandle)
+ }
+
+ return nil
+}
+
+func loadMappings(reader io.Reader) (m idMappings, err error) {
+ csvReader := csv.NewReader(reader)
+ csvReader.FieldsPerRecord = -1
+ m = make(idMappings)
+ for lineNum := 1; ; lineNum++ {
+ record, err := csvReader.Read()
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return m, errors.Wrapf(err, "failed reading line %d", lineNum)
+ }
+ if len(record) < 3 {
+ return m, fmt.Errorf("line %d has unexpected number of columns: %d", lineNum, len(record))
+ }
+ id := record[1]
+ ftdField := record[2]
+ if _, found := m[id]; !found {
+ m[id] = make(fieldMappings)
+ }
+ if _, found := m[id][ftdField]; !found {
+ m[id][ftdField] = newStringSet(nil)
+ }
+ m[id][ftdField].merge(newStringSet(record[3:]))
+ }
+ return m, nil
+}
+
+func (m fieldMappings) merge(other fieldMappings) {
+ for ftdField, newECS := range other {
+ if curECS, found := m[ftdField]; found {
+ curECS.merge(newECS)
+ } else {
+ m[ftdField] = newECS
+ }
+ }
+}
diff --git a/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go b/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go
new file mode 100644
index 000000000000..2f54502b39b8
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/gen-ftd-ecs-mapping.go
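Review bot: The "File and Malware events" entry of `outputTables` repeats `"430004"`, so the second slot adds nothing to that table; the fixtures earlier in this diff use message_id 430005 for malware-detected events, so this was presumably meant to read `IDs: []string{"430004", "430005"},`. In `generate`, every `fmt.Fprintf`/`fmt.Fprintln` to `outHandle` and the deferred `outHandle.Close()` drop their error, so a failing write produces a truncated asciidoc file with exit status 0; writing through a `bufio.Writer` and returning the error of `w.Flush()` (and of an explicit `Close()`) would surface it, matching the short-write check that gen-ftd-ecs-mapping.go in this commit already performs. Both generators also call `os.Create(*outputFile)` before `loadMappings`, so a rejected CSV truncates the previously generated file and leaves an empty one behind; creating the output after the mappings load avoids that. `usage` still advertises `[-output file.yml]` although this generator's default output is `ftd-ecs-mappings.asciidoc`.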
@@ -0,0 +1,203 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build ignore + +package main + +import ( + "encoding/csv" + "flag" + "fmt" + "io" + "os" + "strings" + + "gopkg.in/yaml.v2" + + "github.com/pkg/errors" +) + +var ( + outputFile = flag.String("output", "ftd-processor.yml", "Output file") + filesetFieldsBase = "cisco.ftd" + tmpFieldsFieldsBase = "_temp_.cisco" +) + +const begin = `#******************************************************************************* +# Code generated by go generate. DO NOT EDIT. +#******************************************************************************* +` + +const end = `#******************************************************************************* +# End of generated code. +#******************************************************************************* +` + +const painless = `boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; +} +def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? 
+ existing.add(value) + : dest.put(key, new ArrayList([existing, value])); +} +def msg = ctx._temp_.cisco.security; +def counters = new HashMap(); +def delete = new HashSet(); +for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + delete.add(entry.getKey()); + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + } +} +msg.entrySet().removeIf(item -> delete.contains(item.getKey()) || isEmpty(item.getValue())); +if (ctx._temp_.cisco.message_id != "") return; +def best; +for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; +} +if (best != null) ctx._temp_.cisco.message_id = best.getKey(); +` + +type mappings struct { + If string + Params map[string]*fieldMapping + Lang string + Source string +} + +type fieldMapping struct { + name string + ID stringSet `yaml:",flow,omitempty"` + ECS stringSet `yaml:",flow,omitempty"` +} + +func main() { + if err := generate(); err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(2) + } +} + +func usage() { + fmt.Fprint(os.Stderr, "Usage: gen [-output file.yml] \n") + flag.PrintDefaults() + os.Exit(1) +} + +func generate() error { + flag.Usage = usage + flag.Parse() + if len(flag.Args()) == 0 || len(flag.Args()[0]) == 0 { + return errors.New("no csv file provided") + } + csvFile := flag.Args()[0] + fHandle, err := os.Open(csvFile) + if err != nil { + return fmt.Errorf("failed to open %s: %v", csvFile, err) + } + defer fHandle.Close() + + outHandle, err := os.Create(*outputFile) + if err != nil { + return fmt.Errorf("failed to create %s: %v", *outputFile, err) + } + defer outHandle.Close() + + mappings, err := loadMappings(fHandle) + if err != nil { + return fmt.Errorf("failed to load mappings from '%s': %v", 
csvFile, err) + } + mappings.If = "ctx._temp_?.cisco?.security != null" + mappings.Lang = "painless" + mappings.Source = painless + processors := []map[string]interface{}{ + { + "script": mappings, + }, + } + body, err := yaml.Marshal(processors) + if err != nil { + return fmt.Errorf("error marshalling output yaml: %v", err) + } + var content []byte + content = append(content, begin...) + content = append(content, body...) + content = append(content, end...) + n, err := outHandle.Write(content) + if err != nil { + return errors.Wrap(err, "failed writing output file") + } + if n != len(content) { + return fmt.Errorf("short write on output file. expected=%d, written=%d", len(content), n) + } + return nil +} + +func loadMappings(reader io.Reader) (m mappings, err error) { + csvReader := csv.NewReader(reader) + csvReader.FieldsPerRecord = -1 + allIDs := newStringSet(nil) + for lineNum := 1; ; lineNum++ { + record, err := csvReader.Read() + if err == io.EOF { + break + } + if err != nil { + return m, errors.Wrapf(err, "failed reading line %d", lineNum) + } + if len(record) < 3 { + return m, fmt.Errorf("line %d has unexpected number of columns: %d", lineNum, len(record)) + } + ids := newStringSet(record[1:2]) + m.merge(&fieldMapping{ + name: record[2], + ID: ids, + ECS: newStringSet(makeTempFields(record[3:])), + }) + allIDs.merge(ids) + } + + // fields that are used by all IDs are equivalent to an empty ID list + for k := range m.Params { + if m.Params[k].ID.equal(allIDs) { + m.Params[k].ID = newStringSet(nil) + } + } + return m, nil +} + +func (m *mappings) merge(f *fieldMapping) { + if other, found := m.Params[f.name]; found { + other.ID.merge(f.ID) + other.ECS.merge(f.ECS) + return + } + if m.Params == nil { + m.Params = make(map[string]*fieldMapping) + } + m.Params[f.name] = f +} + +func makeTempFields(fields []string) []string { + for idx, field := range fields { + if strings.Index(field, filesetFieldsBase) == 0 { + fields[idx] = tmpFieldsFieldsBase + 
field[len(filesetFieldsBase):]
+ }
+ }
+ return fields
+}
diff --git a/x-pack/filebeat/module/cisco/shared/gen.go b/x-pack/filebeat/module/cisco/shared/gen.go
new file mode 100644
index 000000000000..92f3231ca58e
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/gen.go
@@ -0,0 +1,8 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package shared
+
+//go:generate go run gen-ftd-ecs-mapping.go stringset.go -output ecs-mapping-processor.yml security-mappings.csv
+//go:generate go run gen-ecs-mapping-docs.go stringset.go -output ecs-mapping-docs.asciidoc security-mappings.csv
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
new file mode 100644
index 000000000000..2209fb086fc6
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
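Review bot: `makeTempFields` detects the fileset namespace with `strings.Index(field, filesetFieldsBase) == 0`, which scans the whole string and is true for any field whose name merely begins with the characters `cisco.ftd`, not only for `cisco.ftd.*`; `strings.HasPrefix(field, filesetFieldsBase+".")` states the intent and bounds the rewrite to that namespace, and the existing `field[len(filesetFieldsBase):]` slice keeps working unchanged. In `generate`, the deferred `outHandle.Close()` discards its error even though the function checks for short writes precisely to guarantee a complete output file; an explicit `if err := outHandle.Close(); err != nil { return errors.Wrap(err, "closing output file") }` after the length check closes that gap. The `fieldMapping` struct relies on yaml.v2's default lower-casing of `ID`/`ECS` to produce the `id`/`ecs` keys the embedded painless reads via `getOrDefault('id', ...)`/`getOrDefault('ecs', ...)`; explicit `yaml:"id,flow,omitempty"` and `yaml:"ecs,flow,omitempty"` tags would pin that coupling so a rename of either side fails loudly instead of silently emitting a processor that maps nothing.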
@@ -0,0 +1,980 @@ +description: "Pipeline for Cisco {< .internal_PREFIX >} logs" +processors: + +# +# Parse the syslog header +# +# This populates the host.hostname, process.name, timestamp and other fields +# from the header and stores the message contents in log.original. + - grok: + field: message + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date})?(?:\\s+%{SYSLOGHOST:host.hostname})?(?: %{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?(?:{DATA})?%{SYSLOG_END}" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^\\s:\\[]+)" + SYSLOG_END: "(?::|\\s\\s+)" + +# +# Parse FTD/ASA style message +# +# This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: log.original + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. + - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:FTD|ASA)" + +# +# Create missing fields when no %FTD label is present +# +# message_id is needed in order for some processors below to work. 
+ - set: + field: _temp_.cisco.message_id + value: '' + if: "ctx?._temp_?.cisco?.message_id == null" + +# +# set default event.severity to 7 (debug): +# +# This value is read from the EMBLEM header and won't be present if this is not +# an emblem message (firewalls can be configured to report other kinds of events) +# This has no effect unless var.log_level is above 7 (default) to filter some +# messages. + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + +# +# Drop messages above configured log_level +# + - drop: + if: "ctx.event.severity > {< .log_level >}" + +# +# Parse the date included in FTD logs +# + - date: + field: "_temp_.raw_date" + ignore_failure: true + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + - date: + if: "ctx.event.timezone != null" + field: "@timestamp" + formats: ["ISO8601"] + timezone: "{{ event.timezone }}" + on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] + +# +# Set log.level +# + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: 
"log.level" + if: "ctx.event.severity == 7" + value: debug + +# +# Firewall messages +# +# This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} due to %{network.protocol} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + pattern: "Dropping echo request from %{source.ip} to PAT address %{destination.ip}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + value: inbound + - dissect: + if: 
"ctx._temp_.cisco.message_id == '106014'" + field: "message" + pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.ip} %{}dst %{_temp_.cisco.destination_interface}:%{destination.ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.ip}/%{source.port} to %{destination.ip}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.ip}) to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.ip} to %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.ip} dest %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.ip} to %{destination.ip}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.ip} to %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + pattern: "%{event.outcome} %{network.transport} src 
%{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + pattern: "%{} %{event.outcome} src %{source.ip} dst %{destination.ip} by access-group \"%{_temp_.cisco.list_id}\"" + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.ip}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.ip}(%{destination.port}) %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106103'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.ip} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.ip} %{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + pattern: "%{source.ip} %{}ccessed URL %{destination.ip}:%{url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + value: allow + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.ip} %{}EST %{destination.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + pattern: "%{event.outcome} %{network.transport} 
type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.ip} on interface %{_temp_.cisco.source_interface} to %{destination.ip}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.ip} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "message" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} 
(%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) 
to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: 
%{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + value: "{{source.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to 
%{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + value: "{{destination.domain}}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.ip}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.ip}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.ip" + value: "{{destination.ip}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + value: "{{destination.port}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.ip" + value: "{{source.ip}}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + value: "{{source.port}}" + +# +# Handle 302xxx messages (Flow expiration a.k.a "Teardown") +# + - set: + if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)" + field: "event.action" + value: "flow-expiration" + - grok: + field: "message" + if: "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)" + patterns: + - "Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.ip}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.ip}/%{NUMBER:destination.port:int} 
(?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}" + - "Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{IP:source.ip}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?gaddr (?:%{NOTCOLON}:)?%{IP}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.destination_interface}:)?%{IP:destination.ip}/%{NUMBER:destination.port:int}(?: %{NOTSPACE:_temp_.cisco.destination_username})?%{GREEDYDATA}" + pattern_definitions: + NOTCOLON: "[^:]*" + +# +# Decode FTD's Security Event Syslog Messages +# +# 43000x messages are security event syslog messages specific to FTD. +# Format is a comma-separated sequence of key: value pairs. +# +# The result of this decoding is saved as _temp_.cisco.security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + field_split: "," + value_split: ":" + target_field: "_temp_.cisco.security" + trim_key: " " + trim_value: " " + ignore_failure: true + +# +# Remove message. +# +# The field has been used as temporary buffer while decoding. The full message +# is kept log.original. Processors below can still add a message field, as some +# security events contain an explanatory Message field. + - remove: + field: + - message + ignore_missing: true + +# +# Populate ECS fields from Security Events +# +# This script uses the key-value pairs from Security Events to populate +# the appropriate ECS fields. +# +# A single key can be mapped to multiple ECS fields, and more than one key can +# map to the same ECS field, which results in an array being created. +# +# This script performs an additional job: +# +# Before FTD version 6.3, the message_id was not included in Security Events. +# As this field encodes the kind of event (intrusion, connection, malware...) 
+# the script below will guess the right message_id from the keys present in +# the event. +# +#******************************************************************************* +# Code generated by go generate. DO NOT EDIT. +#******************************************************************************* + - script: + if: ctx._temp_?.cisco?.security != null + params: + ACPolicy: + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.list_id] + AccessControlRuleAction: + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + id: ["430002", "430003"] + ecs: [_temp_.cisco.list_id] + AccessControlRuleReason: + id: ["430002", "430003"] + ApplicationProtocol: + ecs: [network.protocol] + ArchiveDepth: + id: ["430004", "430005"] + ArchiveFileName: + id: ["430004", "430005"] + ecs: [file.path] + ArchiveFileStatus: + id: ["430004", "430005"] + ArchiveSHA256: + id: ["430004", "430005"] + ecs: [file.hash] + Classification: + id: ["430001"] + Client: + ecs: [network.application] + ClientVersion: + id: ["430002", "430003"] + ConnectionDuration: + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + id: ["430002", "430003"] + DNS_TTL: + id: ["430002", "430003"] + ecs: [_temp_.cisco.dns.answers.ttl] + DNSQuery: + id: ["430002", "430003"] + ecs: [_temp_.cisco.dns.question.name] + DNSRecordType: + id: ["430002", "430003"] + ecs: [_temp_.cisco.dns.question.type] + DNSResponseType: + id: ["430002", "430003"] + ecs: [_temp_.cisco.dns.answers.type] + DNSSICategory: + id: ["430002", "430003"] + DstIP: + ecs: [destination.ip] + DstPort: + ecs: [destination.port] + EgressInterface: + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + id: ["430001", "430002", "430003"] + Endpoint Profile: + id: ["430002", "430003"] + FileAction: + id: ["430004", "430005"] + FileCount: + id: ["430002", "430003"] + FileDirection: + id: ["430004", "430005"] + FileName: + id: ["430004", "430005"] + ecs: [file.path] + FilePolicy: + id: 
["430004", "430005"] + ecs: [_temp_.cisco.list_id] + FileSHA256: + id: ["430004", "430005"] + FileSandboxStatus: + id: ["430004", "430005"] + FileSize: + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + id: ["430004", "430005"] + FileType: + id: ["430004", "430005"] + ecs: [file.type] + FirstPacketSecond: + id: ["430004", "430005"] + ecs: [event.start] + GID: + id: ["430001"] + ecs: [service.id] + HTTPReferer: + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + id: ["430001", "430002", "430003"] + ICMPType: + id: ["430001", "430002", "430003"] + IPReputationSICategory: + id: ["430002", "430003"] + IPSCount: + id: ["430002", "430003"] + IngressInterface: + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.source_interface] + IngressZone: + id: ["430001", "430002", "430003"] + InitiatorBytes: + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + id: ["430003"] + ecs: [source.packets] + InlineResult: + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + id: ["430001"] + ecs: [_temp_.cisco.list_id] + MPLS_Label: + id: ["430001"] + Message: + id: ["430001"] + ecs: [message] + NAPPolicy: + id: ["430001", "430002", "430003"] + NetBIOSDomain: + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + id: ["430001"] + Prefilter Policy: + id: ["430002", "430003"] + Priority: + id: ["430001"] + Protocol: + ecs: [network.transport] + ReferencedHost: + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + id: ["430003"] + ecs: [destination.packets] + Revision: + id: ["430001"] + SHA_Disposition: + id: ["430004", "430005"] + SID: + id: ["430001"] + SSLActualAction: + ecs: [event.outcome] + SSLCertificate: + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + id: ["430002", "430003"] + SSLFlowStatus: + id: ["430002", "430003", "430004", 
"430005"] + SSLPolicy: + id: ["430002", "430003"] + SSLRuleName: + id: ["430002", "430003"] + SSLServerCertStatus: + id: ["430002", "430003"] + SSLServerName: + id: ["430002", "430003"] + ecs: [server.domain] + SSLSessionID: + id: ["430002", "430003"] + SSLTicketID: + id: ["430002", "430003"] + SSLURLCategory: + id: ["430002", "430003"] + SSLVersion: + id: ["430002", "430003"] + SSSLCipherSuite: + id: ["430002", "430003"] + SecIntMatchingIP: + id: ["430002", "430003"] + Security Group: + id: ["430002", "430003"] + SperoDisposition: + id: ["430004", "430005"] + SrcIP: + ecs: [source.ip] + SrcPort: + ecs: [source.port] + TCPFlags: + id: ["430002", "430003"] + ThreatName: + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + id: ["430002", "430003"] + URI: + id: ["430004", "430005"] + ecs: [url.original] + URL: + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + id: ["430002", "430003"] + URLReputation: + id: ["430002", "430003"] + URLSICategory: + id: ["430002", "430003"] + User: + ecs: [user.id, user.name] + UserAgent: + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + id: ["430001", "430002", "430003"] + WebApplication: + ecs: [network.application] + originalClientSrcIP: + id: ["430002", "430003"] + ecs: [client.ip] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? 
+ existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.cisco.security; + def counters = new HashMap(); + def delete = new HashSet(); + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + delete.add(entry.getKey()); + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + } + } + msg.entrySet().removeIf(item -> delete.contains(item.getKey()) || isEmpty(item.getValue())); + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); +#******************************************************************************* +# End of generated code. 
+#******************************************************************************* + + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + value: malware-detected + +# +# Process the flow duration "hh:mm:ss" present in some messages +# This will fill event.start, event.end and event.duration +# + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + +# +# Normalize protocol names +# + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + +# +# Populate network.iana_number from network.transport. Also does reverse +# mapping in case network.transport contains the iana_number. 
+# + - script: + if: 'ctx?.network?.transport != null' + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + +# +# Normalize event.outcome +# + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"est-allowed\"" + value: allow + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"permitted\"" + value: allow + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"denied\"" + value: deny + - set: + field: "event.outcome" + if: "ctx.event?.outcome == \"dropped\"" + value: deny + + - set: + field: "network.transport" + if: "ctx.network?.transport == \"icmpv6\"" + value: "ipv6-icmp" + +# +# Convert integer fields, as output of dissect and kv processors is always a string +# + - convert: + field: "source.port" + type: integer + ignore_failure: true + - convert: + field: "destination.port" + type: integer + ignore_failure: true + - convert: + field: "source.bytes" + type: integer + ignore_failure: true + - convert: + field: "destination.bytes" + type: integer + ignore_failure: true + - convert: + field: "source.packets" + type: integer + ignore_failure: true + - convert: + field: "destination.packets" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.mapped_source_port" + type: integer + 
ignore_failure: true + - convert: + field: "_temp_.cisco.mapped_destination_port" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.icmp_code" + type: integer + ignore_failure: true + - convert: + field: "_temp_.cisco.icmp_type" + type: integer + ignore_failure: true + - convert: + field: "network.iana_number" + type: integer + ignore_failure: true + +# +# Geolocation for source and destination addresses +# + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + +# +# IP Autonomous System (AS) Lookup +# + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + + - remove: + field: _temp_.cisco.message_id + if: 'ctx._temp_.cisco.message_id == ""' + + - rename: + field: _temp_.cisco + target_field: 'cisco.{< .internal_prefix >}' + ignore_failure: true + +# +# Remove temporary fields +# + - remove: + field: + - _temp_ + ignore_missing: true + +on_failure: + - set: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" + - remove: + field: + - _temp_ + ignore_missing: true 
diff --git a/x-pack/filebeat/module/cisco/shared/security-mappings.csv b/x-pack/filebeat/module/cisco/shared/security-mappings.csv
new file mode 100644
index 000000000000..511310d33b2a
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/security-mappings.csv
@@ -0,0 +1,215 @@
+intrusion,430001,ACPolicy,
+intrusion,430001,ApplicationProtocol,network.protocol
+intrusion,430001,Classification,
+intrusion,430001,Client,
+intrusion,430001,DstIP,destination.ip
+intrusion,430001,DstPort,destination.port
+intrusion,430001,EgressInterface,cisco.ftd.destination_interface
+intrusion,430001,EgressZone,
+intrusion,430001,GID,service.id
+intrusion,430001,HTTPResponse,http.response.status_code
+intrusion,430001,ICMPCode,
+intrusion,430001,ICMPType,
+intrusion,430001,IngressInterface,cisco.ftd.source_interface
+intrusion,430001,IngressZone,
+intrusion,430001,InlineResult,event.outcome
+intrusion,430001,IntrusionPolicy,cisco.ftd.list_id
+intrusion,430001,MPLS_Label,
+intrusion,430001,Message,message
+intrusion,430001,NAPPolicy,
+intrusion,430001,NumIOC,
+intrusion,430001,Priority,
+intrusion,430001,Protocol,network.transport
+intrusion,430001,Revision,
+intrusion,430001,SID,
+intrusion,430001,SSLActualAction,
+intrusion,430001,SrcIP,source.ip
+intrusion,430001,SrcPort,source.port
+intrusion,430001,User,user.id,user.name
+intrusion,430001,VLAN_ID,
+intrusion,430001,WebApplication,network.application
+flow_start,430002,AccessControlRuleAction,event.outcome
+flow_start,430002,AccessControlRuleName,cisco.ftd.list_id
+flow_start,430002,AccessControlRuleReason,
+flow_start,430002,ACPolicy,cisco.ftd.list_id
+flow_start,430002,ApplicationProtocol,network.protocol
+flow_start,430002,Client,
+flow_start,430002,ClientVersion,
+flow_start,430002,DNS_Sinkhole,
+flow_start,430002,DNS_TTL,cisco.ftd.dns.answers.ttl
+flow_start,430002,DNSQuery,cisco.ftd.dns.question.name
+flow_start,430002,DNSRecordType,cisco.ftd.dns.question.type
+flow_start,430002,DNSResponseType,cisco.ftd.dns.answers.type
+flow_start,430002,DNSSICategory,
+flow_start,430002,DstIP,destination.ip
+flow_start,430002,DstPort,destination.port
+flow_start,430002,EgressInterface,cisco.ftd.destination_interface
+flow_start,430002,EgressZone,
+flow_start,430002,Endpoint Profile,
+flow_start,430002,FileCount,
+flow_start,430002,HTTPReferer,http.request.referrer
+flow_start,430002,HTTPResponse,http.response.status_code
+flow_start,430002,ICMPCode,
+flow_start,430002,ICMPType,
+flow_start,430002,IngressInterface,cisco.ftd.source_interface
+flow_start,430002,IngressZone,
+flow_start,430002,IPReputationSICategory,
+flow_start,430002,IPSCount,
+flow_start,430002,NAPPolicy,
+flow_start,430002,NetBIOSDomain,host.hostname
+flow_start,430002,originalClientSrcIP,client.ip
+flow_start,430002,Prefilter Policy,
+flow_start,430002,Protocol,network.transport
+flow_start,430002,ReferencedHost,url.domain
+flow_start,430002,SecIntMatchingIP,
+flow_start,430002,Security Group,
+flow_start,430002,SrcIP,source.ip
+flow_start,430002,SrcPort,source.port
+flow_start,430002,SSLActualAction,event.outcome
+flow_start,430002,SSLCertificate,
+flow_start,430002,SSLExpectedAction,
+flow_start,430002,SSLFlowStatus,
+flow_start,430002,SSLPolicy,
+flow_start,430002,SSLRuleName,
+flow_start,430002,SSLServerCertStatus,
+flow_start,430002,SSLServerName,server.domain
+flow_start,430002,SSLSessionID,
+flow_start,430002,SSLTicketID,
+flow_start,430002,SSLURLCategory,
+flow_start,430002,SSLVersion,
+flow_start,430002,SSSLCipherSuite,
+flow_start,430002,TCPFlags,
+flow_start,430002,Tunnel or Prefilter Rule,
+flow_start,430002,URL,url.original
+flow_start,430002,URLCategory,
+flow_start,430002,URLReputation,
+flow_start,430002,URLSICategory,
+flow_start,430002,User,user.name
+flow_start,430002,UserAgent,user_agent.original
+flow_start,430002,VLAN_ID,
+flow_start,430002,WebApplication,network.application
+flow_end,430003,AccessControlRuleAction,event.outcome
+flow_end,430003,AccessControlRuleName,cisco.ftd.list_id
+flow_end,430003,AccessControlRuleReason,
+flow_end,430003,ACPolicy,cisco.ftd.list_id
+flow_end,430003,ApplicationProtocol,network.protocol
+flow_end,430003,Client,
+flow_end,430003,ClientVersion,
+flow_end,430003,ConnectionDuration,event.duration
+flow_end,430003,DNS_Sinkhole,
+flow_end,430003,DNS_TTL,cisco.ftd.dns.answers.ttl
+flow_end,430003,DNSQuery,cisco.ftd.dns.question.name
+flow_end,430003,DNSRecordType,cisco.ftd.dns.question.type
+flow_end,430003,DNSResponseType,cisco.ftd.dns.answers.type
+flow_end,430003,DNSSICategory,
+flow_end,430003,DstIP,destination.ip
+flow_end,430003,DstPort,destination.port
+flow_end,430003,EgressInterface,cisco.ftd.destination_interface
+flow_end,430003,EgressZone,
+flow_end,430003,Endpoint Profile,
+flow_end,430003,FileCount,
+flow_end,430003,HTTPReferer,http.request.referrer
+flow_end,430003,HTTPResponse,http.response.status_code
+flow_end,430003,ICMPCode,
+flow_end,430003,ICMPType,
+flow_end,430003,IngressInterface,cisco.ftd.source_interface
+flow_end,430003,IngressZone,
+flow_end,430003,InitiatorBytes,source.bytes
+flow_end,430003,InitiatorPackets,source.packets
+flow_end,430003,IPReputationSICategory,
+flow_end,430003,IPSCount,
+flow_end,430003,NAPPolicy,
+flow_end,430003,NetBIOSDomain,host.hostname
+flow_end,430003,originalClientSrcIP,client.ip
+flow_end,430003,Prefilter Policy,
+flow_end,430003,Protocol,network.transport
+flow_end,430003,ReferencedHost,url.domain
+flow_end,430003,ResponderBytes,destination.bytes
+flow_end,430003,ResponderPackets,destination.packets
+flow_end,430003,SecIntMatchingIP,
+flow_end,430003,Security Group,
+flow_end,430003,SrcIP,source.ip
+flow_end,430003,SrcPort,source.port
+flow_end,430003,SSLActualAction,event.outcome
+flow_end,430003,SSLCertificate,
+flow_end,430003,SSLExpectedAction,
+flow_end,430003,SSLFlowStatus,
+flow_end,430003,SSLPolicy,
+flow_end,430003,SSLRuleName,
+flow_end,430003,SSLServerCertStatus,
+flow_end,430003,SSLServerName,server.domain
+flow_end,430003,SSLSessionID,
+flow_end,430003,SSLTicketID,
+flow_end,430003,SSLURLCategory,
+flow_end,430003,SSLVersion,
+flow_end,430003,SSSLCipherSuite,
+flow_end,430003,TCPFlags,
+flow_end,430003,Tunnel or Prefilter Rule,
+flow_end,430003,URL,url.original
+flow_end,430003,URLCategory,
+flow_end,430003,URLReputation,
+flow_end,430003,URLSICategory,
+flow_end,430003,User,user.name
+flow_end,430003,UserAgent,user_agent.original
+flow_end,430003,VLAN_ID,
+flow_end,430003,WebApplication,network.application
+file,430004,ApplicationProtocol,network.protocol
+file,430004,ArchiveDepth,
+file,430004,ArchiveFileName,file.path
+file,430004,ArchiveFileStatus,
+file,430004,ArchiveSHA256,file.hash
+file,430004,Client,network.application
+file,430004,DstIP,destination.ip
+file,430004,DstPort,destination.port
+file,430004,FileAction,
+file,430004,FileDirection,
+file,430004,FileName,file.path
+file,430004,FilePolicy,cisco.ftd.list_id
+file,430004,FileSandboxStatus,
+file,430004,FileSHA256,
+file,430004,FileSize,file.size
+file,430004,FileStorageStatus,
+file,430004,FileType,file.type
+file,430004,FirstPacketSecond,event.start
+file,430004,Protocol,network.transport
+file,430004,SHA_Disposition,
+file,430004,SperoDisposition,
+file,430004,SrcIP,source.ip
+file,430004,SrcPort,source.port
+file,430004,SSLActualAction,
+file,430004,SSLCertificate,
+file,430004,SSLFlowStatus,
+file,430004,URI,url.original
+file,430004,User,user.name
+file,430004,WebApplication,network.application
+malware,430005,ApplicationProtocol,network.protocol
+malware,430005,ArchiveDepth,
+malware,430005,ArchiveFileName,file.path
+malware,430005,ArchiveFileStatus,
+malware,430005,ArchiveSHA256,file.hash
+malware,430005,Client,network.application
+malware,430005,DstIP,destination.ip
+malware,430005,DstPort,destination.port
+malware,430005,FileAction,
+malware,430005,FileDirection,
+malware,430005,FileName,file.path
+malware,430005,FilePolicy,cisco.ftd.list_id
+malware,430005,FileSandboxStatus,
+malware,430005,FileSHA256,
+malware,430005,FileSize,file.size
+malware,430005,FileStorageStatus,
+malware,430005,FileType,file.type
+malware,430005,FirstPacketSecond,event.start
+malware,430005,Protocol,network.transport
+malware,430005,SHA_Disposition,
+malware,430005,SperoDisposition,
+malware,430005,SrcIP,source.ip
+malware,430005,SrcPort,source.port
+malware,430005,SSLActualAction,
+malware,430005,SSLCertificate,
+malware,430005,SSLFlowStatus,
+malware,430005,ThreatName,cisco.ftd.threat_category
+malware,430005,ThreatScore,cisco.ftd.threat_level
+malware,430005,URI,url.original
+malware,430005,User,user.name
+malware,430005,WebApplication,network.application
diff --git a/x-pack/filebeat/module/cisco/shared/stringset.go b/x-pack/filebeat/module/cisco/shared/stringset.go
new file mode 100644
index 000000000000..8e1ecf3cdc00
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/shared/stringset.go
@@ -0,0 +1,56 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build ignore
+
+package main
+
+import (
+ "sort"
+ "strings"
+)
+
+type stringSet map[string]struct{}
+
+func newStringSet(list []string) stringSet {
+ r := stringSet{}
+ for _, value := range list {
+ if len(value) != 0 {
+ r[value] = struct{}{}
+ }
+ }
+ return r
+}
+
+func (set stringSet) merge(o stringSet) {
+ for key := range o {
+ set[key] = struct{}{}
+ }
+}
+
+func (set stringSet) equal(other stringSet) bool {
+ if len(set) != len(other) {
+ return false
+ }
+ for k := range set {
+ if _, found := other[k]; !found {
+ return false
+ }
+ }
+ return true
+}
+
+func (set stringSet) MarshalYAML() (interface{}, error) {
+ keys := make([]string, 0, len(set))
+ for key := range set {
+ keys = append(keys, key)
+ }
+ sort.Strings(keys)
+ return keys, nil
+}
+
+func (set stringSet) String() string {
+ yaml, _ := set.MarshalYAML()
+ return strings.Join(yaml.([]string), ", ")
+}
diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled
index 43548b44d434..2b2ea2461cc8 100644
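Review bot: The row `intrusion,430001,User,user.id,user.name` is the only one with a fifth column, while every other `User` row (430002 through 430005) maps to `user.name` alone; the generated `params` in the pipeline hunk show `User: ecs: [user.id, user.name]` with no `id` list, which suggests the generator merges ECS targets per key across message IDs, so `user.id` would be populated for connection, file and malware events too. If that is intended, make the rows consistent (`user.id,user.name` on every `User` row) so the CSV documents the mapping that is actually applied; if not, the generator needs to keep targets per message ID. Whether the FTD `User` value is an identifier rather than a display name is not visible here, so mapping it to `user.id` at all may be worth confirming against the ECS field definition.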
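Review bot: `String` discards the error from `MarshalYAML` with `_` and then type-asserts `yaml.([]string)` without a check, relying on the fact that `MarshalYAML` can never fail today; a small `sortedKeys` helper shared by both methods removes the unchecked assertion and the silent discard. `newStringSet` also drops empty strings silently (`len(value) != 0`), which is worth stating in a doc comment such as `// newStringSet builds a set from list, skipping empty strings.`. Neither the type nor its methods carry doc comments; since this is a `// +build ignore` generator one line each is enough, e.g. `// stringSet is an unordered set of non-empty strings.` and `// MarshalYAML encodes the set as a sorted list so generated output is stable.`.
```go
// … unchanged: newStringSet, merge, equal …

// sortedKeys returns the set's members in ascending order.
func (set stringSet) sortedKeys() []string {
	keys := make([]string, 0, len(set))
	for key := range set {
		keys = append(keys, key)
	}
	sort.Strings(keys)
	return keys
}

// MarshalYAML encodes the set as a sorted list so generated output is stable.
func (set stringSet) MarshalYAML() (interface{}, error) {
	return set.sortedKeys(), nil
}

// String renders the set as a sorted, comma-separated list.
func (set stringSet) String() string {
	return strings.Join(set.sortedKeys(), ", ")
}
```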
--- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -20,6 +20,24 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + ftd: + enabled: true + + # Set which input to use between syslog (default) or file. + #var.input: syslog + + # The interface to listen to UDP based syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The UDP port to listen for syslog traffic. Defaults to 9003. + #var.syslog_port: 9003 + + # Set the log level from 1 (alerts only) to 7 (include all messages). + # Messages with a log level higher than the specified will be dropped. + # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html + #var.log_level: 7 + ios: enabled: true