snake_case all the things

x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json

@@ -7,26 +7,26 @@
             "intrusion-policy",
             "default"
         ],
-        "cisco.ftd.security.ACPolicy": "default",
-        "cisco.ftd.security.ApplicationProtocol": "HTTP",
-        "cisco.ftd.security.Classification": "Attempted User Privilege Gain",
-        "cisco.ftd.security.Client": "Firefox",
-        "cisco.ftd.security.DstIP": "10.0.100.30",
-        "cisco.ftd.security.DstPort": "80",
-        "cisco.ftd.security.EgressInterface": "outside",
-        "cisco.ftd.security.EgressZone": "output-zone",
-        "cisco.ftd.security.GID": "1",
-        "cisco.ftd.security.IngressInterface": "inside",
-        "cisco.ftd.security.IngressZone": "input-zone",
-        "cisco.ftd.security.IntrusionPolicy": "intrusion-policy",
-        "cisco.ftd.security.Message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
-        "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity",
-        "cisco.ftd.security.Priority": "1",
-        "cisco.ftd.security.Protocol": "tcp",
-        "cisco.ftd.security.Revision": "12",
-        "cisco.ftd.security.SID": "17279",
-        "cisco.ftd.security.SrcPort": "55644",
-        "cisco.ftd.security.User": "No Authentication Required",
+        "cisco.ftd.security.ac_policy": "default",
+        "cisco.ftd.security.application_protocol": "HTTP",
+        "cisco.ftd.security.classification": "Attempted User Privilege Gain",
+        "cisco.ftd.security.client": "Firefox",
+        "cisco.ftd.security.dst_ip": "10.0.100.30",
+        "cisco.ftd.security.dst_port": "80",
+        "cisco.ftd.security.egress_interface": "outside",
+        "cisco.ftd.security.egress_zone": "output-zone",
+        "cisco.ftd.security.gid": "1",
+        "cisco.ftd.security.ingress_interface": "inside",
+        "cisco.ftd.security.ingress_zone": "input-zone",
+        "cisco.ftd.security.intrusion_policy": "intrusion-policy",
+        "cisco.ftd.security.message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
+        "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity",
+        "cisco.ftd.security.priority": "1",
+        "cisco.ftd.security.protocol": "tcp",
+        "cisco.ftd.security.revision": "12",
+        "cisco.ftd.security.sid": "17279",
+        "cisco.ftd.security.src_port": "55644",
+        "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.source_interface": "inside",
         "destination.ip": "10.0.100.30",
         "destination.port": 80,
@@ -64,26 +64,26 @@
             "intrusion-policy",
             "default"
         ],
-        "cisco.ftd.security.ACPolicy": "default",
-        "cisco.ftd.security.ApplicationProtocol": "HTTP",
-        "cisco.ftd.security.Classification": "Attempted User Privilege Gain",
-        "cisco.ftd.security.Client": "Firefox",
-        "cisco.ftd.security.DstIP": "10.0.100.30",
-        "cisco.ftd.security.DstPort": "80",
-        "cisco.ftd.security.EgressInterface": "outside",
-        "cisco.ftd.security.EgressZone": "output-zone",
-        "cisco.ftd.security.GID": "1",
-        "cisco.ftd.security.IngressInterface": "inside",
-        "cisco.ftd.security.IngressZone": "input-zone",
-        "cisco.ftd.security.IntrusionPolicy": "intrusion-policy",
-        "cisco.ftd.security.Message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
-        "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity",
-        "cisco.ftd.security.Priority": "1",
-        "cisco.ftd.security.Protocol": "tcp",
-        "cisco.ftd.security.Revision": "12",
-        "cisco.ftd.security.SID": "17279",
-        "cisco.ftd.security.SrcPort": "55868",
-        "cisco.ftd.security.User": "No Authentication Required",
+        "cisco.ftd.security.ac_policy": "default",
+        "cisco.ftd.security.application_protocol": "HTTP",
+        "cisco.ftd.security.classification": "Attempted User Privilege Gain",
+        "cisco.ftd.security.client": "Firefox",
+        "cisco.ftd.security.dst_ip": "10.0.100.30",
+        "cisco.ftd.security.dst_port": "80",
+        "cisco.ftd.security.egress_interface": "outside",
+        "cisco.ftd.security.egress_zone": "output-zone",
+        "cisco.ftd.security.gid": "1",
+        "cisco.ftd.security.ingress_interface": "inside",
+        "cisco.ftd.security.ingress_zone": "input-zone",
+        "cisco.ftd.security.intrusion_policy": "intrusion-policy",
+        "cisco.ftd.security.message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt",
+        "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity",
+        "cisco.ftd.security.priority": "1",
+        "cisco.ftd.security.protocol": "tcp",
+        "cisco.ftd.security.revision": "12",
+        "cisco.ftd.security.sid": "17279",
+        "cisco.ftd.security.src_port": "55868",
+        "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.source_interface": "inside",
         "destination.ip": "10.0.100.30",
         "destination.port": 80,
@@ -121,24 +121,24 @@
             "intrusion-policy",
             "default"
         ],
-        "cisco.ftd.security.ACPolicy": "default",
-        "cisco.ftd.security.Classification": "Misc Activity",
-        "cisco.ftd.security.DstIP": "10.0.1.20",
-        "cisco.ftd.security.DstPort": "39114",
-        "cisco.ftd.security.EgressInterface": "inside",
-        "cisco.ftd.security.EgressZone": "input-zone",
-        "cisco.ftd.security.GID": "1",
-        "cisco.ftd.security.IngressInterface": "outside",
-        "cisco.ftd.security.IngressZone": "output-zone",
-        "cisco.ftd.security.IntrusionPolicy": "intrusion-policy",
-        "cisco.ftd.security.Message": "APP-DETECT failed FTP login attempt",
-        "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity",
-        "cisco.ftd.security.Priority": "3",
-        "cisco.ftd.security.Protocol": "tcp",
-        "cisco.ftd.security.Revision": "6",
-        "cisco.ftd.security.SID": "13360",
-        "cisco.ftd.security.SrcPort": "21",
-        "cisco.ftd.security.User": "No Authentication Required",
+        "cisco.ftd.security.ac_policy": "default",
+        "cisco.ftd.security.classification": "Misc Activity",
+        "cisco.ftd.security.dst_ip": "10.0.1.20",
+        "cisco.ftd.security.dst_port": "39114",
+        "cisco.ftd.security.egress_interface": "inside",
+        "cisco.ftd.security.egress_zone": "input-zone",
+        "cisco.ftd.security.gid": "1",
+        "cisco.ftd.security.ingress_interface": "outside",
+        "cisco.ftd.security.ingress_zone": "output-zone",
+        "cisco.ftd.security.intrusion_policy": "intrusion-policy",
+        "cisco.ftd.security.message": "APP-DETECT failed FTP login attempt",
+        "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity",
+        "cisco.ftd.security.priority": "3",
+        "cisco.ftd.security.protocol": "tcp",
+        "cisco.ftd.security.revision": "6",
+        "cisco.ftd.security.sid": "13360",
+        "cisco.ftd.security.src_port": "21",
+        "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.source_interface": "outside",
         "destination.ip": "10.0.1.20",
         "destination.port": 39114,
@@ -174,24 +174,24 @@
             "intrusion-policy",
             "default"
         ],
-        "cisco.ftd.security.ACPolicy": "default",
-        "cisco.ftd.security.Classification": "Misc Activity",
-        "cisco.ftd.security.DstIP": "10.0.1.20",
-        "cisco.ftd.security.DstPort": "40740",
-        "cisco.ftd.security.EgressInterface": "inside",
-        "cisco.ftd.security.EgressZone": "input-zone",
-        "cisco.ftd.security.GID": "1",
-        "cisco.ftd.security.IngressInterface": "outside",
-        "cisco.ftd.security.IngressZone": "output-zone",
-        "cisco.ftd.security.IntrusionPolicy": "intrusion-policy",
-        "cisco.ftd.security.Message": "APP-DETECT failed FTP login attempt",
-        "cisco.ftd.security.NAPPolicy": "Balanced Security and Connectivity",
-        "cisco.ftd.security.Priority": "3",
-        "cisco.ftd.security.Protocol": "6",
-        "cisco.ftd.security.Revision": "6",
-        "cisco.ftd.security.SID": "13360",
-        "cisco.ftd.security.SrcPort": "21",
-        "cisco.ftd.security.User": "No Authentication Required",
+        "cisco.ftd.security.ac_policy": "default",
+        "cisco.ftd.security.classification": "Misc Activity",
+        "cisco.ftd.security.dst_ip": "10.0.1.20",
+        "cisco.ftd.security.dst_port": "40740",
+        "cisco.ftd.security.egress_interface": "inside",
+        "cisco.ftd.security.egress_zone": "input-zone",
+        "cisco.ftd.security.gid": "1",
+        "cisco.ftd.security.ingress_interface": "outside",
+        "cisco.ftd.security.ingress_zone": "output-zone",
+        "cisco.ftd.security.intrusion_policy": "intrusion-policy",
+        "cisco.ftd.security.message": "APP-DETECT failed FTP login attempt",
+        "cisco.ftd.security.nap_policy": "Balanced Security and Connectivity",
+        "cisco.ftd.security.priority": "3",
+        "cisco.ftd.security.protocol": "6",
+        "cisco.ftd.security.revision": "6",
+        "cisco.ftd.security.sid": "13360",
+        "cisco.ftd.security.src_port": "21",
+        "cisco.ftd.security.user": "No Authentication Required",
         "cisco.ftd.source_interface": "outside",
         "destination.ip": "10.0.1.20",
         "destination.port": 40740,

x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json

@@ -2,11 +2,11 @@
     {
         "@timestamp": "2018-01-11T01:00:27.000Z",
         "cisco.ftd.message_id": "430001",
-        "cisco.ftd.security.ApplicationProtocol": "http",
-        "cisco.ftd.security.Client": "webserver",
-        "cisco.ftd.security.DstIP": "10.8.12.47",
-        "cisco.ftd.security.Message": "Intrusion attempt",
-        "cisco.ftd.security.SrcIP": "10.1.123.45",
+        "cisco.ftd.security.application_protocol": "http",
+        "cisco.ftd.security.client": "webserver",
+        "cisco.ftd.security.dst_ip": "10.8.12.47",
+        "cisco.ftd.security.message": "Intrusion attempt",
+        "cisco.ftd.security.src_ip": "10.1.123.45",
         "destination.ip": "10.8.12.47",
         "event.action": "intrusion-detected",
         "event.code": 430001,
@@ -34,8 +34,8 @@
     {
         "@timestamp": "2018-01-11T01:00:27.000Z",
         "cisco.ftd.message_id": "430001",
-        "cisco.ftd.security.HTTPResponse": "404",
-        "cisco.ftd.security.Message": "Some message here (1:36330:2).",
+        "cisco.ftd.security.http_response": "404",
+        "cisco.ftd.security.message": "Some message here (1:36330:2).",
         "event.action": "intrusion-detected",
         "event.code": 430001,
         "event.dataset": "cisco.ftd",
@@ -60,8 +60,8 @@
     {
         "@timestamp": "2018-01-11T01:00:27.000Z",
         "cisco.ftd.message_id": "430002",
-        "cisco.ftd.security.HTTPResponse": "404",
-        "cisco.ftd.security.Message": "Some message here (1:36330:2)",
+        "cisco.ftd.security.http_response": "404",
+        "cisco.ftd.security.message": "Some message here (1:36330:2)",
         "event.action": "connection-started",
         "event.code": 430002,
         "event.dataset": "cisco.ftd",
@@ -86,15 +86,15 @@
     {
         "@timestamp": "2018-01-11T01:00:27.000Z",
         "cisco.ftd.message_id": "430005",
-        "cisco.ftd.security.DstIP": "192.168.3.33",
-        "cisco.ftd.security.DstPort": "64311",
-        "cisco.ftd.security.HTTPResponse": "404",
-        "cisco.ftd.security.Message": [
+        "cisco.ftd.security.dst_ip": "192.168.3.33",
+        "cisco.ftd.security.dst_port": "64311",
+        "cisco.ftd.security.http_response": "404",
+        "cisco.ftd.security.message": [
             "This one has a type id",
             "And two messages"
         ],
-        "cisco.ftd.security.SrcIP": "127.0.0.1",
-        "cisco.ftd.security.SrcPort": "512",
+        "cisco.ftd.security.src_ip": "127.0.0.1",
+        "cisco.ftd.security.src_port": "512",
         "destination.ip": "192.168.3.33",
         "destination.port": 64311,
         "event.action": "malware-detected",