Commit

Cherry-pick #23068 to 7.x: [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones (#23084)

* [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones (#23068)

* [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones

* Add changelog entry

* Don't override categorization if no zone set

* regenerate golden files

(cherry picked from commit 76b7c8c)

* Fix up changelog
Andrew Stucki authored Dec 10, 2020
1 parent bec81ba commit e1b7ebe
Showing 13 changed files with 221 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
@@ -501,6 +501,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805]
- Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046]
- Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046]
- Add `observer.egress.zone` and `observer.ingress.zone` for cisco/asa and cisco/ftd filesets. {pull}23068[23068]
- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. {pull}23068[23068]
- Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066]

*Heartbeat*
16 changes: 16 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
@@ -512,6 +512,14 @@ filebeat.modules:
# See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
#var.log_level: 7

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

ftd:
enabled: true
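Review bot: Style point on both added comment blocks: `# Set internal security zones. used to override parsed network.direction` continues after the period in lowercase and reads as a typo; suggest `# Set internal security zones. Used to override the parsed network.direction` (and the same for the external block). The identical text appears in x-pack/filebeat/module/cisco/_meta/config.yml in this change, so make the fix there and keep this file in sync with it.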

@@ -530,6 +538,14 @@ filebeat.modules:
# See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
#var.log_level: 7

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

ios:
enabled: true

16 changes: 16 additions & 0 deletions x-pack/filebeat/module/cisco/_meta/config.yml
@@ -17,6 +17,14 @@
# See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
#var.log_level: 7

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

ftd:
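Review bot: Missing documentation in the added comments: they say the zone lists override the parsed network.direction, but not what happens when a flow's ingress and egress zones match neither list. The commit message says categorization is not overridden when no zone is set, so say that here, e.g. `# If neither list matches, the parsed network.direction is kept as-is.` Also capitalize `used` after the period in both blocks.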
enabled: true

@@ -35,6 +43,14 @@
# See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
#var.log_level: 7

# Set internal security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.internal_zones: [ "Internal" ]

# Set external security zones. used to override parsed network.direction
# based on zone egress and ingress
#var.external_zones: [ "External" ]

ios:
enabled: true

14 changes: 14 additions & 0 deletions x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -24,3 +24,17 @@ processors:
target: ''
fields:
ecs.version: 1.7.0

{{ if .external_zones }}
- add_fields:
target: _temp_
fields:
external_zones: {{ .external_zones | tojson }}
{{ end }}

{{ if .internal_zones }}
- add_fields:
target: _temp_
fields:
internal_zones: {{ .internal_zones | tojson }}
{{ end }}
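Review bot: Logic check on the two `add_fields` processors: they stash the configured lists under `_temp_.external_zones` and `_temp_.internal_zones` for the shared ingest pipeline (`../shared/ingest/asa-ftd-pipeline.yml`, referenced from manifest.yml) to consume, but the pipeline change itself is not among the visible hunks. Confirm that the pipeline removes `_temp_` at the end so the zone lists are not indexed with every event. The `{{ if .external_zones }}` / `{{ if .internal_zones }}` guards correctly leave the processors out when the variables are unset, which is what "Don't override categorization if no zone set" requires.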
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/cisco/asa/manifest.yml
@@ -24,6 +24,8 @@ var:
default: asa
- name: internal_PREFIX
default: ASA
- name: external_zones
- name: internal_zones

ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
input: config/input.yml
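Review bot: The new `external_zones` and `internal_zones` vars carry no `default:`, which is intentional (the `{{ if .external_zones }}` guard in config/input.yml only emits the processor when a list is configured), but nothing states whether an explicit empty list `[]` counts as unset; a short comment on the two vars, or an entry in the module docs (not among the visible hunks), would settle that for users.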
14 changes: 14 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/config/input.yml
@@ -23,3 +23,17 @@ processors:
target: ''
fields:
ecs.version: 1.7.0

{{ if .external_zones }}
- add_fields:
target: _temp_
fields:
external_zones: {{ .external_zones | tojson }}
{{ end }}

{{ if .internal_zones }}
- add_fields:
target: _temp_
fields:
internal_zones: {{ .internal_zones | tojson }}
{{ end }}
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/manifest.yml
@@ -24,6 +24,9 @@ var:
default: ftd
- name: internal_PREFIX
default: FTD
- name: external_zones
- name: internal_zones

ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
input: config/input.yml

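Review bot: This hunk is `-24,6 +24,9` (3 additions) while the equivalent asa/manifest.yml hunk is `-24,6 +24,8` (2 additions): the third addition is a trailing blank line after `input: config/input.yml` at end of file. Drop it so the two manifests differ only in their ftd/asa defaults.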
42 changes: 42 additions & 0 deletions x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -78,8 +78,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
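Review bot: The golden records gain `observer.egress.zone` and `observer.ingress.zone`, but no `network.direction` line changes in this hunk, which is the expected result when `internal_zones` / `external_zones` are not configured ("Don't override categorization if no zone set"). That leaves the override path itself untested: add a test variant with the two lists set (e.g. `internal_zones: ["output-zone"]`, `external_zones: ["input-zone"]`) and a golden file that shows the resulting `network.direction`.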
@@ -187,8 +189,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -294,8 +298,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -403,8 +409,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -511,8 +519,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -618,8 +628,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -728,8 +740,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -835,8 +849,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -943,8 +959,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1052,8 +1070,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1162,8 +1182,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1265,8 +1287,10 @@
"network.protocol": "dns",
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1373,8 +1397,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1480,8 +1506,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1588,8 +1616,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1697,8 +1727,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1804,8 +1836,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -1911,8 +1945,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -2018,8 +2054,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -2123,8 +2161,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -2232,8 +2272,10 @@
"network.protocol": "dns",
"network.transport": "udp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "siem-ftd",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
Next changed file (file name not preserved on the page)
@@ -57,8 +57,10 @@
"network.protocol": "http",
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "firepower",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -142,8 +144,10 @@
"network.protocol": "http",
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
"observer.egress.zone": "output-zone",
"observer.hostname": "firepower",
"observer.ingress.interface.name": "outside",
"observer.ingress.zone": "input-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -223,8 +227,10 @@
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "outside",
"observer.egress.zone": "input-zone",
"observer.hostname": "firepower",
"observer.ingress.interface.name": "inside",
"observer.ingress.zone": "output-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
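Review bot: In this record the pairing is reversed relative to the earlier ones: `observer.egress.interface.name` is `outside` with `observer.egress.zone` `input-zone`, and ingress is `inside` with `output-zone`, whereas the dns records pair `inside` with `output-zone` on egress. That is plausible for a reply-direction event, but please confirm against the raw log line that the zone values are taken from the same positions as the interface names and have not been swapped.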
@@ -304,8 +310,10 @@
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "outside",
"observer.egress.zone": "input-zone",
"observer.hostname": "firepower",
"observer.ingress.interface.name": "inside",
"observer.ingress.zone": "output-zone",
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",