From e1b7ebea9915eed158b2cded21d6a21ef4900939 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Thu, 10 Dec 2020 18:21:41 -0500 Subject: [PATCH] Cherry-pick #23068 to 7.x: [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones (#23084) * [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones (#23068) * [Filebeat] Allow cisco/asa and cisco/ftd modules to override network directionality based off of zones * Add changelog entry * Don't override categorization if no zone set * regenerate golden files (cherry picked from commit 76b7c8c1a44eff4766a2886400757033fdf6e063) * Fix up changelog --- CHANGELOG.next.asciidoc | 2 + x-pack/filebeat/filebeat.reference.yml | 16 +++++ x-pack/filebeat/module/cisco/_meta/config.yml | 16 +++++ .../module/cisco/asa/config/input.yml | 14 ++++ x-pack/filebeat/module/cisco/asa/manifest.yml | 2 + .../module/cisco/ftd/config/input.yml | 14 ++++ x-pack/filebeat/module/cisco/ftd/manifest.yml | 3 + .../cisco/ftd/test/dns.log-expected.json | 42 ++++++++++++ .../ftd/test/intrusion.log-expected.json | 8 +++ .../security-connection.log-expected.json | 20 ++++++ .../security-malware-site.log-expected.json | 2 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 66 +++++++++++++++++++ x-pack/filebeat/modules.d/cisco.yml.disabled | 16 +++++ 13 files changed, 221 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2a61ee1044a..7d5dcfe7b5a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -501,6 +501,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805] - Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046] - Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046] +- Add `observer.egress.zone` and `observer.ingress.zone` for cisco/asa and cisco/ftd filesets. {pull}23068[23068] +- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. {pull}23068[23068] - Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066] *Heartbeat* diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index c949e31735d..37fdd95b6d1 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -512,6 +512,14 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -530,6 +538,14 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true 
diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index c9c670fc095..b0fb55ed7cb 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -17,6 +17,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -35,6 +43,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 9cd38cbc3d7..2e85cd4dfee 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -24,3 +24,17 @@ processors: target: '' fields: ecs.version: 1.7.0 + +{{ if .external_zones }} + - add_fields: + target: _temp_ + fields: + external_zones: {{ .external_zones | tojson }} +{{ end }} + +{{ if .internal_zones }} + - add_fields: + target: _temp_ + fields: + internal_zones: {{ .internal_zones | tojson }} +{{ end }} diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 58b1bed572a..3c185f7980c 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml 
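Review bot: The new `var.internal_zones` / `var.external_zones` comments say the vars "override parsed network.direction" but not the two conditions the pipeline in this patch actually imposes: both vars must be set for any override to happen, and once they are, traffic touching a zone that appears in neither list gets `network.direction: unknown`, discarding whatever direction was parsed from the message. A partially enumerated zone list therefore degrades existing data silently rather than falling back to the log. I would extend the comment in each of the four copies, e.g. `# Both vars must be set; zones listed in neither are mapped to network.direction: unknown.` The same wording applies to the asa/config/input.yml hunk on this line, which only injects the vars into `_temp_` and does no validation of its own.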
+++ b/x-pack/filebeat/module/cisco/asa/manifest.yml @@ -24,6 +24,8 @@ var: default: asa - name: internal_PREFIX default: ASA + - name: external_zones + - name: internal_zones ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index 8573365f7f3..8a3ec3e9ab4 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -23,3 +23,17 @@ processors: target: '' fields: ecs.version: 1.7.0 + +{{ if .external_zones }} + - add_fields: + target: _temp_ + fields: + external_zones: {{ .external_zones | tojson }} +{{ end }} + +{{ if .internal_zones }} + - add_fields: + target: _temp_ + fields: + internal_zones: {{ .internal_zones | tojson }} +{{ end }} diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml index e18956c1dc8..31eb9659a6b 100644 --- a/x-pack/filebeat/module/cisco/ftd/manifest.yml +++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml @@ -24,6 +24,9 @@ var: default: ftd - name: internal_PREFIX default: FTD + - name: external_zones + - name: internal_zones + ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b7b065dea1c..093665fca98 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -78,8 +78,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
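Review bot: `external_zones` and `internal_zones` are declared for the asa fileset, but from what is visible in this patch the only source of `observer.ingress.zone` / `observer.egress.zone` is the FTD field map for message ids 430001–430003 (`ecs: [observer.egress.zone]` / `ecs: [observer.ingress.zone]` in the shared pipeline), and the override conditions require both zone fields to be non-null. On ASA syslog that never carries those fields the two vars are therefore inert, and an operator setting them will see no effect. If that is intended, a note next to the declarations (`# only effective for FTD messages that carry IngressZone/EgressZone`) would save debugging time; if ASA is meant to get the same behaviour, the asa side needs an equivalent zone source. The manifest's `var:` list begins outside this hunk.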
@@ -187,8 +189,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -294,8 +298,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -403,8 +409,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -511,8 +519,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -618,8 +628,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -728,8 +740,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -835,8 +849,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -943,8 +959,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1052,8 +1070,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1162,8 +1182,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -1265,8 +1287,10 @@ "network.protocol": "dns", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1373,8 +1397,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1480,8 +1506,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1588,8 +1616,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1697,8 +1727,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -1804,8 +1836,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1911,8 +1945,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2018,8 +2054,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2123,8 +2161,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2232,8 +2272,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 681c8052cb0..f8745332a6f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -57,8 +57,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -142,8 +144,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -223,8 +227,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "inside", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -304,8 +310,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "inside", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7490bc1ac57..6a38a072bfc 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -60,8 +60,10 @@ "network.protocol": "icmp", "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -152,8 +154,10 @@ "network.protocol": "icmp", "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -253,8 +257,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -361,8 +367,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -457,8 +465,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -571,8 +581,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -670,8 +682,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -780,8 +794,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -868,8 +884,10 @@ "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -969,8 +987,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "input", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "output", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index 0b669eb5dff..de4be40b0b5 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -81,8 +81,10 @@
 "network.protocol": "http",
 "network.transport": "tcp",
 "observer.egress.interface.name": "s1p1",
+ "observer.egress.zone": "Inside-DMZ-Interface-Inline",
 "observer.hostname": "CISCO-SENSOR-3D",
 "observer.ingress.interface.name": "s1p2",
+ "observer.ingress.zone": "Inside-DMZ-Interface-Inline",
 "observer.product": "ftd",
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index c828c45250a..9568d4fbc36 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -723,6 +723,7 @@ processors:
 EgressZone:
 target: egress_zone
 id: ["430001", "430002", "430003"]
+ ecs: [observer.egress.zone]
 Endpoint Profile:
 target: endpoint_profile
 id: ["430002", "430003"]
@@ -795,6 +796,7 @@ processors:
 IngressZone:
 target: ingress_zone
 id: ["430001", "430002", "430003"]
+ ecs: [observer.ingress.zone]
 InitiatorBytes:
 target: initiator_bytes
 id: ["430003"]
@@ -1390,6 +1392,70 @@ processors:
 value: "{{_temp_.cisco.mapped_destination_port}}"
 if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
 ignore_empty_value: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) # # Populate ECS event.code diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index cf0c2d62464..785b6c37d69 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -20,6 +20,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -38,6 +46,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true
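Review bot: All five `set` conditions call `.contains(...)` on `_temp_.external_zones` / `_temp_.internal_zones` without checking that they are lists; the input template injects the vars via `tojson`, so an operator who writes `var.external_zones: "External"` instead of a list should end up with a Painless String, where `contains` is a substring test and a zone named `DMZ` would match `DMZ-External`. Adding `ctx._temp_.external_zones instanceof List && ctx._temp_.internal_zones instanceof List &&` to each guard (or one leading `fail` processor on non-list values) closes that. Separately, nothing rejects a zone that appears in both vars: such a zone satisfies several conditions at once and the last matching processor wins, so two-"both"-zone traffic is labelled `external` purely by processor order, which deserves either a guard or a sentence in the header comment. A single `script` processor computing the direction once would also remove the four repeated null guards. The `processors:` list this hunk extends begins outside the visible patch, and its trailing context runs into the event.code section.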