[Filebeat][Cisco ASA] event.action Mappings (7.10)

[dainperkins]

Based on the test docs in the current 7.10 implementation there's an issue with event.action mappings. Firepower may exhibit the same issues.

Message IDs: 302016
Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)

output shows:
"event.action": "flow-expiration"

referencing flow-expiration as the event action for connection teardowns (even ones that were caused by a flow timeout) is not really accurate.

I'd suggest:

"event.action": "connection-end"

would be more applicable for event.action (as aside from NSEL the references point of asa logs will be almost always be connections), with an event.reason potentially used for any specifics provided by the log entry

for example:
%ASA-6-302014: Teardown [Probe] TCP connection id for interface :real-address /real-port [(idfw_user )] to interface :real-address /real-port [(idfw_user )] duration hh:mm:ss bytes bytes [reason [from teardown-initiator]] [(user )]

"event.action" : "connection-end"
"event.reason" : "Flow timed out"

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-302003-to-342008.html#con_6941209

I'd suggest firewall permit/deny messages reference e.g. connection-allow, connection-deny in event.action

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.