From a3d46b2ef928b04d0b332cd013a0a6263bf810ba Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Tue, 25 Aug 2020 09:30:43 +0200 Subject: [PATCH] [Filebeat][Cisco Module] Adding various smaller hotfixes related to github issues (#20565) * applying fixes to existing message_ids, adding support for new message_ids, fixing nat mapping and a few more * adding the last missing fields * updating changelog * mage fmt update * Updating test data to be a bit more realistic instead of just localhost (cherry picked from commit 3f025e1df0fe45a2bcdc1e5ea44ed3c24a9f899a) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 110 + .../module/cisco/asa/_meta/fields.yml | 66 + .../cisco/asa/test/additional_messages.log | 69 + .../additional_messages.log-expected.json | 2953 +++++++++++++++++ .../cisco/asa/test/asa-fix.log-expected.json | 57 + .../cisco/asa/test/asa.log-expected.json | 1412 ++++++++ .../asa/test/dap_records.log-expected.json | 3 + .../cisco/asa/test/filtered.log-expected.json | 9 + .../asa/test/hostnames.log-expected.json | 8 + .../cisco/asa/test/not-ip.log-expected.json | 16 +- .../cisco/asa/test/sample.log-expected.json | 630 +++- x-pack/filebeat/module/cisco/fields.go | 2 +- .../cisco/ftd/test/asa-fix.log-expected.json | 27 + .../cisco/ftd/test/asa.log-expected.json | 1412 ++++++++ .../cisco/ftd/test/dns.log-expected.json | 126 + .../cisco/ftd/test/filtered.log-expected.json | 4 + .../firepower-management.log-expected.json | 102 + .../ftd/test/intrusion.log-expected.json | 24 + .../ftd/test/no-type-id.log-expected.json | 16 + .../cisco/ftd/test/not-ip.log-expected.json | 16 +- .../cisco/ftd/test/sample.log-expected.json | 645 +++- .../security-connection.log-expected.json | 60 + .../security-file-malware.log-expected.json | 40 + .../security-malware-site.log-expected.json | 6 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 178 +- 26 files changed, 7896 insertions(+), 96 deletions(-) create mode 100644 x-pack/filebeat/module/cisco/asa/test/additional_messages.log create mode 100644 
x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ca13c20b582..0e46800fbe8 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -456,6 +456,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Set index.max_docvalue_fields_search in index template to increase value to 200 fields. {issue}20215[20215]
 - Add leader election for Kubernetes autodiscover. {pull}20281[20281]
 - Add capability of enriching process metadata with contianer id also for non-privileged containers in `add_process_metadata` processor. {pull}19767[19767]
+- Added support for more message types for Cisco ASA and FTD. {pull}20565[20565]
 - Add replace_fields config option in add_host_metadata for replacing host fields. {pull}20490[20490] {issue}20464[20464]
 
 *Auditbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index c3b36cb087e..bb6ab0847e1 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -20675,6 +20675,116 @@ type: keyword The assigned DAP records +type: keyword + +-- + +*`cisco.asa.command_line_arguments`*:: ++ +-- +The command line arguments logged by the local audit log + + +type: keyword + +-- + +*`cisco.asa.assigned_ip`*:: ++ +-- +The IP address assigned to a VPN client successfully connecting + + +type: ip + +-- + +*`cisco.asa.privilege.old`*:: ++ +-- +When a users privilege is changed this is the old value + + +type: keyword + +-- + +*`cisco.asa.privilege.new`*:: ++ +-- +When a users privilege is changed this is the new value + + +type: keyword + +-- + +*`cisco.asa.burst.object`*:: ++ +-- +The related object for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.id`*:: ++ +-- +The related rate ID for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.current_rate`*:: ++ +-- +The current burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_rate`*:: ++ +-- +The current configured burst rate + + +type: keyword + +-- + +*`cisco.asa.burst.avg_rate`*:: ++ +-- +The current average burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_avg_rate`*:: ++ +-- +The current configured average burst rate allowed + + +type: keyword + +-- + +*`cisco.asa.burst.cumulative_count`*:: ++ +-- +The total count of burst rate hits since the object was created or cleared + + type: keyword -- diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 678615265fa..b3bb3b5eb1d 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml 
@@ -109,3 +109,69 @@
 type: keyword
 description: >
 The assigned DAP records
+
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: >
+ The command line arguments logged by the local audit log
+
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: >
+ The IP address assigned to a VPN client successfully connecting
+
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the old value
+
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the new value
+
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: >
+ The related object for burst warnings
+
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: >
+ The related rate ID for burst warnings
+
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current burst rate seen
+
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured burst rate
+
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current average burst rate seen
+
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured average burst rate allowed
+
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: >
+ The total count of burst rate hits since the object was created or cleared
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
new file mode 100644
index 00000000000..f9ba86b8d0c
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
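Review bot: The five numeric burst fields added here — `burst.current_rate`, `burst.configured_rate`, `burst.avg_rate`, `burst.configured_avg_rate` and `burst.cumulative_count` — are declared `type: keyword`, although the sample 733100 line in the new test log carries plain integers for all of them ("Current burst rate is 0 per second ... Cumulative total count is 9063"). As keywords they can neither be range-queried nor aggregated, which is exactly what a detection rule or dashboard on rate-exceeded events needs; `type: long` fits better, provided the ingest pipeline (changed in this commit but not in this excerpt) emits them as numbers or gains a `convert` processor. `privilege.old`/`privilege.new` are numeric levels in the 502103 sample too, though keyword is defensible there if non-numeric values can occur. Separately, both privilege descriptions read `When a users privilege is changed`; it should be `When a user's privilege is changed`.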
@@ -0,0 +1,69 @@
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
+May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
+May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
+May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
+May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
+May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
+May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
+May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
+May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
+May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
+May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
+May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
+May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
+May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
+May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
+May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
+May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
+May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
+Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
+Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
+Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'
+Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
+Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user "*****"
+Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
+Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
new file mode 100644
index 00000000000..8d8b28fe30f
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
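Review bot: The new fixture uses publicly routable addresses where synthetic data is wanted — 8.8.8.8/8.8.4.4 and 2001:4860:4860::8888 as NAT and VPN-assigned addresses, and 91.240.17.178, 104.46.88.19, 195.74.114.34 and 195.122.12.242 as peers in the 713049/113019/710003/106100 lines; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and 2001:db8::/32 give the "more realistic than localhost" shape the commit message asks for without attributing VPN sessions and ACL denies to real hosts. Two lines also read like typos rather than deliberate malformed-input cases: the third 302022 line has `net:192.1682.2.2/10051` and the 302024 line has `(8.8.8.5(19051)` with an unbalanced parenthesis; if they are intentional negative cases it is worth recording that somewhere, since the .log format has no room for a comment. The generated expected output for this fixture (next hunk) pins some parses that look wrong rather than exercising them, e.g. `"cisco.asa.source_username": "type"` for the 302021 teardown line and `event.action: flow-expiration` with `event.type: [connection, end]` for the 302020 "Built inbound ICMP connection" lines, so the golden file may be freezing pipeline behaviour that should instead be corrected in asa-ftd-pipeline.yml.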
@@ -0,0 +1,2953 @@ +[ + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "net", + "destination.address": 
"192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 162, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 324, + "network.direction": "inbound", + "network.protocol": 
"icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T17:51:17.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T19:51:17.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 466, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 557, + "observer.egress.interface.name": "net", + 
"observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 628, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 111, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 111, + "cisco.asa.message_id": "805001", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 111, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 
805001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 770, + "network.transport": "tcp flow", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 111, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "941243214", + "cisco.asa.destination_interface": "fw109", + "cisco.asa.mapped_destination_ip": "10.192.70.66", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "10.192.18.4", + "cisco.asa.mapped_source_port": 51261, + "cisco.asa.message_id": "805002", + "cisco.asa.source_interface": "net", + "destination.address": "10.192.70.66", + "destination.ip": "10.192.70.66", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 805002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 
932, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw109", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.18.4", + "10.192.70.66" + ], + "service.type": "cisco", + "source.address": "10.192.18.4", + "source.ip": "10.192.18.4", + "source.port": 51261, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "710005", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 67, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1119, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 68, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "303002", + "cisco.asa.source_interface": "net", + "client.user.name": "testuser", + "destination.address": "10.192.18.4", + "destination.ip": "10.192.18.4", + "destination.port": 21, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 303002, + "event.dataset": 
"cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "/export/home/sysm/ftproot/sdsdsds/tmp.log", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1223, + "network.protocol": "ftp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.192.18.4" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 63656, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "710006", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1396, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "313005", + "cisco.asa.source_interface": "fw111", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-4-313005: 
No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 1492, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302021", + "cisco.asa.source_username": "type", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1722, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": 
[ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1859, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "identity", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:24:31.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T20:24:31.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1930, + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": 
"flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2026, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.46.90", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.192.46.90", + "source.ip": "10.192.46.90", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2155, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + 
"source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "2960892904", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "out111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 55225, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2298, + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 443, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1588662", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 54839, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 80, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "intfacename", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + 
"destination.nat.ip": "8.8.8.8", + "destination.port": 54839, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2462, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "source.port": 80, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "302012", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 54230, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": 
"dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2623, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 54230, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_type": 0, + "cisco.asa.message_id": "313004", + "cisco.asa.source_interface": "fw502", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 2768, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw502", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 57006, + 
"event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2904, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 57006, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106001", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 14322, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3029, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": 
"firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 43803, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1671727", + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.186.2.2", + "destination.as.number": 395776, + "destination.as.organization.name": "FEDERAL ONLINE GROUP LLC", + "destination.geo.city_name": "Thousand Oaks", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.197, + "destination.geo.location.lon": -118.8199, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "192.186.2.2", + "destination.port": 53356, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 124000000000, + "event.end": "2020-05-05T18:40:50.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "event.severity": 2, + "event.start": "2020-05-05T20:38:46.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3172, + "network.bytes": 64585, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + 
"192.186.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": "8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3328, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": 
"8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3491, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "out1111_access_out", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 
0x47e21ef4]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3654, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 64388, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106021", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3818, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106006", + "cisco.asa.source_interface": "fw111", + "destination.address": 
"10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 65020, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3935, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 65020, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4053, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + 
"observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 53089, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4197, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 17127, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "event.outcome": "tcp", + "event.severity": 6, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4337, + "network.transport": "(no", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 24223, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4949, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + 
"host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list fw211111_access_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5369, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list aaa_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5476, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + 
"cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "ptaaac", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 3452, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5571, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "ptaaac", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 62157, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "net", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 6007, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + 
"event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5743, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 49033, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302027", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302027, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5922, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302026", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302026, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "event.severity": 6, + "event.timezone": "-02:00", + 
"event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6113, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "710005", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 1985, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 6256, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 1985, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302025", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302025, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + 
], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6362, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302024", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302024, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6571, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106014", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10(type", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106014, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 6722, + "network.direction": "inbound", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": 
"fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "7", + "cisco.asa.burst.configured_avg_rate": "-4", + "cisco.asa.burst.configured_rate": "-4", + "cisco.asa.burst.cumulative_count": "9063", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.2.2", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 6838, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106010", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 2, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106010: Deny inbound sctp src 
fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 7071, + "network.direction": "inbound", + "network.transport": "sctp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 5114, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "507003", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 80, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 507003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 7178, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": 
"10.10.10.10", + "source.port": 49574, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7351, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7446, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": 
"10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/IOFUHSIU98[0]" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7563, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7699, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + 
"observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.connection_id": "2751765169", + "cisco.asa.destination_interface": "server.deflan", + "cisco.asa.message_id": "302304", + "cisco.asa.source_interface": "server.deflan", + "destination.address": "2.3.4.5", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.city_name": "Clermont-Ferrand", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 45.7838, + "destination.geo.location.lon": 3.0966, + "destination.geo.region_iso_code": "FR-63", + "destination.geo.region_name": "Puy-de-D\u00f4me", + "destination.ip": "2.3.4.5", + "destination.port": 9101, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302304, + "event.dataset": "cisco.asa", + "event.duration": 3602000000000, + "event.end": "2020-04-27T04:12:23.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "event.severity": 6, + "event.start": "2020-04-27T05:12:21.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 7808, + "network.bytes": 245, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "server.deflan", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "server.deflan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": 
"Cisco", + "related.ip": [ + "1.2.3.4", + "2.3.4.5" + ], + "service.type": "cisco", + "source.address": "1.2.3.4", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 54242, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "srv", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "global_access_1", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 51635, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 8003, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "srv", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.2", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.2", + "source.ip": "10.10.10.2", + "source.port": 56444, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "testrulename", + 
"cisco.asa.source_interface": "insideintf", + "destination.address": "195.122.12.242", + "destination.as.number": 12578, + "destination.as.organization.name": "SIA Tet", + "destination.geo.city_name": "Riga", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "LV", + "destination.geo.location.lat": 56.9496, + "destination.geo.location.lon": 24.0978, + "destination.geo.region_iso_code": "LV-RIX", + "destination.geo.region_name": "Riga", + "destination.ip": "195.122.12.242", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8160, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "insideintf", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "195.122.12.242" + ], + "service.type": "cisco", + "source.address": "somedomainname.local", + "source.domain": "somedomainname.local", + "source.port": 27218, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "111004", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111004: console end configuration: OK", + "event.outcome": "success", + 
"event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8353, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "source.address": "console", + "source.domain": "console", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "'clear'", + "cisco.asa.message_id": "111010", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8421, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "502103", + "cisco.asa.privilege.new": "15", + "cisco.asa.privilege.old": "1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 502103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8528, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605004", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8623, + "network.protocol": "https", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.1.212", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.1.212", + "source.ip": "10.10.1.212", + "source.port": 51923, + "source.user.name": "*****", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611102", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "event.outcome": 
"failed", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8746, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605005", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8849, + "network.protocol": "ssh", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "source.port": 6651, + "source.user.name": "admin", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611101", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611101, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611101: User 
authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "event.outcome": "succeeded", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8971, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713049", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713049, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 9077, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113019", + 
"destination.address": "91.240.17.178", + "destination.as.number": 201126, + "destination.as.organization.name": "CDW Ltd", + "destination.bytes": 1216163, + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5888, + "destination.geo.location.lon": -0.0247, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.240.17.178", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113019, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "event.severity": 4, + "event.start": "2020-04-27T04:03:03.000Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9288, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.bytes": 297103, + "source.user.name": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.assigned_ip": "8.8.4.4", + "cisco.asa.message_id": "722051", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 722051, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "event.severity": 4, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9527, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "716002", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 716002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 9683, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "710003", + "destination.address": 
"195.74.114.34", + "destination.as.number": 8468, + "destination.as.organization.name": "Entanet", + "destination.geo.city_name": "Stoke Newington", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5638, + "destination.geo.location.lon": -0.0765, + "destination.geo.region_iso_code": "GB-HCK", + "destination.geo.region_name": "Hackney", + "destination.ip": "195.74.114.34", + "destination.port": 23, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 9810, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "104.46.88.19", + "195.74.114.34" + ], + "service.type": "cisco", + "source.address": "104.46.88.19", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "IE", + "source.geo.location.lat": 53.3338, + "source.geo.location.lon": -6.2488, + "source.geo.region_iso_code": "IE-L", + "source.geo.region_name": "Leinster", + "source.ip": "104.46.88.19", + "source.port": 6370, + "tags": [ + "cisco-asa", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 75f12d9b6b1..90ec4ed3a8f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -34,6 +34,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -77,6 +83,12 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -119,6 +131,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -164,6 +181,12 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -202,6 +225,10 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -242,6 +269,11 @@ "log.offset": 853, "network.iana_number": 58, "network.transport": "ipv6-icmp", + "observer.egress.interface.name": "ISP1", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "fe80::1ff:fe23:4567:890a" ], @@ -287,6 +319,11 @@ "log.offset": 989, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.255.0.206", "10.12.31.51" @@ -330,6 +367,11 @@ "log.offset": 1171, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "127.2.3.4", "127.3.4.5" @@ -373,6 +415,11 @@ "log.offset": 1334, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "127.2.3.4", "127.3.4.5" @@ -417,6 +464,11 @@ "log.offset": 1514, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.20", "10.223.223.40" 
@@ -470,6 +522,11 @@ "log.offset": 1723, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.3", "1.2.33.40" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 09cce4899fc..18ea450c55f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -22,9 +27,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-asa", "forwarded" 
@@ -32,7 +52,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11757", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1772, + "cisco.asa.mapped_source_ip": "100.66.205.104", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -53,9 +83,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -97,6 +143,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
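Review bot: In the 302013 record the newly added fields contradict each other: `"cisco.asa.source_interface": "outside"` with `"source.ip": "100.66.205.104"`/`"source.port": 80`, yet `"observer.ingress.interface.name": "inside"` and `"network.direction": "outbound"`; the 305011 record in the preceding hunk shows the same pattern (ingress = `cisco.asa.destination_interface`, egress = `cisco.asa.source_interface`), which suggests the pipeline wires observer.ingress/egress from the wrong side rather than a one-off fixture typo. If that reading is right, the fixtures should be regenerated after fixing the mapping in asa-ftd-pipeline.yml so that, for example, the 302013 record carries `"observer.ingress.interface.name": "outside"` and `"observer.egress.interface.name": "inside"` (or the `source.*`/`cisco.asa.source_interface` side is corrected instead). Note also that for an ASA "Built outbound" message the `for outside:…/80` endpoint is usually the responder and `to inside:…/1772` the initiator, so `source.*` here appears to describe the server; detection rules that key on `source.ip` for outbound connections would then alert on the external web server instead of the internal client. Worth confirming against the Cisco 302013 syntax before accepting these expectations, since the rest of the fixtures inherit whatever the pipeline emits.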
@@ -148,6 +200,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -199,6 +257,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -250,6 +314,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -301,6 +371,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -352,6 +428,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -403,6 +485,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -454,6 +542,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -505,6 +599,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -556,6 +656,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -607,6 +713,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -658,6 +770,12 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -709,6 +827,12 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -760,6 +884,12 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -811,6 +941,12 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -862,6 +998,12 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -913,6 +1055,12 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -930,7 +1078,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" @@ -951,9 +1104,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -961,7 +1129,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11758", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.80.32", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -982,9 +1160,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1026,6 +1220,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1043,7 +1243,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11759", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.252.6", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1064,9 +1274,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1108,6 +1334,12 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1125,7 +1357,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1146,9 +1383,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-asa", "forwarded" @@ -1156,7 +1408,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11760", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1773, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" @@ -1177,9 +1439,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1187,7 +1465,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1208,9 +1491,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-asa", "forwarded" @@ -1218,7 +1516,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11761", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1774, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1239,9 +1547,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1249,7 +1573,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11762", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.238.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1270,9 +1604,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1280,7 +1630,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11763", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.93.51", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1301,9 +1661,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1345,6 +1721,12 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1396,6 +1778,12 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1413,7 +1801,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1434,9 +1827,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-asa", "forwarded" @@ -1444,7 +1852,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11764", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1775, + "cisco.asa.mapped_source_ip": "100.66.225.103", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1465,9 +1883,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" @@ -1475,7 +1909,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" @@ -1496,9 +1935,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" 
@@ -1506,7 +1960,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11772", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.240.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1527,9 +1991,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1537,7 +2017,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11773", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.44.45", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1558,9 +2048,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1602,6 +2108,12 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1653,6 +2165,12 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1670,7 +2188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1691,9 +2214,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-asa", "forwarded" @@ -1701,7 +2239,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11774", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1452, + "cisco.asa.mapped_source_ip": "100.66.179.219", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" @@ -1722,9 +2270,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1732,7 +2296,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11775", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.157.232", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1753,9 +2327,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1763,7 +2353,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11776", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.178.133", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1784,9 +2384,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1828,6 +2444,12 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1879,6 +2501,12 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1896,7 +2524,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1917,9 +2550,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-asa", "forwarded" @@ -1927,7 +2575,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11777", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1453, + "cisco.asa.mapped_source_ip": "100.66.133.112", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" @@ -1948,9 +2606,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1992,6 +2666,12 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2009,7 +2689,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11779", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.204.197", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2030,9 +2720,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -2074,6 +2780,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2125,6 +2837,12 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2142,7 +2860,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,9 +2886,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" 
@@ -2173,7 +2911,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11780", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1454, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2194,9 +2942,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2204,7 +2968,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2225,9 +2994,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" @@ -2235,7 +3019,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11781", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1455, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" @@ -2256,9 +3050,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2266,7 +3076,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2287,9 +3102,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" @@ -2297,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11782", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1456, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2318,9 +3158,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2328,7 +3184,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11783", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.100.4", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2349,9 +3215,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -2393,6 +3275,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2410,7 +3298,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3324,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" @@ -2441,7 +3349,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11784", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1457, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2462,9 +3380,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2472,7 +3406,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2493,9 +3432,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" 
@@ -2503,7 +3457,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11785", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1458, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" @@ -2524,9 +3488,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2534,7 +3514,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11786", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.1.107", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2555,9 +3545,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2599,6 +3605,12 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2616,7 +3628,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2637,9 +3654,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" @@ -2647,7 +3679,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11787", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1459, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" @@ -2668,9 +3710,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2712,6 +3770,12 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2729,7 +3793,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" @@ -2750,9 +3819,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -2760,7 +3844,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11788", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1460, + "cisco.asa.mapped_source_ip": "100.66.192.44", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2781,9 +3875,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2812,6 +3922,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2822,7 +3936,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2843,9 +3962,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-asa", "forwarded" 
@@ -2853,7 +3987,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11797", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1385, + "cisco.asa.mapped_source_ip": "100.66.19.254", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" @@ -2874,9 +4018,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2905,6 +4065,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2936,6 +4100,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", 
@@ -2967,6 +4135,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2998,6 +4170,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3029,6 +4205,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3060,6 +4240,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3104,6 +4288,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3155,6 +4345,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3172,7 +4368,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" @@ -3193,9 +4394,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-asa", "forwarded" @@ -3203,7 +4419,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11798", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1386, + "cisco.asa.mapped_source_ip": "100.66.115.46", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3224,9 +4450,25 @@
 "log.file.path": "asa.log",
 "log.level": "informational",
 "log.offset": 14660,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.115.46",
+ "172.31.156.80"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.115.46",
+ "source.ip": "100.66.115.46",
+ "source.port": 80,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -3265,6 +4507,12 @@
 "log.offset": 14855,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3313,6 +4561,12 @@
 "log.offset": 15020,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3361,6 +4615,12 @@
 "log.offset": 15185,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3409,6 +4669,12 @@
 "log.offset": 15350,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3457,6 +4723,12 @@
 "log.offset": 15515,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3505,6 +4777,12 @@
 "log.offset": 15680,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3553,6 +4831,12 @@
 "log.offset": 15845,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3601,6 +4885,12 @@
 "log.offset": 16010,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3649,6 +4939,12 @@
 "log.offset": 16175,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3697,6 +4993,12 @@
 "log.offset": 16340,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3745,6 +5047,12 @@
 "log.offset": 16505,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3793,6 +5101,12 @@
 "log.offset": 16670,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3841,6 +5155,12 @@
 "log.offset": 16835,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -3858,7 +5178,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8279,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -3879,9 +5204,24 @@
 "log.file.path": "asa.log",
 "log.level": "informational",
 "log.offset": 17000,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1275,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -3889,7 +5229,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.asa.connection_id": "11799",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.mapped_destination_ip": "172.31.98.44",
+ "cisco.asa.mapped_destination_port": 1275,
+ "cisco.asa.mapped_source_ip": "100.66.205.99",
+ "cisco.asa.mapped_source_port": 80,
 "cisco.asa.message_id": "302013",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1275,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -3910,9 +5260,25 @@
 "log.file.path": "asa.log",
 "log.level": "informational",
 "log.offset": 17150,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.205.99",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.205.99",
+ "source.ip": "100.66.205.99",
+ "source.port": 80,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -3920,7 +5286,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 1190,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -3941,9 +5312,24 @@
 "log.file.path": "asa.log",
 "log.level": "informational",
 "log.offset": 17343,
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 56132,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -3951,7 +5337,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.asa.connection_id": "11800",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.mapped_destination_ip": "172.31.98.44",
+ "cisco.asa.mapped_destination_port": 56132,
+ "cisco.asa.mapped_source_ip": "100.66.14.30",
+ "cisco.asa.mapped_source_port": 53,
 "cisco.asa.message_id": "302015",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -3972,9 +5368,25 @@
 "log.file.path": "asa.log",
 "log.level": "informational",
 "log.offset": 17494,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.14.30",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.14.30",
+ "source.ip": "100.66.14.30",
+ "source.port": 53,
 "tags": [
 "cisco-asa",
 "forwarded"
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
index cff051f89ae..bb691462f78 100644
--- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -24,6 +24,9 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 0,
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "1.2.3.4"
 ],
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
index 0cdbce9fc70..e0c78694ae9 100644
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json
@@ -20,6 +20,10 @@
 "input.type": "log",
 "log.level": "debug",
 "log.offset": 0,
+ "observer.hostname": "beats",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "asa",
 "process.pid": 1234,
 "service.type": "cisco",
@@ -58,6 +62,11 @@
 "network.direction": "inbound",
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "eth0",
+ "observer.hostname": "beats",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "asa",
 "process.pid": 1234,
 "related.ip": [
diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
index 5af2ac66dca..7d010afe62c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json
@@ -27,6 +27,10 @@
 "log.offset": 0,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "observer.hostname": "localhost",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "service.type": "cisco",
 "source.domain": "Prod-host.name.addr",
 "source.nat.ip": "10.0.55.66",
@@ -65,6 +69,10 @@
 "log.offset": 169,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "observer.hostname": "MYHOSTNAME",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.134",
 "192.0.2.15"
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
index 8747c17b868..74097780ab2 100644
--- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json
@@ -31,6 +31,11 @@
 "log.offset": 0,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "LB-DMZ",
+ "observer.ingress.interface.name": "OUTSIDE",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "203.0.113.42"
 ],
@@ -73,6 +78,10 @@
 "log.offset": 201,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "observer.hostname": "localhost",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.168.132.46",
 "172.24.177.29"
@@ -100,7 +109,6 @@
 "destination.address": "172.24.177.3",
 "destination.domain": "example.org",
 "destination.ip": "172.24.177.3",
- "destination.nat.port": "80",
 "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": [
@@ -126,6 +134,12 @@
 "log.offset": 360,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "eth0",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "wan",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.10.10.1",
 "172.24.177.3"
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index ce31629c9fc..d27f89ab5b9 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -31,6 +31,11 @@
 "log.offset": 0,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "dmz",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.1.2.30",
 "192.0.0.8"
@@ -76,6 +81,11 @@
 "log.offset": 139,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "dmz",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.1.2.30",
 "192.0.0.8"
@@ -122,6 +132,11 @@
 "log.offset": 294,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.1.2.16",
 "192.0.0.89"
@@ -168,6 +183,12 @@
 "log.offset": 465,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "INT-FW01",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "172.29.2.101",
 "192.0.2.10"
@@ -214,6 +235,12 @@
 "log.offset": 632,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "INT-FW01",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "172.29.2.3",
 "192.0.2.57"
@@ -229,7 +256,12 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "192.0.2.130",
+ "destination.ip": "192.0.2.130",
+ "destination.port": 12834,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -249,7 +281,21 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 812,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "10.123.3.42",
+ "192.0.2.130"
+ ],
 "service.type": "cisco",
+ "source.address": "10.123.3.42",
+ "source.ip": "10.123.3.42",
+ "source.port": 4952,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -257,7 +303,18 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.connection_id": "89743274",
+ "cisco.asa.destination_interface": "outside",
+ "cisco.asa.mapped_destination_ip": "10.123.3.42",
+ "cisco.asa.mapped_destination_port": 12834,
+ "cisco.asa.mapped_source_ip": "192.0.2.43",
+ "cisco.asa.mapped_source_port": 443,
 "cisco.asa.message_id": "302013",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "10.123.3.42",
+ "destination.ip": "10.123.3.42",
+ "destination.nat.port": "12834",
+ "destination.port": 4952,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -277,7 +334,22 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 938,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.0.2.43",
+ "10.123.3.42"
+ ],
 "service.type": "cisco",
+ "source.address": "192.0.2.43",
+ "source.ip": "192.0.2.43",
+ "source.port": 443,
 "tags": [
 "cisco-asa",
 "forwarded"
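Review bot: In the 302013 event of hunk `@@ -257,7 +303,18 @@`, `destination.nat.port` is pinned as the string `"12834"` while `destination.port`, `source.port` and `cisco.asa.mapped_destination_port` in the same event are JSON integers; the later 302015/302013 events of this file carry the same string form (`"25882"`, `"45392"`, `"10879"`). ECS declares `destination.nat.port` as `long`, so a string here indicates the pipeline's NAT mapping sets the field without an integer conversion, and these fixtures lock that type mismatch in. I would expect `"destination.nat.port": 12834,` here and a convert step on the pipeline side; `source.nat.port` should get the same check, though it does not appear in any of these fixtures (presumably it is only set when it differs from `source.port`).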
@@ -285,7 +357,12 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "192.0.2.130",
+ "destination.ip": "192.0.2.130",
+ "destination.port": 25882,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -305,7 +382,21 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 1110,
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "10.123.1.35",
+ "192.0.2.130"
+ ],
 "service.type": "cisco",
+ "source.address": "10.123.1.35",
+ "source.ip": "10.123.1.35",
+ "source.port": 52925,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -313,7 +404,18 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.connection_id": "89743275",
+ "cisco.asa.destination_interface": "outside",
+ "cisco.asa.mapped_destination_ip": "10.123.1.35",
+ "cisco.asa.mapped_destination_port": 25882,
+ "cisco.asa.mapped_source_ip": "192.0.2.43",
+ "cisco.asa.mapped_source_port": 53,
 "cisco.asa.message_id": "302015",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "10.123.1.35",
+ "destination.ip": "10.123.1.35",
+ "destination.nat.port": "25882",
+ "destination.port": 52925,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -333,7 +435,23 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 1237,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.0.2.222",
+ "10.123.1.35"
+ ],
 "service.type": "cisco",
+ "source.address": "192.0.2.222",
+ "source.ip": "192.0.2.222",
+ "source.nat.ip": "192.0.2.43",
+ "source.port": 53,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -341,7 +459,12 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "192.0.2.130",
+ "destination.ip": "192.0.2.130",
+ "destination.port": 45392,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -361,7 +484,21 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 1405,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "10.123.3.42",
+ "192.0.2.130"
+ ],
 "service.type": "cisco",
+ "source.address": "10.123.3.42",
+ "source.ip": "10.123.3.42",
+ "source.port": 4953,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -369,7 +506,19 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.connection_id": "89743276",
+ "cisco.asa.destination_interface": "outside",
+ "cisco.asa.mapped_destination_ip": "10.123.3.130",
+ "cisco.asa.mapped_destination_port": 45392,
+ "cisco.asa.mapped_source_ip": "192.0.2.1",
+ "cisco.asa.mapped_source_port": 80,
 "cisco.asa.message_id": "302013",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "10.123.3.42",
+ "destination.ip": "10.123.3.42",
+ "destination.nat.ip": "10.123.3.130",
+ "destination.nat.port": "45392",
+ "destination.port": 4953,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -389,7 +538,22 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 1531,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.0.2.1",
+ "10.123.3.42"
+ ],
 "service.type": "cisco",
+ "source.address": "192.0.2.1",
+ "source.ip": "192.0.2.1",
+ "source.port": 80,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -430,6 +594,11 @@
 "network.bytes": 140,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "10.123.1.35"
@@ -480,6 +649,11 @@
 "network.bytes": 9999999,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "10.123.1.35"
@@ -522,6 +696,10 @@
 "log.offset": 2012,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "observer.hostname": "FJSG2NRFW01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.168.132.46",
 "172.24.177.29"
@@ -536,7 +714,12 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
+ "cisco.asa.source_interface": "inside",
+ "destination.address": "192.0.0.130",
+ "destination.ip": "192.0.0.130",
+ "destination.port": 10879,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -556,7 +739,21 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 2167,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.168.3.42",
+ "192.0.0.130"
+ ],
 "service.type": "cisco",
+ "source.address": "192.168.3.42",
+ "source.ip": "192.168.3.42",
+ "source.port": 4954,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -564,7 +761,19 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.asa.connection_id": "89743277",
+ "cisco.asa.destination_interface": "inside",
+ "cisco.asa.mapped_destination_ip": "10.0.0.130",
+ "cisco.asa.mapped_destination_port": 10879,
+ "cisco.asa.mapped_source_ip": "192.0.0.17",
+ "cisco.asa.mapped_source_port": 80,
 "cisco.asa.message_id": "302013",
+ "cisco.asa.source_interface": "outside",
+ "destination.address": "192.168.3.42",
+ "destination.ip": "192.168.3.42",
+ "destination.nat.ip": "10.0.0.130",
+ "destination.nat.port": "10879",
+ "destination.port": 4954,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -584,7 +793,22 @@
 "log.file.path": "sample.log",
 "log.level": "informational",
 "log.offset": 2293,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.0.0.17",
+ "192.168.3.42"
+ ],
 "service.type": "cisco",
+ "source.address": "192.0.0.17",
+ "source.ip": "192.0.0.17",
+ "source.port": 80,
 "tags": [
 "cisco-asa",
 "forwarded"
@@ -621,6 +845,9 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.0.66",
 "10.1.2.60"
@@ -666,6 +893,11 @@
 "log.offset": 2567,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -711,6 +943,11 @@
 "log.offset": 2726,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -756,6 +993,11 @@
 "log.offset": 2887,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -801,6 +1043,11 @@
 "log.offset": 3048,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -846,6 +1093,11 @@
 "log.offset": 3209,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -891,6 +1143,11 @@
 "log.offset": 3370,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -936,6 +1193,11 @@
 "log.offset": 3531,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -981,6 +1243,11 @@
 "log.offset": 3692,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1026,6 +1293,11 @@
 "log.offset": 3851,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "dmz",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.13",
 "192.168.33.31"
@@ -1071,6 +1343,11 @@
 "log.offset": 4008,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1115,6 +1392,10 @@
 "network.direction": "inbound",
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.66",
 "10.1.2.42"
@@ -1159,6 +1440,9 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.66",
 "10.1.5.60"
@@ -1204,6 +1488,11 @@
 "log.offset": 4387,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1249,6 +1538,11 @@
 "log.offset": 4546,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -1294,6 +1588,11 @@
 "log.offset": 4707,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1339,6 +1638,11 @@
 "log.offset": 4866,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1384,6 +1688,11 @@
 "log.offset": 5022,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1429,6 +1738,11 @@
 "log.offset": 5178,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.126",
 "10.0.0.132"
@@ -1474,6 +1788,11 @@
 "log.offset": 5325,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.126",
 "10.0.0.132"
@@ -1519,6 +1838,11 @@
 "log.offset": 5472,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.46",
 "192.0.0.88"
@@ -1564,6 +1888,11 @@
 "log.offset": 5635,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.0.16",
 "192.0.0.89"
@@ -1610,6 +1939,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" @@ -1625,7 +1959,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.asa.connection_id": "447235", + "cisco.asa.destination_interface": "identity", + "cisco.asa.mapped_destination_ip": "10.0.13.13", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "192.168.77.12", + "cisco.asa.mapped_source_port": 11180, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1645,37 +1989,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5967, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.asa.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 6142, - "process.name": "", "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-asa", "forwarded" @@ -1713,6 +2043,11 @@ "log.offset": 6322, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", 
@@ -1759,6 +2094,11 @@ "log.offset": 6472, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1775,7 +2115,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1795,8 +2145,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6622, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -1804,7 +2168,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1824,8 +2198,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6792, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -1866,6 +2254,11 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1915,6 +2308,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
@@ -1964,6 +2362,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1994,20 +2397,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2038,20 +2443,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
@@ -2098,6 +2505,11 @@ "log.offset": 7743, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.34", @@ -2114,7 +2526,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2134,8 +2556,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7894, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -2143,7 +2580,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,8 +2610,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 8068, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -2205,6 +2667,11 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2254,6 +2721,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2295,6 +2767,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8549, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2335,6 +2812,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8670, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2375,6 +2857,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8791, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2415,6 +2902,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8912, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2455,6 +2947,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9033, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2495,6 +2992,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9154, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2535,6 +3037,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9275, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2575,6 +3082,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9397, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2620,6 +3132,12 @@ "log.offset": 9519, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2663,6 +3181,11 @@ "log.offset": 9673, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2704,6 +3227,10 @@ "log.offset": 9783, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2753,6 +3280,11 @@ "log.offset": 9919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2806,6 +3338,11 @@ "log.offset": 10170, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2814,7 +3351,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2859,6 +3395,11 @@ "log.offset": 10469, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2867,7 +3408,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2900,6 +3440,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10766, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2939,6 +3482,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10843, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" @@ -2979,6 +3525,10 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10935, + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 695aec368e4..79f0ee61a35 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
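Review bot: Removing `"source.nat.port": "33340"` in the `-2814` hunk (and again in the `-2867` hunk for the event at offset 10469) leaves `source.nat.ip` without its translated port, which is the pair an analyst needs to correlate the inside and outside 5-tuples of a NAT'd flow. If the intent was only to stop emitting the port as a string, the expected line should become `"source.nat.port": 33340`, matching the integer typing the commit uses for `cisco.asa.mapped_source_port` elsewhere in this file. If the pipeline genuinely no longer emits the field, that is a user-visible field removal and, as far as I can see from this file alone, should be called out explicitly rather than appear only as a dropped line in the fixture.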
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsvW1zIzeSIPx9fgUeRzznbofMttsve+Ob3QutpB7rpl+0re723sVEVICoJAmrCqgGUKToX3+BBKpYrEKREgVQ6j3Phwm3SCYSiUQi3/NbcgPrXwjjmsm/EGK4KeAXcub/mYNmileGS/EL+be/EELIG5nXBZCZVGRBRV5wMXdfJwLMSqobksOSMyCFnOvJXwiZcShy/ctf8Nf2f98SQUvwa06opu0nhJh1Bb+QuZJ11flrAI3mf68QOqLjsDi9PiWvuIIVLYpJ56sNGpu/NHiUoDWdQ8bzLcgOlRtYr6Ta/mQHOoR8WEAHEw+b8ByE4TMOaoNTABVdz2b89o5owC0tK3taGrTmUtwdx3f4d1r49QidGVDk/7cI3xVRWSsGGRcG1IwyiEG5a4RJWph4qGYBZFbIFZGKwBKE2YlWDtpwQS38uLidbwA/CEFVF5DZ/4yB1FtaApEzROGUMdCanElhlCzIa64NLkbMghpSUsMWkBOz4PoOWPrTrTWoFLhauA4vrvEPbj1Pzjth2D3oo6HZWfQ+uJa0qiDPmitTBfDs/XGvgDGKCl1QA3lDu8srQvNcgdb3wGUhtbkz1Wa0LkyGYvQXMqOFhofibJe/B7aVVCFsCynmD8XEgr4LJlvyJfJBdrnrfqfZxeqxjrSL/V3PtYt3isPt4rT3hM1CATVZAUso4ugBFh5BeCgtSlqsqALygkylEWAsprMZZxPyTqDMWYJaf1vI1Qmx/9cDV8ocFDVwQhZ8vrCPDX7d/uMu22LUwFyqdYydnXlY7fM3vrNX9lFs1JQlV7U+8d/p788o+TsVJwQM27kfJoUA5i5gFH3to+Cf666Chtui+KbvxISzssrsogEs9KLPzjtxuDx7c4W/3L8gk3msBS2ou9J6ZJ9pxMqnq7edtcnW2iFdgFaZAiZVru+HyAM0fKo1nwvIyfnpFekvvm3gzEwe1cCxxk0lV6AaEXMOMxAanojV8+rD+Zdl9ViE/7R6/rR6/rR6vmirh3zUQC7Orv1HE0HNhFd/GkMHGkMhcj5hK6lFt/P5PVjgTwtqP07bbNGn85/21Z/21Z/21daCe+0rDaxW3ISYRk5/Bza+YG+593TlNX0k7rWHSy7sK73bhfSF23gpUbyHjceljmrjXb67buNnzf/GTTmKWnBW8Hs8XHfUBu0T63RsC30nJ80o40WYm3facdcXZ/c7l2YhYiRZLThbOCHpbU4FM1CaPJttROMJuX775uqEXP/v6xNChVV0emBnUpnF8wk53QBnVJApEEoWVOUofl1c84RQUilpJJPFCUFRVrqQqJz1Za5V8tfaQEm0nBkLZEIuDclBSANbRoCX9IzWuqW9+2n/nXLbnAwY0UdfJ62dNulZB3IJaqW4sY+WqmHAr8ND2nOFdhxUl4WasPDGgFwtQAF+5h8ysqCaTAEEkVMNagn5cH9qK068bzPDy7dzK+N3C7EWdFtlGV99bP3QEh1tTs97x7xrhV23qncqH6ytdgNra8vV2prCkjBamdrTX9FVe3HQ5mOyBG03Le3nPdCEvJZzcg72YVPhjThYvI/Uodtp4KK5abVdFhmwRzgx9T3J3Y1nUhj7LNv7wYU2VJgGDR3E0fDyEARzavofDLHzNr5dglDjxSltfGtkwY0mlLwF8xs3wj4D/vQnA9ZoN6sXsi5yImAJykrQhu8qqjSQN2CoRY2SmZJlZ6lnr+Vcv7ii7AaMfj4Af84VMFOsT5z/gVu03oMTFo7DRQfNSZCQQ9vjbpQcmFA9Sp5DpYChwWQxyWHGrdogRYFoGTotrBJfhbEq9byvasflQH/Gb/w9vzz/nixpUfsb3
yrm7ltwS5mxuoc7LzU4CNwdR6XNcQt+zx5HRZXhrC6owt/7g52McsYA9EGcEuKMAeRxThk9kuVxz+Tln2ey+0zsqmkO5GHXV05/z3Aj/WN5Mtgt6SFCLzlqCpzu+xRxs2RLdf8fhpk21EAJwjxF5Gidc5Oxgvbu8BNBD4TpeeieCGKLgdfpiSDGxWGIpdWYGsnxdDktB3qI9EhLthm4iEEsG2pErwnZmZ0vNm4Bi81ADxkoCQ+zInp6yAD6HitinIqDwOtRqCg6XpUg+Ry5BtuMRD4SoOC9yceOoVbXg5hDs3//p/W2UXsmBbOPAzXyqVu2I+JmydOKwy51z+wyfMYZ7d7n13Lu4g1NRkstclDoLAUvqAZbn/FbyIkGY4Fs/Xh7DT1usDSHMID9YIOlPYQB6HsdytATGN+/dBhjDvZ1D5rcjwaDkHoSvvxVatMVkUWfIzWInIt586EOsU3Hh/Tl0JcfwmCDH40S9vJq+WOTaTF63fvEHezeyC+VuMufU5P35/93yTuIOieRDX254BxpXW9ZTiiZ8yWI1kn25SoClkSH+S/SWiD5U1T+voyIxqhDQ1brTMHnBGfdDR7iAeO+p2uk8oVbmlzhRTrx3mxDyYd1BYTRoQSZAgFuFqDIx0thvv+ZSEVeFZKaH16SKdXIRU2AbMbntULVb8++D1F3v+B9Yxg0nfEZwb8QTIQ7inXcrPzFOxikWlGVJ1PqOhKts+0uJS+vPm3pe5QoKGj/SEmT2+IeUY82ptuD41TtiGf/LRWfc6y9cL/Z1lb20CGV/rUjMeLy6tPPARKEc3JIBBK0GA2pHOP12TDqUHE89PVZAM1BHSV2/SsuRS7PHxIldfh2g6UI5rBY6ZN2shUsS+5no42idblRtPCiWNPlTBYFMCPVlyiALfUeIefG8hzXhDnSQW4x3VJUX8u+2kJ2EPoJWnwlmz4VVbWUGpPdSinIdD04NEIUfK5BYxGU5mVVrP052S9joi5QtiCa50CefUfMQtXk5U8/PScrqokGEO0qOyjxJJTXO1BCV1JoSEcK9sVwBZO1aAvjRF1OndCzV1kHIZBndCqX0CEGF8HMyka8aaOAlqP3h30xbPPIpIKc1309LQahvgppjq1jgc8IN/+sX373/V+1E+kvKhSgDdL/HOzmn9YefE3XoMhLciEYrXRduMiKNSnvJddD0B8Y/AjkVoZW+eEl+Ve73RPyww/kXwmTyurLuAu/6An5b4X5H/aLXJNtonwVPEIh80DR8BOxdcUKMkaLYkrZTVoN2CHXFAxQ4+wKS0QQeSW5MGiaGAgnOCNzZKCUTJSfttEHdQWM0wIxRky1kcpq1mLttA77wZIWPHeMEUKKkJmsRW5fmAIQeS7mXjnam7y4fSMGkGPEAv112BE2GjmFdSFp/lTeOY8O0fwPICUYxVnA6vCmcPfLaAu7574RwvbZp2aj0cpZc2wT8qtc2aMZ2pxcEKmsMWYkuQGo9hDtSbx4XwjRlMRisCXPszxV1PWikTxzEFg1q7GsqnZ2tLcLl1yZmhbWaN/yvYuAi4OX3JrdGCtHYrhd+Kt+eU6UldYaHSpINKrmYNqv7aWEVomSnh6dEk3N/i5KqCShoKHgvzxvfK/voZQGyLXnd6YAH9rpekxQEuw24gIxX0Dgxa+U6argKTMbnrQ5r/lA7X8SupmVuQn5HW+dfQOaMk3PdY3V4p+Q/xoRRideZrx4hBi9XdUaR1dnp1de9/VFubyspOprvASfyC8uDaJ+Gu4P36YBDXE03UOu1G1Tvt78ZGOwOz0HLfMJefnTz2SFdC+BCkKLIuwrQKc+qkkb/xFZgQIHFtt8UG2IFL1ykW0iPrqa+GUTMXBXU4RtPe1+kypHwmFWE7CFkIWcr/uBuBlXAy2WkJ8IW1BFmXFEtJd6jfij01yQWvicnmLLZz5aURu7oNsF6lMGEXbELtGiKK2SKUUTRlB0NSrTULL21ErKUGN1MQrhfQ6SsVo1ELWhIqcqJ
0Kqkhb8j1B+r1RlkD65z3I4mESyng6epHsRaYN1i8yLgs8Adxww8DUwKfIRBXtz3Jk2Kf0sOzbEBZNlVYAJMsCoE5WiAm8U74nBTr2ZMo/EyNd27SA7j7HyNmeOsl8phVlEOqZNfWqsnJdNllP+SIS/EHkKsluQf0iRutvCDrFoV29UTJde+6FP4YGISnajT4mBW+MvH1mC0p1yinxXHljgfB/KbGugsba5KdNjUuWQp3sHfZKNf6Z0u2KjYzSZNu0Xu/H14WulZDlBqDUW5WsGgiounVpf1oXh3xoOitCqKprql00vm5IKOg+V5hJSYHhnq61P01CKcPO1JnIlXGTM0LLqewY9xth/U8lh8hE3mrAFt9aNzEFPyJtaGzSTukDtraRmJC+XGjjwkHYKsNnM4r2EY2hCeMjNgo522AoKBHMMQa1qnfMlz61mg/wQFmTXjSD70CNeeJO3FVdH2+HmPF0s6NZyIjfFuul7ZSTqaxYp15xxp2804qGPunBOrDRu5dlksGSbTibr2BKoHChyD4XY0j/2VUEN8nMN9dFYyXK346KNfFxRTRCJfIRvELnvYxM1olKwRdAEMm1emgSv77xMgWuVJUC1ylJoz1VMUbQN9GV0qAl0pc4r8jgmZM98DL4xg+fyXm/OoWJzn1w7JFiweSB63RBiO4IoGyjxMRRrXRepw04jVpSsDZMlvHA4tMYLZmUPGmASyxeOBFsG5AiDwBIG7XCPtrFmdV8E2Ins7HL5pC1eHPQOdK90W+lioWHcqQLGZ3xj+IS1W9/KfYSnvK6cPpspcACti5Hnm4KJxkWV+yBLEG9vNh/rED5tW+ldS1Aq8u7ap8Zy3SQE9P1qxPeF7Q1QIFtVkrqSmkcUHHfiLTSnRe46TGEqf3N3R7vw1IUZNsx+LFEk6hIUZ/eVRcG9HaGKbcfGupVs7c1wYsnd78HWliByqXzC7M6dyenvj9C9pgntBtqadxFLXws+ILeVoLsRc5I+Za+6r4YX0lf9ezHjvVwL2uYWC2kIxTERFslwAm0h51mTqPIoQr1hxHsL9WP0TNmSfX/HdCvsWo3iI6z4y4Kzderbs0MuXCECvrm2KNYjcjk4bCkxAd/XBSBiYXEqhYHb1Bpri9ClcP66TT9Umufa/h8+qrRoEAo1gNnzOLMFFXPIBKxSy4KxwCWsOqF+VEKMUXxaG+hIiGGOvnaoW229+/yFRYeu+hPEHm61sIIna1u5i2hoCPbzixwyXf0tYNxiBZglWNNwUG9yvtQS1IRcgzuUWoOa0DlgK2+f6T6TqsFhALsB4/R25oZuud93+lZIRaZKruxnzV+9runMrtF+0pf5FVUmtpuuBRzbo+LvlBxUhx7rTskib9XGVFdKVuADiqne4lNBaAHKtNlFarOo/5sLb3nx0WkCgElIAYU5J0KKbxVUgJbMruwHNBuO+eSwWil7YVp7BU8S9bgX3EXYmvDPYGcrbhZeWXaynpzjglOsNhFEim/n0v73jpcAlZQsoDgm3DftBANfIAIWSTkjVjoYDnpCrjcypT/YoFtZlQbjM1fOV2trxLiSUZdsk3vx6wlPCStqbRqG9P8YHBP+hGt7kr4m2vs3rOKLn46rQEfXftwNC1v0ri1TOqXs632Gl8XyHLEgVGvJOPpL7WkE7Uk8sNf8Bn4hlFSLteaMFiTn+uaEVApnouAosa/DijJV9JDay3s+9K7ORtESDChNKqqxi5fGRg6uFwGTZWmlmNwK2g9La7amopHh0+Teg8fS+DpnmOBhcuKbybKqh3cwwbFRsuIilyufT8ukYFCZkzaTYpQYg23O6qJYk881LZzzM5cl5cJLDdFZqJAjT1fX6xlLXdqxdasSvubiBnJfC9QkolON3ilvoNhPvmpRm/B818EVg64QSUVdd7KTc0v0EWjQe3f9WHi9q7znlVwP2/W0QWdQJe8PdkrtYvVrIraO/3dr2j9E1rRnvEh/x9stv8LV2musIK8ZkCZyBGF3m
wbFaZEFXtNkj8g1Ltmozf33sfMA2hdm1C8A7EYf1HIghsfYr24fugXVi/aGWrUwUGVYs4XL/G1qbNoyw7MGUq9FmN1Iu8xEK2Z/1f57WGlKrDwXhGPOXS1YAVTZP2EjvA1qvoBwMwTPFXbujz444VcP+zw96ReLyXLazNOVs60Hy5eNqnu8Xjjw9dievq42ggiMe/yOEyANXIkzt7rryTjuKXUWXHLXeEs+52W+PCdvnaR55hs3EDdtzxf9Wtyeh/Vq54B+DF9+x/18eY4k9SVvrZgYeg+2I3IuDdBtYeKYyMqCFddhI3Wp1yl72W9HdX2BtlMXdvqxR4YjJ750Z5tJuZfnezXZWP65PZqsReylyDca7YScufpM3++0cB/s1mYRQbX9je+/8u64aW3ayk1p2seoFgVoRxnpHpSVJEuqOJ0WgypA15SBC1IVdEQQaBA6aX+UrQPtqqpu5YmVVFbDaOoLuT3n6xeXV30dmviWsc6jMFaXfeBAwTvXQm4iLQ5JcikMueZzQVFYjLBoJVXK5rVfD+SXZdKrRneT2NUR/9Mi0h0+bbkslwHGefvuA+GCFXUOVpz5QbZuEP6zi2aA8ZVziDiwKL0nYb8IRuaOHttE59TmaQljxvWNVbkPwOsepXgdN+Zb/zS85/pmR8jVKD6fg0o3wi5Msk/dWIDHwY1oVqAXssgt9zhbfWTS6Fbo/QiehWHs3UvlZ++djvG8bcZxeR4uI7lzdJ7JssqOnHeFp+Jzr3CMq/Pv6Xr6rUVHCqxPnbnZ3HnNxqw0r5Y+UtZYF/NWWkqFnQesXG/wG5kS5weRP4oCOOyqP8PZ5+4hspsYaY38zApRSt5Q1vRTDiu3VgQd1Y6R4ttGQVW7pZCzNaMPtVZAdfTcYG2oqWMpzq0/ivLi0cwOu/hU3hKevxh/v+zLWh8DQ4vRx0HjY3cXLBbhq9u8Y4mn7w2Y/Hw4d++Q54wLWceKcXbqSPQ8+p2ykjSm02Hgkf0xMuDUnRm3WOK0KKzcI7pmDLSe1QW5sOsTJnPQliWaZr9hy4KLHG4jE6Dg2hymeT5QtuDCaIqpBokpKIxvllTxAjN4Ah48F38Xc0KRiN/a3wZ3JhLwoZy65kKPpBH71cmzNp+zAqUrX3TrJMyAZF5F2CTENx2eno8UGTo31/A9Tp1Q4pSvNsnL+6rct+2HlAtNcjCUFwEnw1TWpvO7ka3J4ui5mY3HlrZ5bIjH+ENqoKyKZNk8pySHGfUhIN/5sonh+2xNqxUvQRV0jYVcRvrHlTwL3Ej7AVrd/tcwa6rAna9eG25qbMxIghvb2AbDhk0Pva5Ro1gd/w6jsTFNIKuYLEt7n9Kw0ZmDTngn2bdScslz5z9rusiVoEcToXLJDg803t9b9ooXG62RdfPywqrBbYVJT48j65vV08r63+X0QL/Twdv7X3LqAzDh21XxdI1zzzGh2J389dUluRwoVF00knWt9dUluzGIWNjVVsPOoxrS9/GH+dzqsHLvREQ2lXnqiq9BxV1f6fC4EIvLiHq0iN8twYUMjlB53nEB+9Jhl0DbxkP4nOdtKGfEiVfGthoHZeARXv54Sl6776pO+Uw1072vPrruOU0gCpM1boHVXS+CS/2aQqi8tenCtCtx4wiOkKBXPN92iLTVlXRJeUGHgQzSusIJ1lfOQKmRSQvuDh3i648Xd/PGSukbQLkA7GBLPt1A8/lkRCLyMpvWeb6O7p/hZRa1DqgDt9ZwWKPznV6q+BAVlxG7HPRK7DJdH6Mggetu9qrruUrrnJu2sm7TF81jFBpst6nYcKJkE17YvUmXJRabgsujWeVnny7IM18r8akurK485QUWcGAe2MVtJbX95nPy7dDRIPpRmBshV2LLENLAamxmsdyGPjJpk9EjuOD6aaFnTZX7W1+a9BrmlK3Jx1FzreBTRR+jKN8vvEViLkhJuZgpWsLOdIyKKpzam75PwpZyeYXLkrcyd8nRm7aAnayzAFJkj/aFqQKWE
KkspO2+cW9hRX6tBZqSb2QOBXnGxXLyzQnhkp2Qqf0/sP9HBS3WmuvJN+H4omFVNivoYHJ+bB1qW8M/uyK4KPq6UE6um+FXcrazUYORSTF1f516PJs2CBqUZeQgQssyrtztYfbpzW9UAfngEoC/+ebTm99O3198843LuV1SRfkoT66kuolZsrz3gv3WLNiNsI06waiIrUT4mp24XUra54Ay+1ysE5gwM6lAaM5iCpCOKykBxmV8L0ggPhALaLaifDic+MHeAex9HhuovT6xS9R1PU10Kcw010bFrnzHeu1kDrHuWxrtHW1qPtI5SQ8tdtkMBhuoNL7YZFP34utdLIgZH3U0NVtN5og9dKvBbkSBbfbLe8JC+eB+gvd3XFjkvf7/frjqRmV2k/8ehcXyjo/eI7ITyUdhjiaOuws/KY+QtLV1sh279JlpM9qbLDvsk/kc3W4Dzt0fmW5aVvNjxMOw6GtGeWFp3TRzufIy4/K8W9uGnbisOWhgHmhhMJ5V2ORcZ1ZFPGA/hyReY7q1rz46k2VZi74naoCdOKxx00Oxewu35u8Q1qlb3PRhmvVDcbumIv93GY6abXAz1PBDJMODsRsuvIWcrnXFGZfRskSPZcEj9iuqxDDo8NRR16KsMplKGF+/fXNF3jk/6iYpNYzI56OmElz/x2vyuQY10ru1LkSmoN+pM21yQ8chuibvm6KzYFpXq6WziA9pF6iMPUbAAq0Ochztg2oCwbEHw83jD2igBVVlgtOyYBO4F2gVsQC5BVrn0abSbsGM2+1qC3ROTV8rfCjcKQi2KKmKVVbSwl1XdDC++MHRJ8oG6VRRYGaL6LzAYBa3gKoFPJtjq6UEYOX09wRQKxp9EobrOBWdvTDonvHYD47v3FaCVT2jIy0yynAwSvzyEwtbi4jGewfwdF4tfxS3ZhH9fWciY0ZluY7ad70D3UI+LPJ0B8DLgkaXGCIDMeciYlHkEHSK3GiRzTK94oZFlx8imxVypWkZP3elC1uYZTroCaIuTGRcpBQnXFSgyuk6WsL7AHbFbtIAX9IiBa/wKquUNDKLH5JC6MsfM/Q4xoddJLubhZxneQpiW8Dx89+YyEp6mxkTy22wDdhydAEJHoWSi0RIc5EO6arQWTEtsthh0S3Y3yUEHr0zeAd27F6IXdixq3q7sH9KCPvnhLD/JSHs/54Q9l/TwDayKugUUoiUFnp880xkZV2g8j1dJ3gnG+DVTQK9pKwLPi+rNNq31TJpMY+dhOQh8xRKiYbPLL5vRGTaJSQmOEGtWBpr0gJOY03qta6rBLNImWjLqpOYqkYaa3rAbQIRYqSxhlkq2GjWJAFeC34rqJAaWAImXP5sqZLoUVj+LCuzAJoncKvJsspYkcCHbQEnCJIgXDVdm/huUQtZJ4Fc1VmCmAZT3HBGiwQFRDqjcxBsHTHrqgtb0GL9B+TTFHgvM2wDmgSyaweTBmuXWJsE+nReLX9O44PW2ZSbvyZpNMZ0FndWXA+wktFFtU5yzREqMBW/yk07H3+0WVsdwGAWzs8f3znigKPalwS46yYfr4NcB/aMF5DChtHZLMUh8lnM4uxtwCl0A53xCpMUsySijlfLH3NtqkEz/0iwtWJJYBd8BinMGI2O5hJyHq1gdBs2F2m4pJR5XYBmMgW1PXA+TyCbZKVX1ESd+d+BHsogjwJYwZxro2h8T8gGdgKNT0GVitQqGa01diJXieSry8x3LJ4AulFAywSKpCsFSoV2OuV6tZBcZ27CbHzoa6poEgbPRwphY0Beuvn2seFybaiIPuc412Zaq1jDAhuo4GYFpYBaR8c1vh7d1CTHBouTG2bxh10f2mlgF8w5zfPYd4DnscOqTeugBG8RLzOmpCyTdCWygBOYabzM0iRH+o5HKchc3URvz1Tp+C1LeaUrxSMDLajhpo6efVZwAfFa7Gyg6qgTdVq4WHwb361VSNf1NJsVMvpz3gJPkPJvbd7oUscCTSBxrA2dANXouQmFn
CdhXTFPcoErqWILsHJaz1Ncs5JrlkIslDoJw6aYAyHAYHOl6HCjy3DXADp2xp+DGjsdT6xWsS2QJBVl0g2Ajm6JyviakVR8ngXmcT0Y7kqAiv9mVZkbyhsdbNTJ1BuwbsRrEiZLULjpZ+LEFgYebGxpUGXOkRQdXaq1/TBji1h1/gPQcFvx6IGAClQ5V1SYQc/dGJBXSQDHf3pdJ7KPH3tTQCMAVnKeUV1FHBjQBa1obKgKaJFCv1PAkA6u62gi4PGJbCHHbeHagSxVngDj+I5MncA3rJ1vOEE+gIbYiQBu4HEC40TD5/gMEGrQGg1qAlNK83kCwaur2F42rViKe6BYHl2R1oqFuuJGAGzijdjqwqx19K6aSyZiF0oEp8U+FKhr0hl7+2Zu4rOVAxo/otfO9IwNd11F79Za59Mkeei1KhK8hbUGleU8dtV7krEVTWQoBRkM04aWsb3By4wLbegsgWaw5MqkUMOXlUjQuslIVYuYbtZQW7RAR9HT2kjyvhZksHSbPZJwWN4nWvCcnCnIuSFnVOW+m6HG9u9hdNzkrIRUGpsQimBwiD7B/gZMFiRUqtPmQ3CRjnIXZVXINQwGC+6l30zW0Zp635HHLA2dzwjnnSmYwy0pab/RwiYWK+Z1fxhIciQLrnE4Q7O6P3psoER0XVVSGTJsPErIakEN4YZUCmZjrPCAtNz7DKEIEd5bHS0KhAvf2X2kL3TBReqJ/B1U7WpdPDUxcg5mAWqy+b5eyHrwohEiYAmqHUdkJKmo0kDegKE4EdzdVdqS4NlrOdcvrlzZ63Ny7kd8nRCzCEwpwmbA78GPPka0BXkL5jduBOjwOQ+ZOgnxZjiyu71FuLjbrAaq2GLCBQ/ihzN3j9Bfuyc+cRYGJkO8KGgtcNbvvMY5rk0T93AD916/9h17St+Ou91T24Tbzy8eMfbtQWQRa5ru1nkVlyUf4NbgrRhzFxxjGvWIQNoMrnuLE6pFMTLxErvnJhwHjv1zNRii4HMN2uxo2n14tvL9e+U7lQHH8rhVncTue6TavNNtd8ounBxGGBvb+jt2aNe/BHcec/b//vmGdrHL80Yo4Nph3kCrIV4S7z1Z2D4uU6qBuHTtFhsyuFXtKflfPA6+oh0F32IulWtfHyQjIVQTDYDjzujueVWKCk3ZEcb7DjpMu6UFqr0bpmG1wglou5CuQJXcqRvHQnqzpBvMwZe8gDmQApZQEKo1nwt3cJt5/WHWx5bMjyi/cf0dnD59lEnPFrNa8M819Mck0vDl6+B7WMfEw6agNBoNz92FZFIIwNwKsuJmMSYoCAlUhrQau4KDyovubVpYcqI8aZ+oQs45owWxGIyYPojF42KHS42MaXw82lWLtQ6j10lnW8leVmvsB54WnOpsIZPbBM6Ia801nKWyGWpkpWJ3BE+4HwBxl8Zii2+aH8TCCqBqclpoaQ3xrft2jsFy8qv/xYScinX7rwF0g7a8FobQfMJkWdUGVFgMJ3Hj242lM8++6p8FzljcOhBu/lm//O77v1rb97xzHA3Fvgqi7fk0ixsxu6vjhq5BkX9pfXL6hUcDkQvf+tj1P+l5Xmxw3uL6nedxYPLyPtn2dX9gil1nQt6++3Bh9w4KnPME/aU510xBRQVbW63Sq2dFPxeEIIVOyIc3v5BLYX54eUIu355f/Ocv5OOlMD//SJ6tFmsigJsFKMIWUvtRaVIpYAa/9f3P//P/e/51kCJgFgllXJ8eKFMnJQ2P49GJue+e1/za8eJlg1T4iudPC+mubNqD+YEN4+78wIfw7SmmG+vkE1empgV5ffo2iOwfUkA6X9ZhnPF/pIBJmLYW3S9GhOJG9gtPPIKn+AbvOIc5NbCijzAiHbn7ipzmuUI/rePyEDrt08vK6tA450NjIZdnb67cqzQaHiupPmL0Y8up5DRV/3aTyyuLyoj3y9LwwEkQUWho1x6nYaOJZW661nEFRAddmufcfpkWm4BtZ5Z/+J07IgNYkxAvuPQ3/
HybBQaobHKtk+h1d33SKHnrMbySyrQieSB0cwyw4QFws94vefWRae/2w8W8eUyabb0ZI7yAkN14LC+uxw4tX6q1ZNyqnM5vNNBxiJXLioo5TFrTiUkx4/NaQU6ma4QJIsesobCcqQ5sPTAoGh3RloOLzhL0Oygi6v7dEq7oDgAFpTSQ+czu+HlG8UmbC53RzKXiJwBdGZUG+CwBS8wSVAsXKa5Dqv4nVQKi0jxrPHHp1PK+BW/3Memv1nUmPIIGe2EWoAQY8mFdwQn52Dxjr9EB9gO5ahxgg5fg3Zim1ozqOYIyMWIaN0h7v/gJoUURVCaqzRcxwY0qTMxbgrJvIBdGEm3wMeeCfLwcFSgME2STyavoItsClVWCsW8WsAIdO6PXgk1Q4uJexNip6OhvT4CtG62QFSDm0SdFIs5W+UiohY5ooE7loUUnACMIw3SCGaHklVQrqvLhnG5CTueY7KUItTf+FnPppmBWACKsekbumnjfGLc0tOiG6hwyBFvGY2bEYIdc+DxXTEsoubFiyY/YCG9xWVBxjDj+HRyUTYJIx0U52OC2y3ITSVlaC3aOBuz2yxM7UgkMuxAs4/WDu1vEnirDWV1QRbBfNGmQeHZx+8trOZezWXj6O7DMLCD58W4h+8Eu6G5jB+8Li7dF97Q2CxDGJ4uPoq3rmJ0T7pbQ45YcR/2jBjWKsKwNk8eltF9yHOHrmjHQegRn7Dx+WHO0wxJPEC9iVdy5VGsSKEwY4HYM4bSFI/RwtFIJA3y6ksK+K1ZuhZTD9odkoCht72oZrx/dyLtJietaijUDBYe83Y/3w/T0YS6I5qYOyE+CxQXgRbSHuqCa0FxW9nUxC+CKyJXYHJkjnKG3UshyJK8WZ3Jo7lrUH1eJsMo9F7mVP1LplgCUvOIFkFOP2GRAhrs4e0W7MXcnRxPG2/0/SrrCKAmufdZCXCqE9hggRMx69wcQwuXrXft6jdiUGE8IncqU1QOBzU9hQZdc1qhdMllWSpZ8JEMRjo3chaDTAovIZuRsN25cLFuxkxDJPoZbWicJIrCFYdThMgcgGFi/xS/16XZe2c19G2W7TZllLUy/nC22Rp9jGXjGDjHr76QF4Xs8BwGKs2ZLSBBM9OunFnCzwKc2NNuNeGQn7PuJNmo8+Nns6ZC2W4+2p5e79+TVC7dWwn0FTdPWCDe8BG3lutP2FFQwGkTypxCtKcTeg8DGgw88BnVH1jqkd/ejsdYPd9vT95mONuT0zlvzDuN9OxzsDXe8EQh3EAZf7u5e7t2dOurZuYsWZW9q/8lF66V6HAGyR463AuTLZccf9h9ZrNEGxzmyu8lHdVQJEvOO3UF+HJUdY+5twIytUo8laD0/dfTKndosshLMQj5ClIRueZKJQ8N/bfTAsZeSkkm9TjuiOu9l4f21FpEdfJnIE/Kfk5+++448e31+evWcnHNtuJjXXC8gx1L4IC6FnMvkfYF2RcIwW3bm8PDHjF8cyRhTMrFXcVf9pz3VEAbtjUGPfLShz/e5LgzT/tu6347jD3EKxUypCLVJ32SK0SJWd7reRt7TnNfarUCkIpqXvKDKiScrNu0dYviuh8ur8J5rnh+z00g3U/6jZYTGi9jri7m55OnqLE7FrruOYQ1fadjx/3onEX4y4AXvuIFOWUYedmVKlTIxYBCyQVJLNaeC/7Ejq1qkY4W7EvsASnd5aoTcM66CtaSJuv68ssvha+FafLneRVtZzb8CLcyCUQWkUpDLkgsaLLjriKcrajgIo/emxxf0mLt9TR91s671I1SJGNdena+t4KqoMtgMabPV3WL1iM2OvLC5i0SdQQ6KGsizaEllO/jDCp9XzYpt8OxKySXP2+Zh/nu0qgqvqQ4Ywzf/sc/atk4bVnA2m+T5kXbZLul7/Zn1yDaDw0Mxc3LJXfR80VfcR1rAtUpnzKHg99U84RZ1ps6POpXQ88BGnY6KGivVRBupnMS30EowFFf7Gr81sd/6Orz7kud5AceTc
m9wvbvKucDxduTeQXKuGY9xnO1e+dU6HYbEuonOnpCqoPbI7PssFQHB1Loa8/JjKuQR7Mk7ZNCp1rb8VWpD3lC24GLEpMtpIsnxVZ/WHwVm+lcKrPiw+pFrcqYn5HVOK/IJ/+H0o1wKV3f6z+HjSRZ0CVZzKoAq8rkGtSbYg1BXUmhoNKpwcardb4a/OY689D3wmIWseNMFUrjtu75843g2WzoCqhsGeu+bo94VU5zylNZh1ufxprX0VhMjaxv6h5dromohgnasPmlfHhd5dm2kRmrsPMTMW5jpD4KSFRe5XGmiK2B8xpn95CRUJ+jzZIcXxG7P4bvJuSHPsCMsCLZ5hjB0+bxDLVILfMdfw5yyNfmotxvfthHYsl9IGz271q5wBIN95LXvmlqICtaqIZPZF3FA8bYPQKD6f6vSFMt5huTb3nZ6hXqsO69TrwM7xh0GGc3/5oDNHievd2yrPsPXu94bWXeBWx/vAjrczXEcdm3AYPtsNgmZ7hgGJxRuSLG/+BnLBmKOBBytcMMt5zDjwvvqUThhV7+SViNNBxG7gwrFEuG2ccD01L/YgrH12abeu++lNNKbsvVhG0PZojxyC/zNqkhwMrCOuseRZMjLlIt4E8Si3g27ZSwqTPt4BoRUt2wHj8W10d6U9wemdg6wTvv27cG6oqrhKfvnk81WVgs+aKVO7O2wtqxLfr/T9kz0mSWurYVU63QH/jddUfFvezvGNIhsd1Fv1PPQ02TJ8rcXCH3P3h5NJRrsqum3vntXo1yQgTBKVoeIjlzW04Fz4U487te01jbsKUdAHF11x3Hv4ZksKyrW7X3Ea4fj9J29sgRln6GMi5kMKwVU36SuEdojP3pWZIPZCtJ2RZ99TpUj8KouijX5j5oWfMYhJ+dY9+ycg0FUVjDNmJQ3/JGC7r/BlLj1N/YzLca0+ejdZjfh8Ko2qHIfOMJ0/11/3y7hp+x4d7TzyU/Ih3Xltr7xHFjiuBMcPzwFsyxqM9ke2hYH54hQX+tQ29o+Msdw1bXK5TZ2zrNYSdV4+zHE/P71yJF3euVEZqeGFlXaOUQ7SGFX3uu5b9BUUibSRLaRsuvY8yAVNWHXJBMZ1TGj/R3AypfTR4ZcqyLiMXegRjyV1hjNahXLG9KBqUFldB7PptyAjv48bYOOmv64DdpzfQLBArcGBKpW8Y0TCz8aN7eK3kJBL1UmtkblljhGLeGWzP2Ay6J69cL/95lH4YX/D5/XFHL70wJUODvPb+cRo+duM93gOXpcO6PWBtvJ/UA0a1JxMQOlRuKuw30fZV9dxX8v6YPu2SMg2fQlnnWOIXClMKwtk16pwBJHY78LF7e3bPcBM4hV90//gGGC1vjAT14tQB3HH2F1dp/x9OwMRz8+J2e4fhg1UOZIzVJG6HwGyg//hK0szB3NeSFp6LhDyM6B20W/1p1O0TtPmv9xqFfy/q1RwqdNrvkfYW8Nv0kkUy7/cUEEzKXh7gCrBdUjE6A0O3Zboc5RusXHhwvao042AWqQ4NLjsaZxelN/E05I0Xx+jIqK7f5G7dTDD6ODlq004VrX0ZVOhIzJUum8dQ+LoSCGoFRSH+jgULrS88IuTq4xOL1LOh0lQ6LtDO6jyM+uMbVz92PUkZ6HIXl/6bkDx3ERqnWRLVO+6P2QqndkB5HJM8t6tI7eplGnAsxvwFvUiZobfLUZV9J9kFC2/kg0xuukIpfXp/94c0Wu7DtF3omR6SsbbBNVUh+C7YeVDGOLYogtgN3og5zIdxPCaXuQhYbOtf062xZhmAbqRxBupOAOLRcUHzSFfAQl1+HRdgUZNRoQZ0NNfbQJn10sl7TguWPEABJ9QXi0rta7BCFS7AbWui+2I3F+k0AaGfbCmEpnHGfQJgGNR5mCIIw+gdvE56KpfJGKm/WeG8VkWSbtE3dHvB0e3iEULsFfcQVF39KM7WJZFVRkWj/WwFu7spPhv/ndNjVaQWxdqXFWSX6MtOoQwg4DghggUmFrA
MnKFlSIQeOM1O2m/KqIyEjM9khtm9uHxc88/O316Vv/7r3oLd8+KEaqvu8/es82rm+ypSzqVAQ4beY4Cz/npp2M3YzzrQU3mjxzSOjn2K0DC3ubibo98ASRDu6mqBNJs9ce14+CG58uMNkuOliCwkyBWV0QJgWDylhD+dqd4Uh7hdUqpfR1hLcGezNC2yJaSWWItPT99d9PQym4QbLH5jup5sdPsOwXGGy5WKfUNTsJNor5+8W7q8sr8obellzk7Vjv8LHavR09DXNriOLItvw2Brvbta1WfQqXLEZPz3ZVjtnseAWbj12E32w5udqx5SzzUvny3Hfp9VjsxLA43qE8cq+AZsflf/m64bYwR+RDTTL27UZ/iTWhHym70Y+rRiu+DeqWrrj3hOg6kKJONfmbNkqK+b9NC8puCq4N5H974f920n7KxQxY+KMZV7CiRVCRodOi8xtCRU60JCNsqWDOtVFra9kfU1hU1Cx8s/4WB9LHYYAkOqWOhaYrhHb1WkyqThfyVp9sMQdh1Pov/zcAAP//rhmfyQ==" + return "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" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 94cd0b8b7bd..21dc57d3315 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -35,6 +35,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -79,6 +85,12 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -122,6 +134,11 @@
 "log.offset": 381,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "dmz",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -168,6 +185,12 @@
 "log.offset": 545,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "Inside",
+ "observer.hostname": "SNL-ASA-VPN-A01",
+ "observer.ingress.interface.name": "Outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
@@ -207,6 +230,10 @@
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 734,
+ "observer.hostname": "SNL-ASA-VPN-A01",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.123.123.123",
 "10.123.123.123"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index 37b0b3de1b6..b1b3a633ad1 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -1,7 +1,12 @@
 [
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8256,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -21,9 +26,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-ftd", "forwarded" @@ -31,7 +51,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11757", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1772, + "cisco.ftd.mapped_source_ip": "100.66.205.104", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -51,9 +81,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
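Review bot: In the `@@ -51,9 +81,25 @@` hunk the 302013 event is pinned with `"network.direction": "outbound"` while the preceding hunk gives it `"cisco.ftd.source_interface": "outside"` and this one `"source.ip": "100.66.205.104"`, `"source.port": 80` — an outbound connection whose source is the outside interface on a server port looks like the endpoints are swapped. In the ASA "Built outbound" message the first-listed endpoint is the remote side of the connection, so the pipeline (not in this chunk) appears to assign source/destination by position rather than by the inbound/outbound keyword; if that is the case these fixtures are locking in inverted source/destination for every outbound 302013/302015 event in this file section, which matters for any detection or NAT audit keyed on source.ip for egress traffic. Please confirm the assignment against the Cisco message reference before the expected files are regenerated, and if the swap is intended document it in the pipeline so consumers know `source.*` means the first-listed endpoint rather than the initiator. This file section continues past the end of this chunk.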
@@ -94,6 +140,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -144,6 +196,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -194,6 +252,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -244,6 +308,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -294,6 +364,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -344,6 +420,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -394,6 +476,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -444,6 +532,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -494,6 +588,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -544,6 +644,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -594,6 +700,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -644,6 +756,12 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -694,6 +812,12 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -744,6 +868,12 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -794,6 +924,12 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -844,6 +980,12 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -894,6 +1036,12 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -911,7 +1059,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" @@ -931,9 +1084,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" 
@@ -941,7 +1109,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11758", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.80.32", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -961,9 +1139,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1004,6 +1198,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1021,7 +1221,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11759", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.252.6", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1041,9 +1251,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1084,6 +1310,12 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1101,7 +1333,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" @@ -1121,9 +1358,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-ftd", "forwarded" @@ -1131,7 +1383,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11760", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1773, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1151,9 +1413,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1161,7 +1439,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1181,9 +1464,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-ftd", "forwarded" 
@@ -1191,7 +1489,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11761", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1774, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" @@ -1211,9 +1519,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1221,7 +1545,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11762", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.238.126", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1241,9 +1575,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1251,7 +1601,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11763", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.93.51", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1271,9 +1631,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1314,6 +1690,12 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1364,6 +1746,12 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1381,7 +1769,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1401,9 +1794,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-ftd", "forwarded" 
@@ -1411,7 +1819,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11764", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1775, + "cisco.ftd.mapped_source_ip": "100.66.225.103", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" @@ -1431,9 +1849,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -1441,7 +1875,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1461,9 +1900,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -1471,7 +1925,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11772", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.240.126", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1491,9 +1955,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1501,7 +1981,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11773", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.44.45", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1521,9 +2011,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1564,6 +2070,12 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1614,6 +2126,12 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1631,7 +2149,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" @@ -1651,9 +2174,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-ftd", "forwarded" @@ -1661,7 +2199,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11774", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1452, + "cisco.ftd.mapped_source_ip": "100.66.179.219", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1681,9 +2229,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1691,7 +2255,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11775", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.157.232", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1711,9 +2285,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1721,7 +2311,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11776", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.178.133", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1741,9 +2341,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1784,6 +2400,12 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1834,6 +2456,12 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1851,7 +2479,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" @@ -1871,9 +2504,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-ftd", "forwarded" @@ -1881,7 +2529,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11777", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1453, + "cisco.ftd.mapped_source_ip": "100.66.133.112", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1901,9 +2559,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1944,6 +2618,12 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1961,7 +2641,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11779", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.204.197", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1981,9 +2671,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2024,6 +2730,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2074,6 +2786,12 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2091,7 +2809,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2111,9 +2834,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-ftd", "forwarded" @@ -2121,7 +2859,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11780", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1454, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2141,9 +2889,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -2151,7 +2915,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" @@ -2171,9 +2940,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" @@ -2181,7 +2965,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11781", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1455, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2201,9 +2995,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2211,7 +3021,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2231,9 +3046,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" 
@@ -2241,7 +3071,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11782", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1456, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" @@ -2261,9 +3101,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2271,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11783", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.100.4", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2291,9 +3157,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2334,6 +3216,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2351,7 +3239,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2371,9 +3264,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" @@ -2381,7 +3289,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11784", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1457, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" @@ -2401,9 +3319,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -2411,7 +3345,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3370,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" @@ -2441,7 +3395,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11785", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1458, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2461,9 +3425,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2471,7 +3451,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11786", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.1.107", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2491,9 +3481,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -2534,6 +3540,12 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2551,7 +3563,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" @@ -2571,9 +3588,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" @@ -2581,7 +3613,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11787", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1459, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2601,9 +3643,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2644,6 +3702,12 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2661,7 +3725,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2681,9 +3750,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -2691,7 +3775,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11788", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1460, + "cisco.ftd.mapped_source_ip": "100.66.192.44", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" @@ -2711,9 +3805,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -2741,6 +3851,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2751,7 +3865,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2771,9 +3890,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-ftd", "forwarded" @@ -2781,7 +3915,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1385, + "cisco.ftd.mapped_source_ip": "100.66.19.254", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2801,9 +3945,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2831,6 +3991,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2861,6 +4025,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2891,6 +4059,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2921,6 +4093,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", 
@@ -2951,6 +4127,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2981,6 +4161,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3024,6 +4208,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3074,6 +4264,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3091,7 +4287,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3111,9 +4312,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-ftd", "forwarded" @@ -3121,7 +4337,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11798", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1386, + "cisco.ftd.mapped_source_ip": "100.66.115.46", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" @@ -3141,9 +4367,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -3181,6 +4423,12 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3228,6 +4476,12 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3275,6 +4529,12 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3322,6 +4582,12 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3369,6 +4635,12 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3416,6 +4688,12 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3463,6 +4741,12 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3510,6 +4794,12 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3557,6 +4847,12 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3604,6 +4900,12 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3651,6 +4953,12 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3698,6 +5006,12 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3745,6 +5059,12 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3762,7 +5082,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3782,9 +5107,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-ftd", "forwarded" @@ -3792,7 +5132,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11799", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1275, + "cisco.ftd.mapped_source_ip": "100.66.205.99", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" @@ -3812,9 +5162,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -3822,7 +5188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3842,9 +5213,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -3852,7 +5238,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11800", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.14.30", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3872,9 +5268,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b18307a7571..ae2b729ada8 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -76,6 +76,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -175,6 +181,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -272,6 +284,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -371,6 +389,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -469,6 +493,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -566,6 +596,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -666,6 +702,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -763,6 +805,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -861,6 +909,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -960,6 +1014,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1060,6 +1120,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1153,6 +1219,12 @@ "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1251,6 +1323,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1348,6 +1426,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1446,6 +1530,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1545,6 +1635,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1642,6 +1738,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1739,6 +1841,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1836,6 +1944,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1931,6 +2045,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2030,6 +2150,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 4397eb76e17..2364b5ed1a1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json 
@@ -21,6 +21,10 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 3540a3f6a15..605eba1e2a7 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -11,6 +11,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -31,6 +34,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 194, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -51,6 +57,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 386, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -71,6 +80,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 568, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -91,6 +103,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 774, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "lights_out_mgmt.cgi", "service.type": "cisco", "syslog.facility": 14, 
@@ -111,6 +126,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 943, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -131,6 +149,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1072, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -151,6 +172,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1191, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -171,6 +195,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1316, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -191,6 +218,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -211,6 +241,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1575, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -231,6 +264,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1721, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, 
@@ -251,6 +287,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1867, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -271,6 +310,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1984, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -291,6 +333,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2128, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -311,6 +356,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2285, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -331,6 +379,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2436, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -351,6 +402,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2580, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -371,6 +425,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2737, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -391,6 +448,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2888, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, 
@@ -411,6 +471,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3032, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -431,6 +494,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3143, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -451,6 +517,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3267, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -471,6 +540,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -491,6 +563,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3564, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -511,6 +586,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3739, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -531,6 +609,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3874, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, 
@@ -551,6 +632,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4002, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -571,6 +655,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4113, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -591,6 +678,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4238, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "index.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -611,6 +701,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4357, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -631,6 +724,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4492, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -651,6 +747,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4686, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -671,6 +770,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4870, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index ba0bb71f417..83616ceec8b 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -56,6 +56,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -132,6 +138,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -204,6 +216,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -276,6 +294,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 2b46be5b166..e2939392ef5 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json 
@@ -31,6 +31,10 @@ "message": "Intrusion attempt", "network.application": "webserver", "network.protocol": "http", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ @@ -71,6 +75,10 @@ "log.level": "debug", "log.offset": 150, "message": "Some message here (1:36330:2).", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -106,6 +114,10 @@ "log.level": "debug", "log.offset": 247, "message": "Some message here (1:36330:2)", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -153,6 +165,10 @@ "This one has a type id", "And two messages" ], + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 36a494d8f89..90fd65d46cd 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "203.0.113.42" ], 
@@ -71,6 +76,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -98,7 +107,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -123,6 +131,12 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 05fc4af2cbc..371218e511b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -74,6 +79,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" 
@@ -119,6 +129,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -164,6 +179,12 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -209,6 +230,12 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -224,7 +251,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" @@ -243,7 +275,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-ftd", "forwarded" 
@@ -251,7 +297,18 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.ftd.connection_id": "89743274",
+ "cisco.ftd.destination_interface": "outside",
+ "cisco.ftd.mapped_destination_ip": "10.123.3.42",
+ "cisco.ftd.mapped_destination_port": 12834,
+ "cisco.ftd.mapped_source_ip": "192.0.2.43",
+ "cisco.ftd.mapped_source_port": 443,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "10.123.3.42",
+ "destination.ip": "10.123.3.42",
+ "destination.nat.port": "12834",
+ "destination.port": 4952,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -270,7 +327,22 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 938,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.0.2.43",
+ "10.123.3.42"
+ ],
 "service.type": "cisco",
+ "source.address": "192.0.2.43",
+ "source.ip": "192.0.2.43",
+ "source.port": 443,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -278,7 +350,12 @@
 },
 {
 "@timestamp": "2013-04-29T12:59:50.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "192.0.2.130",
+ "destination.ip": "192.0.2.130",
+ "destination.port": 25882,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
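Review bot: `"destination.nat.port": "12834"` is emitted as a JSON string while `destination.port`, `source.port` and `cisco.ftd.mapped_destination_port` in the same event are numbers; ECS defines `destination.nat.port` and `source.nat.port` as `long`, so the pipeline should convert the NAT port to an integer before setting it (presumably the same `convert` step the other port fields already go through) instead of relying on index-time coercion. The same string-typed NAT port is added in the 302015/302013 events on the following lines (`"25882"`, `"45392"`, `"10879"`) and survives as `"8080"` later in this file. Fixing the type in the pipeline would change these golden values to `"destination.nat.port": 12834` and keep the file a faithful check of what the index receives.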
@@ -297,7 +374,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-ftd", "forwarded" @@ -305,7 +396,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.1.35", + "cisco.ftd.mapped_destination_port": 25882, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" @@ -324,7 +426,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -332,7 +450,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" @@ -351,7 +474,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-ftd", "forwarded" @@ -359,7 +496,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743276", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.130", + "cisco.ftd.mapped_destination_port": 45392, + "cisco.ftd.mapped_source_ip": "192.0.2.1", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -378,7 +527,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -418,6 +582,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -467,6 +636,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -508,6 +682,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -522,7 +700,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -541,7 +724,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-ftd", "forwarded" @@ -549,7 +746,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743277", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "10.0.0.130", + "cisco.ftd.mapped_destination_port": 10879, + "cisco.ftd.mapped_source_ip": "192.0.0.17", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" @@ -568,7 +777,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -604,6 +828,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -648,6 +875,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -692,6 +924,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -736,6 +973,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -780,6 +1022,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -824,6 +1071,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" 
@@ -868,6 +1120,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -912,6 +1169,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -956,6 +1218,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1000,6 +1267,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1044,6 +1316,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1087,6 +1364,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" 
@@ -1130,6 +1411,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1174,6 +1458,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1218,6 +1507,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1262,6 +1556,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1306,6 +1605,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1350,6 +1654,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1394,6 +1703,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1438,6 +1752,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1482,6 +1801,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1526,6 +1850,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1571,6 +1900,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" 
@@ -1586,7 +1920,17 @@
 },
 {
 "@timestamp": "2018-12-11T08:01:24.000-02:00",
+ "cisco.ftd.connection_id": "447235",
+ "cisco.ftd.destination_interface": "identity",
+ "cisco.ftd.mapped_destination_ip": "10.0.13.13",
+ "cisco.ftd.mapped_destination_port": 80,
+ "cisco.ftd.mapped_source_ip": "192.168.77.12",
+ "cisco.ftd.mapped_source_port": 11180,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "10.0.13.13",
+ "destination.ip": "10.0.13.13",
+ "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1606,35 +1950,23 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 5967,
- "service.type": "cisco",
- "tags": [
- "cisco-ftd",
- "forwarded"
- ]
- },
- {
- "@timestamp": "2018-12-11T08:01:24.000-02:00",
- "cisco.ftd.message_id": "302015",
- "event.action": "firewall-rule",
- "event.category": [
- "network"
- ],
- "event.code": 302015,
- "event.dataset": "cisco.ftd",
- "event.kind": "event",
- "event.module": "cisco",
- "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)",
- "event.severity": 6,
- "event.timezone": "-02:00",
- "event.type": [
- "info"
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.ingress.interface.name": "identity",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.ip": [
+ "192.168.77.12",
+ "10.0.13.13"
 ],
- "fileset.name": "ftd",
- "host.hostname": "127.0.0.1",
- "input.type": "log",
- "log.level": "informational",
- "log.offset": 6147,
 "service.type": "cisco",
+ "source.address": "192.168.77.12",
+ "source.ip": "192.168.77.12",
+ "source.port": 11180,
 "tags": [
 "cisco-ftd",
 "forwarded"
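Review bot: The second hunk here removes an entire event (the one at `"log.offset": 6147`) from the golden file, yet the commit's diffstat lists no change to the ftd `sample.log`, so one input line now yields no output at all. Its `event.original` carries the malformed `identity:10.0.13.13/80port>` token, and the retained 5967 event is now parsed as the same connection 447235, which suggests the new pipeline either drops the unparseable line or collapses it; the hunk does not say which. Silently losing a firewall connection event is a fidelity problem for the dataset: a line the grok cannot handle should still come out as an event with `error.message` set, or the test input should be changed explicitly so the expectation is documented. A one-line comment in the commit description naming why the 6147 event disappears would at least make the intent reviewable.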
@@ -1672,6 +2004,12 @@ "log.offset": 6332, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1717,6 +2055,12 @@ "log.offset": 6487, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1732,7 +2076,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1752,7 +2106,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6642, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -1760,7 +2129,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1780,7 +2159,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6817, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -1821,6 +2215,12 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1869,6 +2269,12 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.35" 
@@ -1917,6 +2323,12 @@
 "network.bytes": 134781,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.ingress.interface.name": "dmz",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.35"
@@ -1946,20 +2358,23 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "deny",
+ "event.outcome": "tcp",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7504,
- "network.iana_number": 6,
- "network.transport": "tcp",
+ "network.transport": "(no",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.34"
@@ -1989,20 +2404,23 @@
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside",
- "event.outcome": "deny",
+ "event.outcome": "tcp",
 "event.severity": 6,
 "event.timezone": "-02:00",
 "event.type": [
- "info",
- "denied"
+ "info"
 ],
 "fileset.name": "ftd",
 "host.hostname": "127.0.0.1",
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7651,
- "network.iana_number": 6,
- "network.transport": "tcp",
+ "network.transport": "(no",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "127.0.0.1",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "192.0.2.222",
 "192.168.1.34"
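Review bot: The rewritten expectations for the two `%FTD-6-106015: Deny TCP (no connection)` events (the second and third hunks on this line) lock in a misparse rather than a fix: `event.outcome` goes from `deny` to `tcp`, `network.transport` becomes the literal `(no`, and `network.iana_number` plus the `denied` entry in `event.type` are lost. The values line up one token to the right, so the grok for 106015 in the shared pipeline evidently assigns the words after `Deny` positionally and the optional `(no connection)` token shifts every capture; the pattern needs to consume that token before `from`, and the golden values should remain `"event.outcome": "deny"`, `"network.transport": "tcp"`, `"network.iana_number": 6`. As written, any rule that keys on `event.outcome: deny` or `event.type: denied` for packet-drop events stops matching these messages once this file is accepted, which is exactly the kind of regression the golden files exist to catch.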
@@ -2048,6 +2466,12 @@ "log.offset": 7798, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2063,7 +2487,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2083,7 +2517,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 7954, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -2091,7 +2541,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2111,7 +2571,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 8133, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -2152,6 +2628,12 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2199,6 +2681,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2239,6 +2726,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8624, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2278,6 +2770,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8745, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2317,6 +2814,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8866, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2356,6 +2858,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8987, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2395,6 +2902,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9108, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2434,6 +2946,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9229, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2473,6 +2990,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9350, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2512,6 +3034,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9472, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2556,6 +3083,12 @@ "log.offset": 9594, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2598,6 +3131,11 @@ "log.offset": 9748, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2638,6 +3176,10 @@ "log.offset": 9858, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2686,6 +3228,11 @@ "log.offset": 9994, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2717,7 +3264,6 @@
 "destination.address": "192.0.2.223",
 "destination.ip": "192.0.2.223",
 "destination.nat.ip": "192.0.2.225",
- "destination.nat.port": "80",
 "destination.port": 80,
 "event.action": "firewall-rule",
 "event.category": [
@@ -2740,6 +3286,11 @@
 "log.offset": 10245,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outsidet",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.1.1.1",
 "192.0.2.223"
@@ -2748,7 +3299,6 @@
 "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
 "source.nat.ip": "10.2.1.1",
- "source.nat.port": "33340",
 "source.port": 33340,
 "tags": [
 "cisco-ftd",
@@ -2769,7 +3319,6 @@
 "cisco.ftd.threat_level": "very-high",
 "destination.address": "192.0.2.223",
 "destination.ip": "192.0.2.223",
- "destination.nat.ip": "192.0.2.223",
 "destination.nat.port": "8080",
 "destination.port": 80,
 "event.action": "firewall-rule",
@@ -2794,6 +3343,11 @@
 "log.offset": 10544,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.ingress.interface.name": "outsidet",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.1.1.1",
 "192.0.2.223"
@@ -2802,7 +3356,6 @@
 "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
 "source.nat.ip": "10.2.1.1",
- "source.nat.port": "33340",
 "source.port": 33340,
 "tags": [
 "cisco-ftd",
@@ -2834,6 +3387,9 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 10843,
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.30.30.30",
 "192.0.2.1"
@@ -2872,6 +3428,9 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 10920,
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.5.111.32",
 "192.0.2.32"
@@ -2911,6 +3470,10 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 11012,
+ "observer.egress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.69.6.39",
 "192.0.0.19"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
index 89bd797ebff..7d48283bdaa 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
@@ -59,6 +59,12 @@
 "network.iana_number": 1,
 "network.protocol": "icmp",
 "network.transport": "icmp",
+ "observer.egress.interface.name": "output",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "input",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.100.30",
 "10.0.1.20"
@@ -142,6 +148,12 @@
 "network.iana_number": 1,
 "network.protocol": "icmp",
 "network.transport": "icmp",
+ "observer.egress.interface.name": "output",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "input",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.100.30",
 "10.0.1.20"
@@ -233,6 +245,12 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "8.8.8.8"
@@ -331,6 +349,12 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "8.8.8.8"
@@ -417,6 +441,12 @@
 "log.offset": 2515,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "52.59.244.233"
@@ -521,6 +551,12 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "52.59.244.233"
@@ -610,6 +646,12 @@
 "log.offset": 3919,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "213.211.198.62"
@@ -710,6 +752,12 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "213.211.198.62"
@@ -789,6 +837,12 @@
 "log.offset": 5177,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "observer.egress.interface.name": "output",
+ "observer.hostname": "firepower",
+ "observer.ingress.interface.name": "input",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.100.30",
 "10.0.1.20"
@@ -881,6 +935,12 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "input",
+ "observer.hostname": "siem-ftd",
+ "observer.ingress.interface.name": "output",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
index 2d02ecd67d3..c9105b957ab 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json
@@ -47,6 +47,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
@@ -114,6 +118,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
@@ -181,6 +189,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
@@ -248,6 +260,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.ip": [
 "10.0.1.20",
 "10.0.100.30"
@@ -321,6 +337,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -397,6 +417,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -477,6 +501,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "siem-ftd",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -565,6 +593,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
 ],
@@ -644,6 +676,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7"
 ],
@@ -733,6 +769,10 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.hostname": "firepower",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "related.hash": [
 "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7"
 ],
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
index e9a6b15f242..2fe9194946a 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -79,6 +79,12 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "observer.egress.interface.name": "s1p1",
+ "observer.hostname": "CISCO-SENSOR-3D",
+ "observer.ingress.interface.name": "s1p2",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "Alerts",
 "related.ip": [
 "3.3.3.3",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index a87e2d4ec41..7671bb649b9 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -196,10 +196,11 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106007'"
 field: "message"
 pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106010'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "message"
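Review bot: The new 106010 grok pattern is not anchored with `^`, so when a message does not match from its start the regex engine retries at every later offset, and because the leading captures are all `NOTSPACE` a shifted match can bind the wrong tokens to event.outcome and network.transport; the 106014 and 106015 patterns in the next hunk have the same shape, whereas the 111009 pattern later in this diff does anchor. Prefix the pattern, `- "^%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src …"`, which also bounds backtracking on malformed syslog arriving from the network. source.address is captured with `NOTSPACE` here but with `IP` in the 106015 pattern; if resolved names can appear in these messages, `NOTSPACE` is the safer choice for both, otherwise `IP` gives earlier rejection of junk. The enclosing processors list continues outside the hunk.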
@@ -212,14 +213,16 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "network.direction"
 value: inbound
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106014'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}"
- - dissect:
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?"
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106015'"
 field: "message"
- pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106016'"
 field: "message"
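Review bot: The 106015 pattern replaces the literal `(no connection)` of the removed dissect with a single `%{NOTSPACE}`, but that literal is two space-separated tokens, so a message shaped `Deny TCP (no connection) from …` cannot match in the intended alignment; because the pattern is unanchored the engine instead matches one token later, binding event.outcome to `TCP` and network.transport to `(no`. Keep the literal in the regex, escaped for the YAML double-quoted string: `- "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} \\(no connection\\) from %{IP:source.address}/%{POSINT:source.port} to …"`. If a 106015 sample exists in the test logs, its expected event.outcome is worth checking for this shift. The enclosing processors list continues outside the hunk.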
@@ -262,9 +265,64 @@ processors:
 field: "message"
 pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
 - dissect:
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ field: "message"
+ pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}"
+ - set:
+ field: event.outcome
+ value: "success"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'"
+ - set:
+ field: event.outcome
+ value: "failure"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'"
+ - remove:
+ field: _temp_.cisco.cli_outcome
+ ignore_missing: true
+ - append:
+ field: event.type
+ value: "change"
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111009'"
+ field: "message"
+ patterns:
+ - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111010'"
+ field: "message"
+ patterns:
+ - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '113019'"
+ field: "message"
+ pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. 
Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
+ - dissect:
+ if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '303002'"
+ field: "message"
+ pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302012'"
+ field: "message"
+ pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '302020'"
+ field: "message"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302022'"
+ field: "message"
+ pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - grok:
 if: "ctx._temp_.cisco.message_id == '304001'"
 field: "message"
- pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}"
+ patterns:
+ - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
 - set:
 if: "ctx._temp_.cisco.message_id == '304001'"
 field: "event.outcome"
@@ -273,6 +331,10 @@ processors:
 if: "ctx._temp_.cisco.message_id == '304002'"
 field: "message"
 pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '305011'"
+ field: "message"
+ pattern: "Built %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '313001'"
 field: "message"
@@ -435,10 +497,76 @@ processors:
 field: "server.port"
 value: "{{source.port}}"
 ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ pattern: "User priv level changed: Uname: %{host.user.name} 
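Review bot: The 113019 dissect writes the trailing clause into `%{message}`, which replaces the original log line with only its reason text, so the raw event is no longer available to anyone investigating the session; the 507003 pattern in the `@@ -435,10 +497,76 @@` hunk does the same with `reason - %{message}`. Capture it into a module field instead, e.g. `Reason: %{_temp_.cisco.reason}` (proposed name), and surface it under the `cisco.{< .internal_prefix >}` namespace alongside the other `_temp_.cisco.*` values. The same 113019 pattern maps `IP = %{destination.address}`, whereas 713049, 716002 and 722051 in the later hunk map the equivalent peer `IP` to `source.address`; one of these is presumably reversed. The 304001 rewrite also narrows source.address from any token to `%{IP}`, which stops matching if the device logs a resolved name there (the diffstat lists a hostnames fixture, whose contents are not visible here). The enclosing processors list continues outside the hunk.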
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710005'"
+ field: "message"
+ pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: 
"ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '734001'"
 field: "message"
 pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
 - split:
 field: "_temp_.cisco.dap_records"
 separator: ",\\s+"
@@ -448,7 +576,7 @@ processors:
 # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
 #
 - set:
- if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
 field: "event.action"
 value: "flow-expiration"
 - grok:
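Review bot: The 605004/605005 and 611101/611102 dissects put the device's own wording straight into `event.outcome` (`Login %{event.outcome}`, `User authentication %{event.outcome}`), which yields values such as `permitted`/`denied` or `succeeded`/`failed` rather than the ECS `success`/`failure` that the 111004 handling in the `@@ -262,9 +265,64 @@` hunk normalizes to; unless a later processor maps them, capture into `_temp_.cisco.login_outcome` (proposed name) and add `set` steps like the 111004 ones, otherwise login failures will not show up in ECS-based authentication detections. The 716002 pattern hard-codes `WebVPN session terminated: User Requested.`, so any other termination reason the device emits fails the dissect; ending with `WebVPN session terminated: %{_temp_.cisco.reason}` (proposed name) keeps the message matched and preserves the reason. The enclosing processors list continues outside the hunk.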
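Review bot: 302020 and 609001 are added to the flow-expiration list, but the patterns introduced earlier in this diff parse them as `Built … connection for faddr …` and `Built local-host …`, i.e. connection setup rather than the Teardown this comment describes, so `event.action` would read `flow-expiration` for a connection start unless a later processor overrides it. 302012 and 609002 are Teardown messages and belong here. If the intent is to give the Built variants an action too, a separate `set` carrying whatever value the existing connection-build messages use keeps both the comment and the list truthful. The processors list continues outside the hunk.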
@@ -1245,22 +1373,22 @@ processors:
 - set:
 field: source.nat.ip
 value: "{{_temp_.cisco.mapped_source_ip}}"
- if: "(ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
 ignore_empty_value: true
 - set:
 field: source.nat.port
 value: "{{_temp_.cisco.mapped_source_port}}"
- if: "(ctx?._temp_?.cisco.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
 ignore_empty_value: true
 - set:
 field: destination.nat.ip
 value: "{{_temp_.cisco.mapped_destination_ip}}"
- if: "(ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
 ignore_empty_value: true
 - set:
 field: destination.nat.port
 value: "{{_temp_.cisco.mapped_destination_port}}"
- if: "(ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
 ignore_empty_value: true
 #
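Review bot: The third condition keeps `ctx?._temp_?.cisco.mapped_destination_ip` without the null-safe `?.` on `cisco` while the other three use `ctx?._temp_?.cisco?.…`; make it `if: "ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip"` so a document that has no `_temp_.cisco` object is handled the same way on all four. The comparisons also only work while both operands are of the same type, and the expected-JSON hunks earlier in this diff show `"destination.nat.port": "8080"` beside `"destination.port": 80`, so the mustache `set` leaves the NAT ports as strings while the plain ports are converted elsewhere, although ECS defines `source.nat.port` and `destination.nat.port` as long. Adding the two NAT port fields to whichever `convert` step turns the ports into integers (outside this hunk) would let them aggregate and range-filter like the other ports. The enclosing processors list continues outside the hunk.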
@@ -1377,6 +1505,32 @@ processors:
 ctx.event.type.add('denied');
 }
 }
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "firewall"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "{< .internal_prefix >}"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.{< .internal_prefix >}.source_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.{< .internal_prefix >}.destination_interface }}"
+ ignore_empty_value: true
 - append:
 field: related.ip
 value: "{{source.ip}}"
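Review bot: `observer.egress.interface.name` is filled from `source_interface` and `observer.ingress.interface.name` from `destination_interface`, but in the `src iface:addr … dst iface:addr` messages parsed earlier in this diff (106010, 106014) the source interface is the one the packet arrived on, which ECS calls ingress; the expected output for a flow from 192.0.2.95 to 10.32.112.125 showing egress `outside`/ingress `inside`, and the `siem-ftd` sample showing egress `input`/ingress `output`, read as reversed. If that reading holds, swap the two `value:` lines so `observer.ingress.interface.name` gets `"{{ cisco.{< .internal_prefix >}.source_interface }}"` and egress gets the destination one; the security-connection samples show egress `output`/ingress `input`, so the FTD path may populate the temp fields differently and is worth checking before the swap. `ignore_empty_value: true` on the constant `vendor`, `type` and `product` sets is a no-op and can be dropped. The enclosing processors list continues outside the hunk.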