diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 54d4fa40f173..ae85d44a68cf 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -758,6 +758,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018] - Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046] - Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046] +- Add `observer.egress.zone` and `observer.ingress.zone` for cisco/asa and cisco/ftd filesets. {pull}23068[23068] +- Allow cisco/asa and cisco/ftd filesets to override network directionality based off of zones. {pull}23068[23068] - Add `network.direction` to netflow/log fileset. {pull}23052[23052] - Allow cef and checkpoint modules to override network directionality based off of zones {pull}23066[23066] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e75e0a72467d..c079c5bca642 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -512,6 +512,14 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -530,6 +538,14 @@ filebeat.modules: # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index c9c670fc095a..b0fb55ed7cb6 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -17,6 +17,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -35,6 +43,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 9cd38cbc3d7a..2e85cd4dfee1 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -24,3 +24,17 @@ processors: target: '' fields: ecs.version: 1.7.0 + +{{ if .external_zones }} + - add_fields: + target: _temp_ + fields: + external_zones: {{ .external_zones | tojson }} +{{ end }} + +{{ if .internal_zones }} + - add_fields: + target: _temp_ + fields: + internal_zones: {{ .internal_zones | tojson }} +{{ end }} diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 58b1bed572a6..3c185f7980c2 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml +++ b/x-pack/filebeat/module/cisco/asa/manifest.yml @@ -24,6 +24,8 @@ var: default: asa - name: internal_PREFIX default: ASA + - name: external_zones + - name: internal_zones ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index 8573365f7f34..8a3ec3e9ab45 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -23,3 +23,17 @@ processors: target: '' fields: ecs.version: 1.7.0 + +{{ if .external_zones }} + - add_fields: + target: _temp_ + fields: + external_zones: {{ .external_zones | tojson }} +{{ end }} + +{{ if .internal_zones }} + - add_fields: + target: _temp_ + fields: + internal_zones: {{ .internal_zones | tojson }} +{{ end }} diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml index e18956c1dc8c..31eb9659a6b8 100644 --- a/x-pack/filebeat/module/cisco/ftd/manifest.yml +++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml @@ -24,6 +24,9 @@ var: default: ftd - name: internal_PREFIX default: FTD + - name: external_zones + - name: internal_zones + ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b7b065dea1c0..093665fca983 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -78,8 +78,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -187,8 +189,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -294,8 +298,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -403,8 +409,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -511,8 +519,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -618,8 +628,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -728,8 +740,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -835,8 +849,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -943,8 +959,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1052,8 +1070,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1162,8 +1182,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1265,8 +1287,10 @@ "network.protocol": "dns", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1373,8 +1397,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1480,8 +1506,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1588,8 +1616,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1697,8 +1727,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1804,8 +1836,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -1911,8 +1945,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2018,8 +2054,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2123,8 +2161,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -2232,8 +2272,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 681c8052cb07..f8745332a6fe 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -57,8 +57,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -142,8 +144,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -223,8 +227,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "inside", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -304,8 +310,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "inside", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7490bc1ac57d..6a38a072bfc6 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -60,8 +60,10 @@ "network.protocol": "icmp", "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -152,8 +154,10 @@ "network.protocol": "icmp", "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -253,8 +257,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -361,8 +367,10 @@ "network.protocol": "dns", "network.transport": "udp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -457,8 +465,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -571,8 +581,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -670,8 +682,10 @@ "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -780,8 +794,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "inside", + "observer.egress.zone": "output-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "outside", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -868,8 +884,10 @@ "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "output", + "observer.egress.zone": "input-zone", "observer.hostname": "firepower", "observer.ingress.interface.name": "input", + "observer.ingress.zone": "output-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -969,8 +987,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "input", + "observer.egress.zone": "output-zone", "observer.hostname": "siem-ftd", "observer.ingress.interface.name": "output", + "observer.ingress.zone": "input-zone", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 0b669eb5dffb..de4be40b0b57 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -81,8 +81,10 @@ "network.protocol": "http", "network.transport": "tcp", "observer.egress.interface.name": "s1p1", + "observer.egress.zone": "Inside-DMZ-Interface-Inline", "observer.hostname": "CISCO-SENSOR-3D", "observer.ingress.interface.name": "s1p2", + "observer.ingress.zone": "Inside-DMZ-Interface-Inline", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 69ea41e8ca0b..72920d75a0e4 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -723,6 +723,7 @@ processors: EgressZone: target: egress_zone id: ["430001", "430002", "430003"] + ecs: [observer.egress.zone] Endpoint Profile: target: endpoint_profile id: ["430002", "430003"] @@ -795,6 +796,7 @@ processors: IngressZone: target: ingress_zone id: ["430001", "430002", "430003"] + ecs: [observer.ingress.zone] InitiatorBytes: target: initiator_bytes id: ["430003"] @@ -1390,6 +1392,70 @@ processors: value: "{{_temp_.cisco.mapped_destination_port}}" if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" ignore_empty_value: true + # + # Zone-based Network Directionality + # + # If external and internal zones are specified and our ingress/egress zones are + # populated, then we can classify traffic directionality based off of our defined + # zones rather than the logs. + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) # # Populate ECS event.code diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 2dc8389a8d26..d181f01abd30 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -20,6 +20,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ftd: enabled: true @@ -38,6 +46,14 @@ # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html #var.log_level: 7 + # Set internal security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.internal_zones: [ "Internal" ] + + # Set external security zones. used to override parsed network.direction + # based on zone egress and ingress + #var.external_zones: [ "External" ] + ios: enabled: true