x-pack/filebeat/module/cisco: fix event.{outcome,type} handling

[efd6]

What does this PR do?

This fixes handling of event.outcome and event.type field in Cisco ASA and FTD modules to more correctly match the field descriptions in ECS.

Why is it important?

Currently the fields do not conform to ECS. This is #29581.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Check that new golden values are sane.

How to test this PR locally

Run TESTING_FILEBEAT_MODULES=cisco MODULES_PATH=module mage -v pythonIntegTest in x-pack/filebeat.

First commit is boring, being just the update for golden files to prune @timestamp fields.

Related issues

• Closes Filebeat module cisco asa ECS event.outcome / event.type wrong #29581.

Use cases

N/A

Screenshots

N/A

Logs

N/A

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-01-12T04:17:40.728+0000

• Duration: 99 min 1 sec

• Commit: 63b5e98

Test stats 🧪

Test	Results
Failed	0
Passed	2437
Skipped	153
Total	2590

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[efd6]

/test

[adriansr]

I don't see allowed or dropped specified as valid values for event.outcome, only success and failure. My understanding is that this should go into event.type. Am I missing something?

[efd6]

These are temporary values that are used to communicate to the painless later what the combination of outcome and type should be. If state is squashed to a binary of success/failure it is not possible to reconstruct the possibility of a successful denial. I could have done if with a second variable, but this feels better.

[efd6]

These get sorted out here 76fe29f#diff-35840a6c4edae3a4fc97e0a1c84d5576fcfd9bb64faf12e7a6800347a5728cb1R1857-R1872. If you'd like I can add commentary explaining this.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ciscoasa-outcome upstream/ciscoasa-outcome
git merge upstream/master
git push upstream ciscoasa-outcome

[adriansr]

LGTM