diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b7c0eedd120..dcfe6e3c9ab 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -370,8 +370,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095]
 - Improve ECS categorization field mappings in envoyproxy module. {issue}16161[16161] {pull}18395[18395]
 - Improve ECS categorization field mappings in coredns module. {issue}16159[16159] {pull}18424[18424]
+- Improve ECS categorization field mappings in cisco module. {issue}16028[16028] {pull}18537[18537]
 - The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764]
+
 *Heartbeat*
 - Allow a list of status codes for HTTP checks. {pull}15587[15587]
diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
index d1eee3cd1a6..0cffa76a01f 100644
--- a/x-pack/filebeat/module/cisco/asa/config/input.yml
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -20,3 +20,7 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
   - add_locale: ~
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index d5e641cfc9a..72e5c6a96a1 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
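Review bot: `ecs.version: 1.5.0` in the new add_fields block is unquoted; YAML keeps it a string only because the value has two dots, so a future bump to a two-part value such as `1.6` would be parsed as a float and reach the `ecs.version` keyword field as a number. Quoting it, `ecs.version: '1.5.0'`, pins the type regardless of the value. If the other modules' input.yml files use the same unquoted form, it is worth changing them together rather than this file alone.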
@@ -9,15 +9,23 @@ "destination.ip": "10.233.123.123", "destination.port": 53, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2020-04-17T14:08:08.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)", "event.severity": 6, "event.start": "2020-04-17T16:08:08.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", "input.type": "log", @@ -26,6 +34,10 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "10.123.123.123", + "10.233.123.123" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", @@ -43,13 +55,21 @@ "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", "input.type": "log", @@ -57,6 +77,10 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "10.123.123.123", + "10.123.123.123" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", 
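Review bot: The `related.ip` array pinned in the `@@ -57,6 +77,10 @@` hunk lists `10.123.123.123` twice, and the same duplication is recorded in the `@@ -74,19 +98,31 @@`, `@@ -120,6 +164,10 @@` and `@@ -134,18 +182,30 @@` hunks. ECS `related.ip` is meant to be the set of distinct addresses an event touches, so a golden file that expects duplicates locks in the pipeline's append-without-dedup behaviour and will turn a later dedup fix into a fixture failure. The ingest pipeline is outside this chunk; if it builds `related.ip` with an `append` processor, it should skip a destination that equals the source, or use the processor's `allow_duplicates: false` option where the target Elasticsearch version supports it, and these fixtures should then be regenerated with single entries.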
@@ -74,19 +98,31 @@ "destination.ip": "10.123.123.123", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.level": "warning", "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.123.123.123", + "10.123.123.123" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", @@ -106,13 +142,21 @@ "destination.ip": "10.123.123.123", "destination.port": 57621, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", "input.type": "log", @@ -120,6 +164,10 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "10.123.123.123", + "10.123.123.123" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", 
@@ -134,18 +182,30 @@ "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106017, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "SNL-ASA-VPN-A01", "input.type": "log", "log.level": "critical", "log.offset": 734, + "related.ip": [ + "10.123.123.123", + "10.123.123.123" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index a1c30ba9001..09cce4899fc 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -3,12 +3,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
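Review bot: The 106017 record in the `@@ -134,18 +182,30 @@` hunk, `Deny IP due to Land Attack`, is categorized exactly like an ordinary ACL deny (`event.kind: event`, `event.category: [network]`, `event.type: [info, denied]`), although the firewall is reporting a detected attack rather than a policy miss. ECS 1.5, which this commit pins via `ecs.version`, distinguishes `event.kind: alert` and lists `intrusion_detection` among the event.category values (confirm against the 1.5 allowed-value list), so detection content keyed on those fields will not see this event. Whether to promote it is a pipeline decision outside this chunk; if it is made, this fixture should be regenerated with `"event.kind": "alert"` and `"event.category": ["network", "intrusion_detection"]`.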
@@ -27,12 +34,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -57,15 +71,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1758, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -77,6 +99,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.211.242", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.211.242", "source.ip": "100.66.211.242", 
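Review bot: In the `@@ -27,12 +34,19 @@` hunk the 302013 `Built outbound TCP connection` record is typed `event.type: [info]`, while the 302014 `Teardown TCP connection` record in the next hunk on this line is typed `[connection, end]`; the same asymmetry recurs for the 302015/302016 pairs in later hunks of this file. ECS pairs `start` with `end` under the `connection` type, so consumers that query `event.type:start` or correlate a flow's two halves on `event.type:connection` will see only the teardown side of every session. If the pipeline (outside this chunk) is changed to emit `["connection", "start"]` for 302013 and 302015, these fixtures should be regenerated to match.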
@@ -96,15 +122,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1757, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -116,6 +150,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.211.242", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.211.242", "source.ip": "100.66.211.242", @@ -135,15 +173,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1755, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -155,6 +201,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.185.90", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.185.90", "source.ip": "100.66.185.90", 
@@ -174,15 +224,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1754, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -194,6 +252,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.185.90", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.185.90", "source.ip": "100.66.185.90", @@ -213,15 +275,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1752, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:48.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -233,6 +303,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.160.197", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.160.197", "source.ip": "100.66.160.197", 
@@ -252,15 +326,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1749, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:48.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -272,6 +354,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.14", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.205.14", "source.ip": "100.66.205.14", @@ -291,15 +377,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1750, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:48.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -311,6 +405,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.124.33", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.124.33", "source.ip": "100.66.124.33", 
@@ -330,15 +428,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1747, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:47.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -350,6 +456,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.35.9", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.35.9", "source.ip": "100.66.35.9", @@ -369,15 +479,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1742, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:47.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -389,6 +507,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.211.242", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.211.242", "source.ip": "100.66.211.242", 
@@ -408,15 +530,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1741, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:47.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -428,6 +558,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.218.21", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.218.21", "source.ip": "100.66.218.21", @@ -447,15 +581,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1739, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:47.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -467,6 +609,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.27", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.198.27", "source.ip": "100.66.198.27", 
@@ -486,15 +632,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1740, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 69000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:47.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -506,6 +660,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.27", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.198.27", "source.ip": "100.66.198.27", @@ -525,15 +683,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1738, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 70000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:46.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -545,6 +711,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.202.211", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.202.211", "source.ip": "100.66.202.211", 
@@ -564,15 +734,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1756, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -584,6 +762,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.124.15", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.124.15", "source.ip": "100.66.124.15", @@ -603,15 +785,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1737, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 70000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:46.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -623,6 +813,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.124.15", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.124.15", "source.ip": "100.66.124.15", 
@@ -642,15 +836,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1736, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 71000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:45.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -662,6 +864,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.209.247", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.209.247", "source.ip": "100.66.209.247", @@ -681,15 +887,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1765, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 30000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "event.severity": 6, "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -701,6 +915,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.35.162", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.35.162", "source.ip": "100.66.35.162", 
@@ -714,12 +932,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -738,12 +963,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -768,15 +1000,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -788,6 +1028,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.80.32", "source.ip": "100.66.80.32", @@ -801,12 +1045,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -831,15 +1082,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -851,6 +1110,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.252.6", "source.ip": "100.66.252.6", 
@@ -864,12 +1127,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -888,12 +1158,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -912,12 +1189,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -936,12 +1220,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -960,12 +1251,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -984,12 +1282,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1014,15 +1319,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1034,6 +1347,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.238.126", "source.ip": "100.66.238.126", @@ -1053,15 +1370,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1073,6 +1398,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.93.51", "source.ip": "100.66.93.51", 
@@ -1086,12 +1415,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1110,12 +1446,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1134,12 +1477,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1158,12 +1508,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1182,12 +1539,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1212,15 +1576,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1232,6 +1604,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.240.126", "source.ip": "100.66.240.126", @@ -1251,15 +1627,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1271,6 +1655,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.44.45", "source.ip": "100.66.44.45", @@ -1284,12 +1672,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1308,12 +1703,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1332,12 +1734,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1356,12 +1765,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1386,15 +1802,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1406,6 +1830,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.157.232", "source.ip": "100.66.157.232", @@ -1425,15 +1853,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1445,6 +1881,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.178.133", "source.ip": "100.66.178.133", 
@@ -1458,12 +1898,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1482,12 +1929,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1512,15 +1966,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1453, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1532,6 +1994,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.133.112", "source.ip": "100.66.133.112", @@ -1545,12 +2011,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1575,15 +2048,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1595,6 +2076,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.157.232", "source.ip": "100.66.157.232", 
@@ -1614,15 +2099,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1634,6 +2127,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.204.197", "source.ip": "100.66.204.197", @@ -1647,12 +2144,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1671,12 +2175,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1695,12 +2206,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1719,12 +2237,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1743,12 +2268,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1767,12 +2299,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1791,12 +2330,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1821,15 +2367,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1841,6 +2395,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.100.4", "source.ip": "100.66.100.4", @@ -1854,12 +2412,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1878,12 +2443,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1902,12 +2474,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1926,12 +2505,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -1950,12 +2536,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -1980,15 +2573,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1457, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2000,6 +2601,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.198.40", "source.ip": "100.66.198.40", 
@@ -2013,12 +2618,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2037,12 +2649,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2067,15 +2686,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2087,6 +2714,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.1.107", "source.ip": "100.66.1.107", @@ -2100,12 +2731,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2124,12 +2762,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2148,12 +2793,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2172,12 +2824,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2196,12 +2855,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2220,12 +2886,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2244,12 +2917,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2268,12 +2948,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2292,12 +2979,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2316,12 +3010,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2340,12 +3041,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305012", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2370,15 +3078,23 @@ "destination.ip": "172.31.156.80", "destination.port": 1382, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 325000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T14:29:31.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2390,6 +3106,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", "source.address": "100.66.115.46", "source.ip": "100.66.115.46", @@ -2409,15 +3129,23 @@ "destination.ip": "172.31.156.80", "destination.port": 1385, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2429,6 +3157,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2442,12 +3174,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -2466,12 +3205,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "asa",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2496,13 +3242,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2513,6 +3267,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
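Review bot: The 302013 "Built outbound TCP connection" record in the first hunk gets `"event.type": ["info"]`, while the matching 302014 teardown records in the preceding hunks are typed `["connection", "end"]`; a rule that pairs connection start and end on `event.type` will therefore only ever see the end side, so `"event.type": ["connection", "start"]` looks like the intended value here and for the 302015 UDP equivalent in later hunks. In the 106023 hunk below, `["info", "denied"]` pairs `info` — which ECS reserves for events no other type describes — with `denied`; `["connection", "denied"]` (and `["connection", "allowed"]` for the permitted 106100 records in the sample.log hunks) would be the consistent choice. I can't see the ingest pipeline from these fixtures, and each record object starts and ends outside the hunk, so if the mapping is deliberate a short comment in the pipeline explaining why build/NAT messages stay `info` would save the next reader the same question.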
@@ -2532,13 +3290,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2549,6 +3315,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2568,13 +3338,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2585,6 +3363,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2604,13 +3386,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2621,6 +3411,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2640,13 +3434,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2657,6 +3459,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2676,13 +3482,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2693,6 +3507,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2712,13 +3530,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2729,6 +3555,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2748,13 +3578,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2765,6 +3603,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2784,13 +3626,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2801,6 +3651,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2820,13 +3674,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2837,6 +3699,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2856,13 +3722,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2873,6 +3747,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2892,13 +3770,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2909,6 +3795,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", @@ -2928,13 +3818,21 @@ "destination.ip": "172.31.98.44", "destination.port": 8277, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2945,6 +3843,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.19.254", "source.ip": "100.66.19.254", 
@@ -2958,12 +3860,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -2982,12 +3891,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -3006,12 +3922,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", 
@@ -3030,12 +3953,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index 095a1a09764..cff051f89ae 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -7,16 +7,26 @@ ], "cisco.asa.message_id": "734001", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 734001, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.level": "informational", "log.offset": 0, + "related.ip": [ + "1.2.3.4" + ], "service.type": "cisco", "source.address": "1.2.3.4", "source.geo.city_name": "Moscow", diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 918c899a47d..0cdbce9fc70 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json 
@@ -2,12 +2,19 @@ { "cisco.asa.message_id": "999999", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 999999, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-7-999999: This message is not filtered.", "event.severity": 7, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "host.hostname": "beats", "input.type": "log", @@ -28,13 +35,21 @@ "destination.ip": "192.168.33.12", "destination.port": 443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106001, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106001: Inbound TCP connection denied from 10.13.12.11/45321 to 192.168.33.12/443 flags URG+SYN+RST on interface eth0", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "beats", "input.type": "log", @@ -45,6 +60,10 @@ "network.transport": "tcp", "process.name": "asa", "process.pid": 1234, + "related.ip": [ + "10.13.12.11", + "192.168.33.12" + ], "service.type": "cisco", "source.address": "10.13.12.11", "source.ip": "10.13.12.11", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 5264b5568b5..5af2ac66dca 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json 
@@ -5,12 +5,20 @@ "cisco.asa.message_id": "302021", "destination.domain": "target.destination.hostname.local", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr target.destination.hostname.local/10005 gaddr 10.0.55.66/0 laddr Prod-host.name.addr/0", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -35,12 +43,20 @@ "destination.address": "192.0.2.15", "destination.ip": "192.0.2.15", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.15/0 gaddr 192.0.2.134/57808 laddr 192.0.2.134/57808 type 8 code 0", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "MYHOSTNAME", "input.type": "log", @@ -49,6 +65,10 @@ "log.offset": 169, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "192.0.2.134", + "192.0.2.15" + ], "service.type": "cisco", "source.address": "192.0.2.134", "source.ip": "192.0.2.134", diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 753a5e6e160..8747c17b868 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json 
@@ -9,13 +9,21 @@ "destination.ip": "203.0.113.42", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "not-ip.log", @@ -23,6 +31,9 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "203.0.113.42" + ], "service.type": "cisco", "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", @@ -40,12 +51,20 @@ "destination.address": "172.24.177.29", "destination.ip": "172.24.177.29", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "localhost", "input.type": "log", @@ -54,6 +73,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "192.168.132.46", + "172.24.177.29" + ], "service.type": "cisco", "source.address": "192.168.132.46", "source.ip": "192.168.132.46", 
@@ -80,13 +103,21 @@
 "destination.nat.port": "80",
 "destination.port": 80,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 338204,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -95,6 +126,10 @@
 "log.offset": 360,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.10.10.1",
+ "172.24.177.3"
+ ],
 "server.domain": "example.org",
 "service.type": "cisco",
 "source.address": "10.10.10.1",
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
index 123c3949203..ce31629c9fc 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -9,13 +9,21 @@
 "destination.ip": "192.0.0.8",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
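Review bot: The 338204 Botnet Traffic Filter record in the first hunk is categorized as an ordinary flow event (`"event.kind": "event"`, `"event.category": ["network"]`, `"event.type": ["info", "denied"]`) even though its `event.original` states the drop was made because the destination resolved to a malicious address with `threat-level: high, category: malware`, which is a detection verdict rather than a connection log. ECS 1.5 provides `event.kind: "alert"` and the `intrusion_detection` / `malware` category values for exactly this case, and leaving these as plain `network` events means SIEM rules keyed on `event.kind:alert` or `event.category:intrusion_detection` will never see them. I can't tell from the fixture whether the pipeline can single out the 338xxx message family; if it can, `"event.kind": "alert"` with `"event.category": ["network", "intrusion_detection"]` would be a better fit for this record, and the record object itself starts and ends outside the hunk.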
@@ -23,6 +31,10 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.30", + "192.0.0.8" + ], "service.type": "cisco", "source.address": "10.1.2.30", "source.ip": "10.1.2.30", @@ -42,13 +54,21 @@ "destination.ip": "192.0.0.8", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -56,6 +76,10 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.30", + "192.0.0.8" + ], "service.type": "cisco", "source.address": "10.1.2.30", "source.ip": "10.1.2.30", @@ -76,13 +100,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -90,6 +122,10 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.1.2.16", "source.ip": "10.1.2.16", 
@@ -109,13 +145,21 @@ "destination.ip": "192.0.2.10", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "INT-FW01", "input.type": "log", @@ -124,6 +168,10 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "172.29.2.101", + "192.0.2.10" + ], "service.type": "cisco", "source.address": "172.29.2.101", "source.ip": "172.29.2.101", @@ -143,13 +191,21 @@ "destination.ip": "192.0.2.57", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "event.outcome": "allow", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "host.hostname": "INT-FW01", "input.type": "log", @@ -158,6 +214,10 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "172.29.2.3", + "192.0.2.57" + ], "service.type": "cisco", "source.address": "172.29.2.3", "source.ip": "172.29.2.3", 
@@ -171,12 +231,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -192,12 +259,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -213,12 +287,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -234,12 +315,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -255,12 +343,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -276,12 +371,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -303,15 +405,23 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 5025000000000, "event.end": "2013-04-29T12:59:50.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "event.severity": 6, "event.start": "2013-04-29T13:36:05.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -320,6 +430,10 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -341,15 +455,23 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 36000000000000, "event.end": "2013-04-29T12:59:50.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "event.severity": 6, "event.start": "2013-04-29T04:59:50.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -358,6 +480,10 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -374,12 +500,20 @@ "destination.address": "172.24.177.29", "destination.ip": "172.24.177.29", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "host.hostname": "FJSG2NRFW01", "input.type": "log", @@ -388,6 +522,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "192.168.132.46", + "172.24.177.29" + ], "service.type": "cisco", "source.address": "192.168.132.46", "source.ip": "192.168.132.46", @@ -400,12 +538,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -421,12 +566,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -445,13 +597,21 @@ "destination.ip": "10.1.2.60", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106007, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -461,6 +621,10 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "192.0.0.66", + "10.1.2.60" + ], "service.type": "cisco", "source.address": "192.0.0.66", "source.ip": "192.0.0.66", @@ -480,13 +644,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -494,6 +666,10 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -513,13 +689,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -527,6 +711,10 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -546,13 +734,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -560,6 +756,10 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -579,13 +779,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -593,6 +801,10 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -612,13 +824,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -626,6 +846,10 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -645,13 +869,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -659,6 +891,10 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -678,13 +914,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -692,6 +936,10 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -711,13 +959,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -725,6 +981,10 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -744,13 +1004,21 @@ "destination.ip": "192.168.33.31", "destination.port": 25, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -758,6 +1026,10 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.13", + "192.168.33.31" + ], "service.type": "cisco", "source.address": "10.0.0.13", "source.ip": "10.0.0.13", 
@@ -777,13 +1049,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -791,6 +1071,10 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -808,13 +1092,21 @@ "destination.ip": "10.1.2.42", "destination.port": 137, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106006, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -823,6 +1115,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.66", + "10.1.2.42" + ], "service.type": "cisco", "source.address": "192.0.2.66", "source.ip": "192.0.2.66", 
@@ -839,13 +1135,21 @@ "destination.ip": "10.1.5.60", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106007, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -855,6 +1159,10 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "192.0.2.66", + "10.1.5.60" + ], "service.type": "cisco", "source.address": "192.0.2.66", "source.ip": "192.0.2.66", @@ -874,13 +1182,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -888,6 +1204,10 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -907,13 +1227,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -921,6 +1249,10 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -940,13 +1272,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -954,6 +1294,10 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -973,13 +1317,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -987,6 +1339,10 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -1006,13 +1362,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1020,6 +1384,10 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -1039,13 +1407,21 @@ "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1053,6 +1429,10 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.126", + "10.0.0.132" + ], "service.type": "cisco", "source.address": "192.0.2.126", "source.ip": "192.0.2.126", @@ -1072,13 +1452,21 @@ "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1086,6 +1474,10 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.126", + "10.0.0.132" + ], "service.type": "cisco", "source.address": "192.0.2.126", "source.ip": "192.0.2.126", 
@@ -1105,13 +1497,21 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1119,6 +1519,10 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -1138,13 +1542,21 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1152,6 +1564,10 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -1172,13 +1588,21 @@ "destination.ip": "192.0.0.99", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1186,6 +1610,10 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.99" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -1199,12 +1627,19 @@ "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -1221,12 +1656,19 @@ "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1249,13 +1691,21 @@ "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1264,6 +1714,10 @@ "network.iana_number": 17, "network.transport": "udp", "process.name": "", + "related.ip": [ + "192.168.1.33", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.33", "source.ip": "192.168.1.33", 
@@ -1283,13 +1737,21 @@ "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1298,6 +1760,10 @@ "network.iana_number": 17, "network.transport": "udp", "process.name": "", + "related.ip": [ + "192.168.1.33", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.33", "source.ip": "192.168.1.33", @@ -1311,12 +1777,19 @@ "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -1333,12 +1806,19 @@ "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1361,15 +1841,23 @@ "destination.ip": "192.168.1.34", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2018-12-11T08:01:31.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:01:31.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1379,6 +1867,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1398,15 +1890,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:00:30.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1416,6 +1916,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -1435,15 +1939,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:00:30.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1453,6 +1965,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1470,13 +1986,21 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1485,6 +2009,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -1502,13 +2030,21 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106015, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1517,6 +2053,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1536,13 +2076,21 @@ "destination.ip": "192.0.0.12", "destination.port": 5000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1551,6 +2099,10 @@ "network.iana_number": 17, "network.transport": "udp", "process.name": "", + "related.ip": [ + "192.168.1.34", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.34", "source.ip": "192.168.1.34", @@ -1564,12 +2116,19 @@ "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", 
@@ -1586,12 +2145,19 @@ "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1614,15 +2180,23 @@ "destination.ip": "10.10.10.10", "destination.port": 1235, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.asa", "event.duration": 86399000000000, "event.end": "2018-12-11T08:01:53.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "event.severity": 6, "event.start": "2018-12-10T10:01:54.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1632,6 +2206,10 @@ "network.iana_number": 6, "network.transport": "tcp", "process.name": "", + "related.ip": [ + "192.0.2.222", + "10.10.10.10" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1651,15 +2229,23 @@ "destination.ip": "10.44.2.2", "destination.port": 500, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.asa", "event.duration": 122000000000, "event.end": "2012-08-15T23:30:09.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016 Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "event.severity": 6, "event.start": "2012-08-16T01:28:07.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", @@ -1668,6 +2254,10 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "10.44.4.4", + "10.44.2.2" + ], "service.type": "cisco", "source.address": "10.44.4.4", "source.ip": "10.44.4.4", @@ -1684,19 +2274,31 @@ "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.asa", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "asa", "host.hostname": "GIFRCHN01", "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8549, + "related.ip": [ + "0.0.0.0", + "192.88.99.47" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", 
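Review bot: For the 106016 "Deny IP spoof" records (hunk `@@ -1684,19 +2274,31 @@`, and again on lines 77–78) the new `related.ip` array carries `"0.0.0.0"`, the unspecified address the ASA reports as the spoofed source. `related.ip` is meant for pivoting across events on a real address, and an unspecified value will match every spoof event in the index without identifying anything, so the pipeline should skip `0.0.0.0`/`::` when appending to `related.ip` (keeping `source.ip` as-is so the raw value is not lost); the expected output here would then be `"related.ip": ["192.88.99.47"]`. This is inferred from the expected output alone; the append step lives in the ingest pipeline, which is outside this file.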
@@ -1712,19 +2314,31 @@
 "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 8670,
+ "related.ip": [
+ "0.0.0.0",
+ "192.88.99.57"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1740,19 +2354,31 @@
 "destination.address": "192.88.99.47",
 "destination.ip": "192.88.99.47",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 8791,
+ "related.ip": [
+ "0.0.0.0",
+ "192.88.99.47"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1768,19 +2394,31 @@
 "destination.address": "192.88.99.47",
 "destination.ip": "192.88.99.47",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 8912,
+ "related.ip": [
+ "0.0.0.0",
+ "192.88.99.47"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1796,19 +2434,31 @@
 "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 9033,
+ "related.ip": [
+ "0.0.0.0",
+ "192.88.99.57"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1824,19 +2474,31 @@
 "destination.address": "192.88.99.57",
 "destination.ip": "192.88.99.57",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 9154,
+ "related.ip": [
+ "0.0.0.0",
+ "192.88.99.57"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1852,19 +2514,31 @@
 "destination.address": "192.168.1.255",
 "destination.ip": "192.168.1.255",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 9275,
+ "related.ip": [
+ "0.0.0.0",
+ "192.168.1.255"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1880,19 +2554,31 @@
 "destination.address": "192.168.1.255",
 "destination.ip": "192.168.1.255",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106016,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "critical",
 "log.offset": 9397,
+ "related.ip": [
+ "0.0.0.0",
+ "192.168.1.255"
+ ],
 "service.type": "cisco",
 "source.address": "0.0.0.0",
 "source.ip": "0.0.0.0",
@@ -1911,13 +2597,21 @@
 "destination.ip": "10.32.112.125",
 "destination.port": 25,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
@@ -1926,6 +2620,10 @@
 "log.offset": 9519,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "192.0.2.95",
+ "10.32.112.125"
+ ],
 "service.type": "cisco",
 "source.address": "192.0.2.95",
 "source.ip": "192.0.2.95",
@@ -1942,13 +2640,21 @@
 "cisco.asa.message_id": "313001",
 "cisco.asa.source_interface": "Outside",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 313001,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside",
 "event.outcome": "deny",
 "event.severity": 3,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "host.hostname": "GIFRCHN01",
 "input.type": "log",
@@ -1957,6 +2663,9 @@
 "log.offset": 9673,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "related.ip": [
+ "10.2.3.5"
+ ],
 "service.type": "cisco",
 "source.address": "10.2.3.5",
 "source.ip": "10.2.3.5",
@@ -1973,13 +2682,21 @@
 "destination.address": "172.16.1.10",
 "destination.ip": "172.16.1.10",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 313004,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
@@ -1987,6 +2704,10 @@
 "log.offset": 9783,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "related.ip": [
+ "172.16.30.2",
+ "172.16.1.10"
+ ],
 "service.type": "cisco",
 "source.address": "172.16.30.2",
 "source.ip": "172.16.30.2",
@@ -2010,13 +2731,21 @@
 "destination.ip": "192.88.99.129",
 "destination.port": 80,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 338002,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com",
 "event.outcome": "allow",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "allowed"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
@@ -2024,6 +2753,10 @@
 "log.offset": 9919,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.1.1.45",
+ "192.88.99.129"
+ ],
 "server.domain": "bad.example.com",
 "service.type": "cisco",
 "source.address": "10.1.1.45",
@@ -2052,13 +2785,20 @@
 "destination.ip": "192.0.2.223",
 "destination.port": 80,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 338004,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
 "event.outcome": "monitored",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
@@ -2066,6 +2806,10 @@
 "log.offset": 10170,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.1.1.1",
+ "192.0.2.223"
+ ],
 "service.type": "cisco",
 "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
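Review bot: For the 338002 record in the first hunk, the new `related.ip` holds only the pre-NAT endpoints `"10.1.1.45"` and `"192.88.99.129"`, although `event.original` also carries the translated address in parentheses (`192.88.99.1/7890`); the 338004 and 338008 records that follow have the same shape. If the pipeline already extracts those mapped addresses (presumably into source.nat.ip / destination.nat.ip, which this fixture does not show), they should be appended to related.ip as well, because an analyst pivoting from an external observation sees the NAT address, not the inside one. If it does not extract them, that is the gap to close first. As a generated fixture this file should then be regenerated rather than edited by hand.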
@@ -2093,13 +2837,21 @@
 "destination.ip": "192.0.2.223",
 "destination.port": 80,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 338008,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
@@ -2107,6 +2859,10 @@
 "log.offset": 10469,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.1.1.1",
+ "192.0.2.223"
+ ],
 "service.type": "cisco",
 "source.address": "10.1.1.1",
 "source.ip": "10.1.1.1",
@@ -2124,18 +2880,30 @@
 "destination.address": "192.0.2.1",
 "destination.ip": "192.0.2.1",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 304001,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app",
 "event.outcome": "allow",
 "event.severity": 5,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "allowed"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 10766,
+ "related.ip": [
+ "10.30.30.30",
+ "192.0.2.1"
+ ],
 "service.type": "cisco",
 "source.address": "10.30.30.30",
 "source.ip": "10.30.30.30",
@@ -2151,18 +2919,30 @@
 "destination.address": "192.0.2.32",
 "destination.ip": "192.0.2.32",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 304001,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com",
 "event.outcome": "allow",
 "event.severity": 5,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "allowed"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 10843,
+ "related.ip": [
+ "10.5.111.32",
+ "192.0.2.32"
+ ],
 "service.type": "cisco",
 "source.address": "10.5.111.32",
 "source.ip": "10.5.111.32",
@@ -2179,18 +2959,30 @@
 "destination.address": "192.0.0.19",
 "destination.ip": "192.0.0.19",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 304002,
 "event.dataset": "cisco.asa",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
 "event.outcome": "deny",
 "event.severity": 5,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "asa",
 "input.type": "log",
 "log.file.path": "sample.log",
 "log.level": "notification",
 "log.offset": 10935,
+ "related.ip": [
+ "10.69.6.39",
+ "192.0.0.19"
+ ],
 "service.type": "cisco",
 "source.address": "10.69.6.39",
 "source.ip": "10.69.6.39",
diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml
index f4dd703f40a..a505d3030eb 100644
--- a/x-pack/filebeat/module/cisco/ftd/config/input.yml
+++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml
@@ -19,3 +19,7 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
 - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
index 7d4e7865cef..94cd0b8b7bd 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json
@@ -10,15 +10,23 @@
 "destination.ip": "10.233.123.123",
 "destination.port": 53,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302016,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2020-04-17T14:08:08.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302016: Teardown UDP connection 110577675 for Outside:10.123.123.123/53723(LOCAL\\Elastic) to Inside:10.233.123.123/53 duration 0:00:00 bytes 148 (zzzzzz)",
 "event.severity": 6,
 "event.start": "2020-04-17T16:08:08.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -27,6 +35,10 @@
 "network.bytes": 148,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.233.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
@@ -45,13 +57,21 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny icmp src Inside:10.123.123.123 dst Outside:10.123.123.123 (type 11, code 0) by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -59,6 +79,10 @@
 "log.offset": 200,
 "network.iana_number": 1,
 "network.transport": "icmp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
@@ -77,19 +101,31 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 53,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src dmz:10.123.123.123/6316 dst outside:10.123.123.123/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3afb522, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "input.type": "log",
 "log.level": "warning",
 "log.offset": 381,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
@@ -110,13 +146,21 @@
 "destination.ip": "10.123.123.123",
 "destination.port": 57621,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny udp src Inside:10.123.123.123/57621(LOCAL\\Elastic) dst Outside:10.123.123.123/57621 by access-group \"Inside_access_in\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
@@ -124,6 +168,10 @@
 "log.offset": 545,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
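Review bot: The `related.ip` array added in the first hunk lists `"10.123.123.123"` twice, and the same duplicate recurs in the 106023 records of the following hunks and in the 106017 record on the next line of this diff. related.ip is meant as a set of addresses for correlation, so each value should appear once no matter how many source/destination fields it came from; the duplicates show the pipeline appends unconditionally. Deduplicating in the pipeline (the append processor's `allow_duplicates: false`, where the targeted Elasticsearch version supports it, or a small script step) and regenerating this fixture would fix it at the source. It is harmless for term queries but inflates the field and makes the expected output assert a non-set shape that a later fix would have to churn again.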
@@ -139,18 +187,30 @@
 "destination.address": "10.123.123.123",
 "destination.ip": "10.123.123.123",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106017,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123",
 "event.outcome": "deny",
 "event.severity": 2,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "SNL-ASA-VPN-A01",
 "input.type": "log",
 "log.level": "critical",
 "log.offset": 734,
+ "related.ip": [
+ "10.123.123.123",
+ "10.123.123.123"
+ ],
 "service.type": "cisco",
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index 6d92b864cda..37b0b3de1b6 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -3,12 +3,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -26,12 +33,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11757 for outside:100.66.205.104/80 (100.66.205.104/80) to inside:172.31.98.44/1772 (172.31.98.44/1772)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -55,15 +69,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1758,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 67000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11749 for outside:100.66.211.242/80 to inside:172.31.98.44/1758 duration 0:01:07 bytes 38110 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:49.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -74,6 +96,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.211.242",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
@@ -93,15 +119,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1757,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 67000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11748 for outside:100.66.211.242/80 to inside:172.31.98.44/1757 duration 0:01:07 bytes 44010 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:49.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -112,6 +146,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.211.242",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
@@ -131,15 +169,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1755,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 67000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11745 for outside:100.66.185.90/80 to inside:172.31.98.44/1755 duration 0:01:07 bytes 7652 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:49.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -150,6 +196,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.185.90",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
@@ -169,15 +219,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1754,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 67000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11744 for outside:100.66.185.90/80 to inside:172.31.98.44/1754 duration 0:01:07 bytes 7062 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:49.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -188,6 +246,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.185.90",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.185.90",
 "source.ip": "100.66.185.90",
@@ -207,15 +269,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1752,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 68000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11742 for outside:100.66.160.197/80 to inside:172.31.98.44/1752 duration 0:01:08 bytes 5738 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:48.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -226,6 +296,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.160.197",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.160.197",
 "source.ip": "100.66.160.197",
@@ -245,15 +319,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1749,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 68000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11738 for outside:100.66.205.14/80 to inside:172.31.98.44/1749 duration 0:01:08 bytes 4176 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:48.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -264,6 +346,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.205.14",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.205.14",
 "source.ip": "100.66.205.14",
@@ -283,15 +369,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1750,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 68000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11739 for outside:100.66.124.33/80 to inside:172.31.98.44/1750 duration 0:01:08 bytes 1715 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:48.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -302,6 +396,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.124.33",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.124.33",
 "source.ip": "100.66.124.33",
@@ -321,15 +419,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1747,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 69000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11731 for outside:100.66.35.9/80 to inside:172.31.98.44/1747 duration 0:01:09 bytes 45595 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:47.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -340,6 +446,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.35.9",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.35.9",
 "source.ip": "100.66.35.9",
@@ -359,15 +469,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1742,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 69000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11723 for outside:100.66.211.242/80 to inside:172.31.98.44/1742 duration 0:01:09 bytes 27359 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:47.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -378,6 +496,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.211.242",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.211.242",
 "source.ip": "100.66.211.242",
@@ -397,15 +519,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1741,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 69000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11715 for outside:100.66.218.21/80 to inside:172.31.98.44/1741 duration 0:01:09 bytes 4457 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:47.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -416,6 +546,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.218.21",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.218.21",
 "source.ip": "100.66.218.21",
@@ -435,15 +569,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1739,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 69000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11711 for outside:100.66.198.27/80 to inside:172.31.98.44/1739 duration 0:01:09 bytes 26709 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:47.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -454,6 +596,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.27",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
@@ -473,15 +619,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1740,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 69000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11712 for outside:100.66.198.27/80 to inside:172.31.98.44/1740 duration 0:01:09 bytes 22097 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:47.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -492,6 +646,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.27",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.198.27",
 "source.ip": "100.66.198.27",
@@ -511,15 +669,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1738,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 70000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11708 for outside:100.66.202.211/80 to inside:172.31.98.44/1738 duration 0:01:10 bytes 2209 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:33:46.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -530,6 +696,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.202.211",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.202.211",
 "source.ip": "100.66.202.211",
@@ -549,15 +719,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1756, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 67000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11746 for outside:100.66.124.15/80 to inside:172.31.98.44/1756 duration 0:01:07 bytes 10404 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:49.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -568,6 +746,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.124.15", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.124.15", "source.ip": "100.66.124.15", @@ -587,15 +769,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1737, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 70000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11706 for outside:100.66.124.15/80 to inside:172.31.98.44/1737 duration 0:01:10 bytes 123694 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:46.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -606,6 +796,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.124.15", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.124.15", "source.ip": "100.66.124.15", 
@@ -625,15 +819,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1736, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 71000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11702 for outside:100.66.209.247/80 to inside:172.31.98.44/1736 duration 0:01:11 bytes 35835 TCP Reset-I", "event.severity": 6, "event.start": "2018-10-10T14:33:45.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -644,6 +846,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.209.247", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.209.247", "source.ip": "100.66.209.247", @@ -663,15 +869,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1765, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 30000000000, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11753 for outside:100.66.35.162/80 to inside:172.31.98.44/1765 duration 0:00:30 bytes 0 SYN Timeout", "event.severity": 6, "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -682,6 +896,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.35.162", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.35.162", "source.ip": "100.66.35.162", 
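Review bot: The teardown for connection 11753 in hunk `@@ -663,15 +869,23 @@` ends with `bytes 0 SYN Timeout`, meaning the TCP handshake never completed, yet it is categorized exactly like the completed `TCP Reset-I` teardowns above it (`"event.type": ["connection", "end"]`) and no `event.outcome` appears between `event.original` and `event.severity`, where this file's sorted key order would place it. A connection attempt that timed out at SYN is the signal that scan and beacon-to-dead-host detections key on, so consider emitting `"event.outcome": "failure"` when the teardown reason is `SYN Timeout`, or at least surfacing the teardown reason in a dedicated field if the pipeline does not already do so — the context lines shown here do not reveal whether it is captured. Since this is a generated expected-output fixture, the change belongs in the ingest pipeline that produces these documents and this file would then be regenerated.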
@@ -695,12 +913,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1188", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -718,12 +943,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11758 for outside:100.66.80.32/53 (100.66.80.32/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -747,15 +979,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11758 for outside:100.66.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
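Review bot: The `Built outbound UDP connection 11758` record (code 302015, hunk `@@ -718,12 +943,19 @@`) is typed `"event.type": ["info"]` while its matching `Teardown UDP connection 11758` record (code 302016, the next hunk) gets `["connection", "end"]`, so a query on `event.category:network and event.type:connection` only ever sees the end of a flow and never a flow that is still open. For the 302013/302015 "Built ... connection" messages the symmetric ECS value would be `"event.type": ["connection", "start"]`, leaving the 305011 NAT translation records as `info`. The same Built records also receive no `related.ip`: their context lines go straight from `cisco.ftd.message_id` to `event.action`, which, given the sorted key order used throughout this file, suggests no `source.*`/`destination.*` fields are extracted for them even though `event.original` carries both endpoints; if that is a pipeline limitation rather than intended, it deserves a follow-up because `related.ip` is the field an analyst will pivot on. This is a generated expected-output fixture, so the fix belongs in the ingest pipeline rather than in this file.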
@@ -766,6 +1006,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.80.32", "source.ip": "100.66.80.32", @@ -779,12 +1023,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11759 for outside:100.66.252.6/53 (100.66.252.6/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -808,15 +1059,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11759 for outside:100.66.252.6/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 164", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -827,6 +1086,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.252.6", "source.ip": "100.66.252.6", 
@@ -840,12 +1103,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1773 to outside:100.66.98.44/8257", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -863,12 +1133,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11760 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1773 (172.31.98.44/1773)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -886,12 +1163,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1774 to outside:100.66.98.44/8258", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -909,12 +1193,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11761 for outside:100.66.252.226/80 (100.66.252.226/80) to inside:172.31.98.44/1774 (172.31.98.44/1774)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -932,12 +1223,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11762 for outside:100.66.238.126/53 (100.66.238.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -955,12 +1253,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11763 for outside:100.66.93.51/53 (100.66.93.51/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -984,15 +1289,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11762 for outside:100.66.238.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 111", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1003,6 +1316,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.238.126", "source.ip": "100.66.238.126", @@ -1022,15 +1339,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11763 for outside:100.66.93.51/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 237", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1041,6 +1366,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.93.51", "source.ip": "100.66.93.51", 
@@ -1054,12 +1383,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1775 to outside:100.66.98.44/8259", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1077,12 +1413,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11764 for outside:100.66.225.103/443 (100.66.225.103/443) to inside:172.31.98.44/1775 (172.31.98.44/1775)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1100,12 +1443,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1189", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1123,12 +1473,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11772 for outside:100.66.240.126/53 (100.66.240.126/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1146,12 +1503,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11773 for outside:100.66.44.45/53 (100.66.44.45/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1175,15 +1539,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11772 for outside:100.66.240.126/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 87", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1194,6 +1566,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.240.126", "source.ip": "100.66.240.126", @@ -1213,15 +1589,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11773 for outside:100.66.44.45/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 221", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1232,6 +1616,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.44.45", "source.ip": "100.66.44.45", @@ -1245,12 +1633,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1452 to outside:100.66.98.44/8265", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1268,12 +1663,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11774 for outside:100.66.179.219/80 (100.66.179.219/80) to inside:172.31.98.44/1452 (172.31.98.44/1452)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1291,12 +1693,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11775 for outside:100.66.157.232/53 (100.66.157.232/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1314,12 +1723,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11776 for outside:100.66.178.133/53 (100.66.178.133/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1343,15 +1759,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11775 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 101", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1362,6 +1786,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.157.232", "source.ip": "100.66.157.232", @@ -1381,15 +1809,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11776 for outside:100.66.178.133/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 126", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1400,6 +1836,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.178.133", "source.ip": "100.66.178.133", 
@@ -1413,12 +1853,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1453 to outside:100.66.98.44/8266", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1436,12 +1883,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11777 for outside:100.66.133.112/80 (100.66.133.112/80) to inside:172.31.98.44/1453 (172.31.98.44/1453)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1465,15 +1919,23 @@ "destination.ip": "172.31.98.44", "destination.port": 1453, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302014: Teardown TCP connection 11777 for outside:100.66.133.112/80 to inside:172.31.98.44/1453 duration 0:00:00 bytes 862 TCP FINs", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1484,6 +1946,10 @@ "network.transport": "tcp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.133.112", "source.ip": "100.66.133.112", @@ -1497,12 +1963,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11779 for outside:100.66.204.197/53 (100.66.204.197/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1526,15 +1999,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11778 for outside:100.66.157.232/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1545,6 +2026,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.157.232", "source.ip": "100.66.157.232", 
@@ -1564,15 +2049,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11779 for outside:100.66.204.197/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 176", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1583,6 +2076,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.204.197", "source.ip": "100.66.204.197", @@ -1596,12 +2093,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1619,12 +2123,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11780 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1454 (172.31.98.44/1454)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1642,12 +2153,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1665,12 +2183,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11781 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1455 (172.31.98.44/1455)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1688,12 +2213,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1711,12 +2243,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302013: Built outbound TCP connection 11782 for outside:100.66.128.3/80 (100.66.128.3/80) to inside:172.31.98.44/1456 (172.31.98.44/1456)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1734,12 +2273,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302015: Built outbound UDP connection 11783 for outside:100.66.100.4/53 (100.66.100.4/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1763,15 +2309,23 @@ "destination.ip": "172.31.98.44", "destination.port": 56132, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-10-10T12:34:56.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302016: Teardown UDP connection 11783 for outside:100.66.100.4/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 104", "event.severity": 6, "event.start": "2018-10-10T14:34:56.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -1782,6 +2336,10 @@ "network.transport": "udp", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", "source.address": "100.66.100.4", "source.ip": "100.66.100.4", @@ -1795,12 +2353,19 @@ "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", 
@@ -1818,12 +2383,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11784 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1457 (172.31.98.44/1457)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1841,12 +2413,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1864,12 +2443,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11785 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1458 (172.31.98.44/1458)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1887,12 +2473,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302015",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302015,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302015: Built outbound UDP connection 11786 for outside:100.66.1.107/53 (100.66.1.107/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1916,15 +2509,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 1457,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11784 for outside:100.66.198.40/80 to inside:172.31.98.44/1457 duration 0:00:00 bytes 593 TCP FINs",
 "event.severity": 6,
 "event.start": "2018-10-10T14:34:56.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1935,6 +2536,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.40",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.198.40",
 "source.ip": "100.66.198.40",
@@ -1948,12 +2553,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -1971,12 +2583,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11787 for outside:100.66.198.40/80 (100.66.198.40/80) to inside:172.31.98.44/1459 (172.31.98.44/1459)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2000,15 +2619,23 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 56132,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302016,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302016: Teardown UDP connection 11786 for outside:100.66.1.107/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 375",
 "event.severity": 6,
 "event.start": "2018-10-10T14:34:56.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2019,6 +2646,10 @@
 "network.transport": "udp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.1.107",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.1.107",
 "source.ip": "100.66.1.107",
@@ -2032,12 +2663,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2055,12 +2693,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11788 for outside:100.66.192.44/80 (100.66.192.44/80) to inside:172.31.98.44/1460 (172.31.98.44/1460)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2078,12 +2723,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2101,12 +2753,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1385 to outside:100.66.98.44/8277",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2124,12 +2783,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11797 for outside:100.66.19.254/80 (100.66.19.254/80) to inside:172.31.156.80/1385 (172.31.156.80/1385)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2147,12 +2813,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2170,12 +2843,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2193,12 +2873,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2216,12 +2903,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2239,12 +2933,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2262,12 +2963,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305012",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305012,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2291,15 +2999,23 @@
 "destination.ip": "172.31.156.80",
 "destination.port": 1382,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 325000000000,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11564 for outside:100.66.115.46/80 to inside:172.31.156.80/1382 duration 0:05:25 bytes 575 TCP FINs",
 "event.severity": 6,
 "event.start": "2018-10-10T14:29:31.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2310,6 +3026,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.115.46",
+ "172.31.156.80"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.115.46",
 "source.ip": "100.66.115.46",
@@ -2329,15 +3049,23 @@
 "destination.ip": "172.31.156.80",
 "destination.port": 1385,
 "event.action": "flow-expiration",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302014,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2018-10-10T12:34:56.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 11797 for outside:100.66.19.254/80 to inside:172.31.156.80/1385 duration 0:00:00 bytes 5391 TCP Reset-I",
 "event.severity": 6,
 "event.start": "2018-10-10T14:34:56.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2348,6 +3076,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.156.80"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2361,12 +3093,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.156.80/1386 to outside:100.66.98.44/8278",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2384,12 +3123,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11798 for outside:100.66.115.46/80 (100.66.115.46/80) to inside:172.31.156.80/1386 (172.31.156.80/1386)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2413,13 +3159,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2429,6 +3183,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2448,13 +3206,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2464,6 +3230,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2483,13 +3253,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2499,6 +3277,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2518,13 +3300,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2534,6 +3324,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2553,13 +3347,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2569,6 +3371,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2588,13 +3394,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2604,6 +3418,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2623,13 +3441,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2639,6 +3465,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2658,13 +3488,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2674,6 +3512,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2693,13 +3535,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2709,6 +3559,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2728,13 +3582,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2744,6 +3606,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2763,13 +3629,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2779,6 +3653,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2798,13 +3676,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2814,6 +3700,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2833,13 +3723,21 @@
 "destination.ip": "172.31.98.44",
 "destination.port": 8277,
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 106023,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-106023: Deny tcp src outside:100.66.19.254/80 dst inside:172.31.98.44/8277 by access-group \"inbound\" [0x0, 0x0]",
 "event.outcome": "deny",
 "event.severity": 4,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2849,6 +3747,10 @@
 "network.transport": "tcp",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.19.254",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
 "source.address": "100.66.19.254",
 "source.ip": "100.66.19.254",
@@ -2862,12 +3764,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1275 to outside:100.66.98.44/8279",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2885,12 +3794,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302013",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302013,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302013: Built outbound TCP connection 11799 for outside:100.66.205.99/80 (100.66.205.99/80) to inside:172.31.98.44/1275 (172.31.98.44/1275)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2908,12 +3824,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "305011",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 305011,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305011: Built dynamic UDP translation from inside:172.31.98.44/56132 to outside:100.66.98.44/1190",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -2931,12 +3854,19 @@
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.ftd.message_id": "302015",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 302015,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302015: Built outbound UDP connection 11800 for outside:100.66.14.30/53 (100.66.14.30/53) to inside:172.31.98.44/56132 (172.31.98.44/56132)",
 "event.severity": 6,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "localhost",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
index 66cd5472c56..b18307a7571 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json
@@ -48,16 +48,25 @@
 "dns.question.type": "A",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57379, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 145, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: a host address, DNS_TTL: 70",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -67,6 +76,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
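Review bot: The `related.user` array added in the second hunk carries `"No Authentication Required"`, which in these 430003 messages is the placeholder the `User:` field holds when no identity was resolved (see `event.original` in the first hunk), not a user name; expecting it here bakes that placeholder into `related.user` for every unauthenticated flow, so a pivot on that field across datasets matches a user that does not exist. The pipeline that emits it is outside this diff, but it should leave `related.user` unset when the parsed `User` value is that placeholder, and this fixture, together with the matching hunks at new-side lines 175, 272, 371 and 469, would then drop the `related.user` key. Whether `user.name` is populated from the same value cannot be seen in this hunk.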
@@ -131,16 +147,25 @@
 "dns.question.type": "AAAA",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 51389, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -150,6 +175,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -212,16 +244,25 @@
 "dns.question.type": "CNAME",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -231,6 +272,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -295,16 +343,25 @@
 "dns.question.type": "A",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55371, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 97, ResponderBytes: 200, NAPPolicy: Balanced Security and Connectivity, DNSQuery: www.elastic.co, DNSRecordType: a host address, DNS_TTL: 12",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -314,6 +371,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 97,
@@ -377,16 +441,25 @@
 "dns.question.type": "AAAA",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 60441, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 193, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: IP6 Address, DNS_TTL: 299, DNSResponseType: No error",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -396,6 +469,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -458,16 +538,25 @@
 "dns.question.type": "CNAME",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 59714, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 658",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -477,6 +566,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -542,16 +638,25 @@
 "dns.question.type": "MX",
 "dns.response_code": "NXDOMAIN",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Non-Existent Domain, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -561,6 +666,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -623,16 +735,25 @@
 "dns.question.type": "NS",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -642,6 +763,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -705,16 +833,25 @@
 "dns.question.type": "SOA",
 "dns.response_code": "SERVFAIL",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSResponseType: Server Failure, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -724,6 +861,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -788,16 +932,25 @@
 "dns.question.type": "TXT",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -807,6 +960,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -872,16 +1032,25 @@
 "dns.question.type": "A",
 "dns.response_code": "REFUSED",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 205.251.196.144, SrcPort: 33973, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 75, NAPPolicy: Balanced Security and Connectivity, DNSQuery: refusedthis.com, DNSRecordType: a host address, DNSResponseType: Query Refused",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -891,6 +1060,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "205.251.196.144"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 98,
@@ -949,16 +1125,25 @@
 "destination.port": 53,
 "dns.response_code": "SERVFAIL",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 39541, DstPort: 53, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 457, ResponderBytes: 313, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: Server Failure",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -968,6 +1153,13 @@
 "network.iana_number": 6,
 "network.protocol": "dns",
 "network.transport": "tcp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 457,
@@ -1031,16 +1223,25 @@
 "dns.question.type": "A",
 "dns.response_code": "NXDOMAIN",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 41672, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 107, ResponderBytes: 180, NAPPolicy: Balanced Security and Connectivity, DNSQuery: laskdfjlaksdf.elastic.co, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 900",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1050,6 +1251,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "9.9.9.9"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 107,
@@ -1112,16 +1320,25 @@
 "dns.question.type": "A",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 59577, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 104, ResponderBytes: 108, NAPPolicy: Balanced Security and Connectivity, DNSQuery: ns-1168.awsdns-18.org, DNSRecordType: a host address, DNS_TTL: 31694",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1131,6 +1348,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "9.9.9.9"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 104,
@@ -1194,16 +1418,25 @@
 "dns.question.type": "SRV",
 "dns.response_code": "NXDOMAIN",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 9.9.9.9, SrcPort: 35998, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 101, ResponderBytes: 162, NAPPolicy: Balanced Security and Connectivity, DNSQuery: _http._tcp.security.ubuntu.com, DNSRecordType: Server Selection, DNSResponseType: Non-Existent Domain, DNS_TTL: 946",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1213,6 +1446,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "9.9.9.9"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 101,
@@ -1277,16 +1517,25 @@
 "dns.question.type": "MX",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 55105, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 199, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: mail exchange, DNS_TTL: 299",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1296,6 +1545,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -1358,16 +1614,25 @@
 "dns.question.type": "SOA",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 47260, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: marks the start of a zone of authority, DNS_TTL: 899",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1377,6 +1642,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -1439,16 +1711,25 @@
 "dns.question.type": "CNAME",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 53033, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 166, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: the canonical name for an alias, DNS_TTL: 899",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1458,6 +1739,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -1520,16 +1808,25 @@
 "dns.question.type": "NS",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 57141, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 221, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: an authoritative name server, DNS_TTL: 21599",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1539,6 +1836,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -1599,16 +1903,25 @@
 "dns.question.type": "PTR",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 46093, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 131, NAPPolicy: Balanced Security and Connectivity, DNSRecordType: a domain name pointer, DNS_TTL: 59",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1618,6 +1931,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
@@ -1682,16 +2002,25 @@
 "dns.question.type": "TXT",
 "dns.response_code": "NOERROR",
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 0,
 "event.end": "2019-08-26T21:11:03.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Monitor, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 58082, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 93, ResponderBytes: 722, NAPPolicy: Balanced Security and Connectivity, DNSQuery: elastic.co, DNSRecordType: text strings, DNS_TTL: 299",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.start": "2019-08-26T23:11:03.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "siem-ftd",
 "input.type": "log",
@@ -1701,6 +2030,13 @@
 "network.iana_number": 17,
 "network.protocol": "dns",
 "network.transport": "udp",
+ "related.ip": [
+ "10.0.1.20",
+ "8.8.8.8"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.1.20",
 "source.bytes": 93,
diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json
index 1bb063843cb..4397eb76e17 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json
@@ -3,12 +3,19 @@
 "@timestamp": "2019-01-01T01:00:27.000-02:00",
 "cisco.ftd.message_id": "999999",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 999999,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-7-999999: This message is not filtered.",
 "event.severity": 7,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "beats",
 "input.type": "log",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
index c5b8b35aa11..ba0bb71f417 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json
@@ -33,12 +33,19 @@
 "destination.ip": "10.0.100.30",
 "destination.port": 80,
 "event.action": "intrusion-detected",
+ "event.category": [
+ "intrusion_detection"
+ ],
 "event.code": 430001,
 "event.dataset": "cisco.ftd",
+ "event.kind": "alert",
 "event.module": "cisco",
 "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "event.severity": 0,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
 "input.type": "log",
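Review bot: The filtered.log hunk (`@@ -3,12 +3,19 @@`) assigns `"event.category": ["network"]` and `"event.type": ["info"]` to message id 999999, whose `event.original` is `%FTD-7-999999: This message is not filtered.`, i.e. a message the module does not recognise. If that categorisation comes from a default branch in the pipeline rather than from a mapping for 999999 (the pipeline is not in this diff, so this is inferred), every unknown FTD message will be classified as network activity, which could silently route unrelated messages into network-category dashboards and rules; setting only `event.kind` for unmapped ids and leaving `event.category`/`event.type` unset would be the safer default. The intrusion.log hunk on the same line (`@@ -33,12 +33,19 @@`) looks consistent with ECS for an IDS alert (`event.kind: "alert"`, `event.category: ["intrusion_detection"]`).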
@@ -49,6 +56,13 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "10.0.1.20",
+ "10.0.100.30"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.id": "1",
 "service.type": "cisco",
 "source.address": "10.0.1.20",
@@ -95,12 +109,19 @@
 "destination.ip": "10.0.100.30",
 "destination.port": 80,
 "event.action": "intrusion-detected",
+ "event.category": [
+ "intrusion_detection"
+ ],
 "event.code": 430001,
 "event.dataset": "cisco.ftd",
+ "event.kind": "alert",
 "event.module": "cisco",
 "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "event.severity": 0,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
 "input.type": "log",
@@ -111,6 +132,13 @@
 "network.iana_number": 6,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.ip": [
+ "10.0.1.20",
+ "10.0.100.30"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.id": "1",
 "service.type": "cisco",
 "source.address": "10.0.1.20",
@@ -155,12 +183,19 @@
 "destination.ip": "10.0.1.20",
 "destination.port": 39114,
 "event.action": "intrusion-detected",
+ "event.category": [
+ "intrusion_detection"
+ ],
 "event.code": 430001,
 "event.dataset": "cisco.ftd",
+ "event.kind": "alert",
 "event.module": "cisco",
 "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
 "event.severity": 0,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
 "input.type": "log",
@@ -169,6 +204,13 @@
 "message": "APP-DETECT failed FTP login attempt",
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "related.ip": [
+ "10.0.100.30",
+ "10.0.1.20"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.id": "1",
 "service.type": "cisco",
 "source.address": "10.0.100.30",
@@ -213,12 +255,19 @@ "destination.ip": "10.0.1.20", "destination.port": 40740, "event.action": "intrusion-detected", + "event.category": [ + "intrusion_detection" + ], "event.code": 430001, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity", "event.severity": 0, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -227,6 +276,13 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.100.30", + "10.0.1.20" + ], + "related.user": [ + "No Authentication Required" + ], "service.id": "1", "service.type": "cisco", "source.address": "10.0.100.30", diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 6d31cf04199..2b46be5b166 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json 
@@ -10,12 +10,19 @@ "destination.address": "10.8.12.47", "destination.ip": "10.8.12.47", "event.action": "intrusion-detected", + "event.category": [ + "intrusion_detection" + ], "event.code": 430001, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "ApplicationProtocol: http, Client: webserver, DstIP: 10.8.12.47, SrcIP: 10.1.123.45, Message: Intrusion attempt", "event.severity": 7, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "beats", "input.type": "log", @@ -26,6 +33,10 @@ "network.protocol": "http", "process.name": "ftd", "process.pid": 1234, + "related.ip": [ + "10.1.123.45", + "10.8.12.47" + ], "service.type": "cisco", "source.address": "10.1.123.45", "source.ip": "10.1.123.45", @@ -40,12 +51,19 @@ "cisco.ftd.security.http_response": "404", "cisco.ftd.security.message": "Some message here (1:36330:2).", "event.action": "intrusion-detected", + "event.category": [ + "intrusion_detection" + ], "event.code": 430001, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "HTTPResponse: 404, Message: Some message here (1:36330:2).", "event.severity": 7, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "beats", "http.response.status_code": "404", @@ -67,12 +85,20 @@ "cisco.ftd.security.http_response": "404", "cisco.ftd.security.message": "Some message here (1:36330:2)", "event.action": "connection-started", + "event.category": [ + "network" + ], "event.code": 430002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "HTTPResponse: 404, Message: Some message here (1:36330:2), Empty: ,FileCount:, IngressZone:", "event.severity": 7, "event.timezone": "-02:00", + "event.type": [ + "connection", + "start" + ], "fileset.name": "ftd", "host.hostname": "beats", "http.response.status_code": "404", 
@@ -104,12 +130,19 @@ "destination.ip": "192.168.3.33", "destination.port": 64311, "event.action": "malware-detected", + "event.category": [ + "malware" + ], "event.code": 430005, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%ASA-3-430005 Message: This one has a type id, HTTPResponse: 404, Message: And two messages, SrcIP: 127.0.0.1, DstIP: 192.168.3.33, SrcPort: 512, DstPort: 64311", "event.severity": 3, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "beats", "http.response.status_code": "404", @@ -122,6 +155,10 @@ ], "process.name": "ftd", "process.pid": 1234, + "related.ip": [ + "127.0.0.1", + "192.168.3.33" + ], "service.type": "cisco", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 13b6f867d86..36a494d8f89 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json 
@@ -9,19 +9,30 @@ "destination.ip": "203.0.113.42", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-5-106100: access-list AL-DMZ-LB-IN denied tcp LB-DMZ/WHAT-IS-THIS-A-HOSTNAME-192.0.2.244(27218) -> OUTSIDE/203.0.113.42(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "203.0.113.42" + ], "service.type": "cisco", "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", @@ -39,12 +50,20 @@ "destination.address": "172.24.177.29", "destination.ip": "172.24.177.29", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr mydomain.example.net/17233 laddr 192.168.132.46/17233", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -52,6 +71,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "192.168.132.46", + "172.24.177.29" + ], "service.type": "cisco", "source.address": "192.168.132.46", "source.ip": "192.168.132.46", 
@@ -78,13 +101,21 @@ "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 338204, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", @@ -92,6 +123,10 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.10.10.1", + "172.24.177.3" + ], "server.domain": "example.org", "service.type": "cisco", "source.address": "10.10.10.1", diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 8dc33e7527d..05fc4af2cbc 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json 
@@ -9,19 +9,31 @@ "destination.ip": "192.0.0.8", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.30", + "192.0.0.8" + ], "service.type": "cisco", "source.address": "10.1.2.30", "source.ip": "10.1.2.30", @@ -41,19 +53,31 @@ "destination.ip": "192.0.0.8", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src dmz:10.1.2.30/63016 dst outside:192.0.0.8/53 type 3, code 0, by access-group \"acl_dmz\" [0xe3aab522, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.30", + "192.0.0.8" + ], "service.type": "cisco", "source.address": "10.1.2.30", "source.ip": "10.1.2.30", 
@@ -74,19 +98,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.2.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.1.2.16", "source.ip": "10.1.2.16", @@ -106,13 +142,21 @@ "destination.ip": "192.0.2.10", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106100: access-list inside denied udp inside/172.29.2.101(1039) -> outside/192.0.2.10(53) hit-cnt 1 first hit [0xd820e56a, 0x0]", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "INT-FW01", "input.type": "log", @@ -120,6 +164,10 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "172.29.2.101", + "192.0.2.10" + ], "service.type": "cisco", "source.address": "172.29.2.101", "source.ip": "172.29.2.101", 
@@ -139,13 +187,21 @@ "destination.ip": "192.0.2.57", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106100: access-list inside permitted udp inside/172.29.2.3(1065) -> outside/192.0.2.57(53) hit-cnt 144 300-second interval [0xe982c7a4, 0x0]", "event.outcome": "allow", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "INT-FW01", "input.type": "log", @@ -153,6 +209,10 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "172.29.2.3", + "192.0.2.57" + ], "service.type": "cisco", "source.address": "172.29.2.3", "source.ip": "172.29.2.3", @@ -166,12 +226,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4952 to outside:192.0.2.130/12834", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", 
@@ -186,12 +253,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 89743274 for outside:192.0.2.43/443 (192.0.2.43/443) to outside:10.123.3.42/4952 (10.123.3.42.130/12834)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -206,12 +280,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-305011: Built dynamic UDP translation from outside:10.123.1.35/52925 to outside:192.0.2.130/25882", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -226,12 +307,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302015: Built outbound UDP connection 89743275 for outside:192.0.2.222/53 (192.0.2.43/53) to outside:10.123.1.35/52925 (10.123.1.35/25882)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", 
@@ -246,12 +334,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-305011: Built dynamic TCP translation from outside:10.123.3.42/4953 to outside:192.0.2.130/45392", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -266,12 +361,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 89743276 for outside:192.0.2.1/80 (192.0.2.1/80) to outside:10.123.3.42/4953 (10.123.3.130/45392)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -292,15 +394,23 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 5025000000000, "event.end": "2013-04-29T12:59:50.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302016: Teardown UDP connection 89743275 for outside:192.0.2.222/53 to inside:10.123.1.35/52925 duration 1:23:45 bytes 140", "event.severity": 6, "event.start": "2013-04-29T13:36:05.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", 
@@ -308,6 +418,10 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -329,15 +443,23 @@ "destination.ip": "10.123.1.35", "destination.port": 52925, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 36000000000000, "event.end": "2013-04-29T12:59:50.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302016: Teardown UDP connection 666 for outside:192.0.2.222/53 user1 to inside:10.123.1.35/52925 user2 duration 10:00:00 bytes 9999999", "event.severity": 6, "event.start": "2013-04-29T04:59:50.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -345,6 +467,10 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -361,12 +487,20 @@ "destination.address": "172.24.177.29", "destination.ip": "172.24.177.29", "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302021, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302021: Teardown ICMP connection for faddr 172.24.177.29/0 gaddr 192.168.132.46/17233 laddr 192.168.132.46/17233", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "FJSG2NRFW01", "input.type": "log", 
@@ -374,6 +508,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "192.168.132.46", + "172.24.177.29" + ], "service.type": "cisco", "source.address": "192.168.132.46", "source.ip": "192.168.132.46", @@ -386,12 +524,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "305011", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 305011, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-305011: Built dynamic TCP translation from inside:192.168.3.42/4954 to outside:192.0.0.130/10879", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -406,12 +551,19 @@ "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 89743277 for outside:192.0.0.17/80 (192.0.0.17/80) to inside:192.168.3.42/4954 (10.0.0.130/10879)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -429,13 +581,21 @@ "destination.ip": "10.1.2.60", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106007, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.0.66/12981 to 10.1.2.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "critical", 
@@ -444,6 +604,10 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "192.0.0.66", + "10.1.2.60" + ], "service.type": "cisco", "source.address": "192.0.0.66", "source.ip": "192.0.0.66", @@ -463,19 +627,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2006) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -495,19 +671,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49734) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -527,19 +715,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49735) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -559,19 +759,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49736) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -591,19 +803,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49737) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -623,19 +847,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49738) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -655,19 +891,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49746) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", @@ -687,19 +935,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2007) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -719,19 +979,31 @@ "destination.ip": "192.168.33.31", "destination.port": 25, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.13(43013) -> dmz/192.168.33.31(25) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.13", + "192.168.33.31" + ], "service.type": "cisco", "source.address": "10.0.0.13", "source.ip": "10.0.0.13", @@ -751,19 +1023,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2008) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -781,13 +1065,21 @@ "destination.ip": "10.1.2.42", "destination.port": 137, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106006, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106006: Deny inbound UDP from 192.0.2.66/137 to 10.1.2.42/137 on interface inside", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "critical", @@ -795,6 +1087,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.0.2.66", + "10.1.2.42" + ], "service.type": "cisco", "source.address": "192.0.2.66", "source.ip": "192.0.2.66", @@ -811,13 +1107,21 @@ "destination.ip": "10.1.5.60", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106007, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106007: Deny inbound UDP from 192.0.2.66/12981 to 10.1.5.60/53 due to DNS Query", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "critical", @@ -826,6 +1130,10 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "192.0.2.66", + "10.1.5.60" + ], "service.type": "cisco", "source.address": "192.0.2.66", "source.ip": "192.0.2.66", 
@@ -845,19 +1153,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2009) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -877,19 +1197,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.46(49776) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -909,19 +1241,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2010) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -941,19 +1285,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2011) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -973,19 +1329,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in denied tcp inside/10.0.0.16(2012) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "deny", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -1005,19 +1373,31 @@ "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.126", + "10.0.0.132" + ], "service.type": "cisco", "source.address": "192.0.2.126", "source.ip": "192.0.2.126", 
@@ -1037,19 +1417,31 @@ "destination.ip": "10.0.0.132", "destination.port": 8111, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.126/53638 dst inside:10.0.0.132/8111 by access-group \"acl_out\" [0x71761f18, 0x0]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.126", + "10.0.0.132" + ], "service.type": "cisco", "source.address": "192.0.2.126", "source.ip": "192.0.2.126", @@ -1069,19 +1461,31 @@ "destination.ip": "192.0.0.88", "destination.port": 40443, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.46(49840) -> outside/192.0.0.88(40443) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.46", + "192.0.0.88" + ], "service.type": "cisco", "source.address": "10.0.0.46", "source.ip": "10.0.0.46", 
@@ -1101,19 +1505,31 @@ "destination.ip": "192.0.0.89", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.89" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", @@ -1134,19 +1550,31 @@ "destination.ip": "192.0.0.99", "destination.port": 2000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106100, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.0.16", + "192.0.0.99" + ], "service.type": "cisco", "source.address": "10.0.0.16", "source.ip": "10.0.0.16", 
@@ -1160,12 +1588,19 @@ "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1181,12 +1616,19 @@ "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.ftd.message_id": "302015", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1208,13 +1650,21 @@ "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", 
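Review bot: The 302015 "Built outbound UDP connection" events in the first two hunks here (and the 302013 "Built outbound TCP connection" hunks on the next lines, starting with the last hunk of the following line) are typed as `"event.type": [ "info" ]`, while the matching 302014/302016 teardown events in this same fixture get `[ "connection", "end" ]`. A connection setup is the start of the very flow whose teardown is typed connection/end, so `"event.type": [ "connection", "start" ]` would be the consistent value and would let a single event.type query find both ends of a flow. No related.ip hunk accompanies these "Built" events, which suggests the pipeline does not extract source/destination addresses for them either; worth confirming. The typing is decided in the ingest pipeline outside this diff, so the fixture would be regenerated after that change.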
@@ -1222,6 +1672,10 @@ "log.offset": 6332, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.168.1.33", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.33", "source.ip": "192.168.1.33", @@ -1241,13 +1695,21 @@ "destination.ip": "192.0.0.12", "destination.port": 53, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group \"dmz\" [0x123a465e, 0x4c7bf613]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1255,6 +1717,10 @@ "log.offset": 6487, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.168.1.33", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.33", "source.ip": "192.168.1.33", @@ -1268,12 +1734,19 @@ "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", 
@@ -1289,12 +1762,19 @@ "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1316,15 +1796,23 @@ "destination.ip": "192.168.1.34", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2018-12-11T08:01:31.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302014: Teardown TCP connection 447236 for outside:192.0.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:01:31.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1333,6 +1821,10 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1352,15 +1844,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:00:30.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1369,6 +1869,10 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "192.168.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -1388,15 +1892,23 @@ "destination.ip": "192.168.1.35", "destination.port": 5678, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 68000000000, "event.end": "2018-12-11T08:01:38.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302014: Teardown TCP connection 447234 for outside:192.0.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", "event.severity": 6, "event.start": "2018-12-11T10:00:30.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1405,6 +1917,10 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "192.168.1.35" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1422,13 +1938,21 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1436,6 +1960,10 @@ "log.offset": 7504, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", @@ -1453,13 +1981,21 @@ "destination.ip": "192.168.1.34", "destination.port": 5679, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106015, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", "event.outcome": "deny", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1467,6 +2003,10 @@ "log.offset": 7651, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1486,13 +2026,21 @@ "destination.ip": "192.0.0.12", "destination.port": 5000, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.0.0.12/5000 by access-group \"dmz\" [0x123a465e, 0x8c20f21]", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1500,6 +2048,10 @@ "log.offset": 7798, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "192.168.1.34", + "192.0.0.12" + ], "service.type": "cisco", "source.address": "192.168.1.34", "source.ip": "192.168.1.34", @@ -1513,12 +2065,19 @@ "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", 
@@ -1534,12 +2093,19 @@ "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.ftd.message_id": "302013", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 302013, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302013: Built outbound TCP connection 447237 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:192.168.1.34/65000 (192.168.1.34/65000)", "event.severity": 6, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1561,15 +2127,23 @@ "destination.ip": "10.10.10.10", "destination.port": 1235, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302014, "event.dataset": "cisco.ftd", "event.duration": 86399000000000, "event.end": "2018-12-11T08:01:53.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302014: Teardown TCP connection 447237 for outside:192.0.2.222/1234 to dmz:10.10.10.10/1235 duration 23:59:59 bytes 11420 TCP FINs", "event.severity": 6, "event.start": "2018-12-10T10:01:54.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", @@ -1578,6 +2152,10 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.222", + "10.10.10.10" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", 
@@ -1597,15 +2175,23 @@ "destination.ip": "10.44.2.2", "destination.port": 500, "event.action": "flow-expiration", + "event.category": [ + "network" + ], "event.code": 302016, "event.dataset": "cisco.ftd", "event.duration": 122000000000, "event.end": "2012-08-15T23:30:09.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-302016: Teardown UDP connection 40 for outside:10.44.4.4/500 to inside:10.44.2.2/500 duration 0:02:02 bytes 1416", "event.severity": 6, "event.start": "2012-08-16T01:28:07.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "informational", @@ -1613,6 +2199,10 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "related.ip": [ + "10.44.4.4", + "10.44.2.2" + ], "service.type": "cisco", "source.address": "10.44.4.4", "source.ip": "10.44.4.4", @@ -1629,18 +2219,30 @@ "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 8624, + "related.ip": [ + "0.0.0.0", + "192.88.99.47" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", 
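Review bot: In the last hunk here, and in every hunk on the next four lines, `related.ip` for the 106016 "Deny IP spoof" events contains `"0.0.0.0"`, copied from the source address. The unspecified address is not a host an analyst can pivot on, so it only adds noise to a field whose purpose is cross-event correlation; the expected value here would be `"related.ip": [ "192.88.99.47" ]`. The pipeline that builds related.ip is outside this diff, but it could skip the unspecified address (and presumably any other non-routable placeholder the device emits) while still keeping source.ip as parsed, so the spoof detail is not lost.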
@@ -1656,18 +2258,30 @@ "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 8745, + "related.ip": [ + "0.0.0.0", + "192.88.99.57" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", @@ -1683,18 +2297,30 @@ "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 8866, + "related.ip": [ + "0.0.0.0", + "192.88.99.47" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", 
@@ -1710,18 +2336,30 @@ "destination.address": "192.88.99.47", "destination.ip": "192.88.99.47", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.47 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 8987, + "related.ip": [ + "0.0.0.0", + "192.88.99.47" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", @@ -1737,18 +2375,30 @@ "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 9108, + "related.ip": [ + "0.0.0.0", + "192.88.99.57" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", 
@@ -1764,18 +2414,30 @@ "destination.address": "192.88.99.57", "destination.ip": "192.88.99.57", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.88.99.57 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 9229, + "related.ip": [ + "0.0.0.0", + "192.88.99.57" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", @@ -1791,18 +2453,30 @@ "destination.address": "192.168.1.255", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 9350, + "related.ip": [ + "0.0.0.0", + "192.168.1.255" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", 
@@ -1818,18 +2492,30 @@ "destination.address": "192.168.1.255", "destination.ip": "192.168.1.255", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106016, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface Mobile_Traffic", "event.outcome": "deny", "event.severity": 2, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", "log.offset": 9472, + "related.ip": [ + "0.0.0.0", + "192.168.1.255" + ], "service.type": "cisco", "source.address": "0.0.0.0", "source.ip": "0.0.0.0", @@ -1848,13 +2534,21 @@ "destination.ip": "10.32.112.125", "destination.port": 25, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 106023, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-106023: Deny tcp src outside:192.0.2.95/24069 dst inside:10.32.112.125/25 by access-group \"PERMIT_IN\" [0x0, 0x0]\"", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", @@ -1862,6 +2556,10 @@ "log.offset": 9594, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "192.0.2.95", + "10.32.112.125" + ], "service.type": "cisco", "source.address": "192.0.2.95", "source.ip": "192.0.2.95", 
@@ -1878,13 +2576,21 @@ "cisco.ftd.message_id": "313001", "cisco.ftd.source_interface": "Outside", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 313001, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-3-313001: Denied ICMP type=3, code=3 from 10.2.3.5 on interface Outside", "event.outcome": "deny", "event.severity": 3, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "host.hostname": "GIFRCHN01", "input.type": "log", @@ -1892,6 +2598,9 @@ "log.offset": 9748, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "10.2.3.5" + ], "service.type": "cisco", "source.address": "10.2.3.5", "source.ip": "10.2.3.5", @@ -1908,19 +2617,31 @@ "destination.address": "172.16.1.10", "destination.ip": "172.16.1.10", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 313004, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-313004: Denied ICMP type=0, from laddr 172.16.30.2 on interface inside to 172.16.1.10: no matching session", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 9858, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "172.16.30.2", + "172.16.1.10" + ], "service.type": "cisco", "source.address": "172.16.30.2", "source.ip": "172.16.30.2", 
@@ -1944,19 +2665,31 @@ "destination.ip": "192.88.99.129", "destination.port": 80, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 338002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (192.88.99.1/7890) to outside:192.88.99.129/80 (192.88.99.129/80), destination 192.88.99.129 resolved from dynamic list: bad.example.com", "event.outcome": "allow", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 9994, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.1.45", + "192.88.99.129" + ], "server.domain": "bad.example.com", "service.type": "cisco", "source.address": "10.1.1.45", @@ -1987,19 +2720,30 @@ "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 338004, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.225/80), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "event.outcome": "monitored", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 10245, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.1.1", + "192.0.2.223" + ], "service.type": "cisco", "source.address": "10.1.1.1", "source.ip": "10.1.1.1", 
@@ -2029,19 +2773,31 @@ "destination.nat.port": "8080", "destination.port": 80, "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 338008, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.1/33340 (10.2.1.1/33340) to outsidet:192.0.2.223/80 (192.0.2.223/8080), destination 192.0.2.223 resolved from dynamic list: 192.0.2.223/255.255.255.255, threat-level: very-high, category: Malware", "event.outcome": "deny", "event.severity": 4, "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "warning", "log.offset": 10544, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.1.1.1", + "192.0.2.223" + ], "service.type": "cisco", "source.address": "10.1.1.1", "source.ip": "10.1.1.1", @@ -2059,17 +2815,29 @@ "destination.address": "192.0.2.1", "destination.ip": "192.0.2.1", "event.action": "firewall-rule", + "event.category": [ + "network" + ], "event.code": 304001, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app", "event.outcome": "allow", "event.severity": 5, "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], "fileset.name": "ftd", "input.type": "log", "log.level": "notification", "log.offset": 10843, + "related.ip": [ + "10.30.30.30", + "192.0.2.1" + ], "service.type": "cisco", "source.address": "10.30.30.30", "source.ip": "10.30.30.30", 
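Review bot: The 304001 "Accessed URL" event in the second hunk here, and the 304001/304002 events in both hunks on the next line, are categorised only as `"event.category": [ "network" ]`, although the messages describe URL-level web access and denial rather than a layer-3/4 decision. ECS 1.5 lists `web` among the event.category values, so `"event.category": [ "network", "web" ]` would keep existing network queries working while letting web-traffic views pick these events up. The mapping comes from the ingest pipeline, which is outside this diff.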
@@ -2085,17 +2853,29 @@
 "destination.address": "192.0.2.32",
 "destination.ip": "192.0.2.32",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 304001,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com",
 "event.outcome": "allow",
 "event.severity": 5,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 10920,
+ "related.ip": [
+ "10.5.111.32",
+ "192.0.2.32"
+ ],
 "service.type": "cisco",
 "source.address": "10.5.111.32",
 "source.ip": "10.5.111.32",
@@ -2112,17 +2892,29 @@
 "destination.address": "192.0.0.19",
 "destination.ip": "192.0.0.19",
 "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
 "event.code": 304002,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside",
 "event.outcome": "deny",
 "event.severity": 5,
 "event.timezone": "-02:00",
+ "event.type": [
+ "info",
+ "denied"
+ ],
 "fileset.name": "ftd",
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 11012,
+ "related.ip": [
+ "10.69.6.39",
+ "192.0.0.19"
+ ],
 "service.type": "cisco",
 "source.address": "10.69.6.39",
 "source.ip": "10.69.6.39",
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
index 0ca5801a669..51da7aa889f 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json
@@ -34,13 +34,22 @@
 "destination.ip": "10.0.1.20",
 "destination.packets": 0,
 "event.action": "connection-started",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430002,
 "event.dataset": "cisco.ftd",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 98, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity",
 "event.outcome": "allow",
 "event.severity": 1,
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "start",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "firepower",
 "input.type": "log",
@@ -50,6 +59,13 @@
 "network.iana_number": 1,
 "network.protocol": "icmp",
 "network.transport": "icmp",
+ "related.ip": [
+ "10.0.100.30",
+ "10.0.1.20"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "10.0.100.30",
 "source.bytes": 98,
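Review bot: `related.user` in the second hunk, and in the matching hunks on the next two lines, is populated with `"No Authentication Required"`, which is the FTD placeholder for an unauthenticated connection rather than a user name (it is copied from the `User:` token visible in event.original). related.user exists for pivoting across events, so every unauthenticated connection will now share the same bogus value and a search on that field returns noise instead of a person. The pipeline that derives it is outside this diff; it should skip the placeholder before appending to related.user (and to whatever user field it is copied from), after which this fixture would be regenerated without the `related.user` entry.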
@@ -98,16 +114,25 @@ "destination.ip": "10.0.1.20", "destination.packets": 1, "event.action": "connection-finished", + "event.category": [ + "network" + ], "event.code": 430003, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2019-08-15T14:05:33.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 98, ResponderBytes: 98, NAPPolicy: Balanced Security and Connectivity", "event.outcome": "allow", "event.severity": 1, "event.start": "2019-08-15T16:05:33.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -117,6 +142,13 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "related.ip": [ + "10.0.100.30", + "10.0.1.20" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.100.30", "source.bytes": 98, 
@@ -176,13 +208,22 @@ "dns.question.type": "A", "dns.response_code": "NOERROR", "event.action": "connection-started", + "event.category": [ + "network" + ], "event.code": 430002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 50074, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 106, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSQuery: eu-central-1.ec2.archive.ubuntu.com, DNSRecordType: a host address", "event.outcome": "allow", "event.severity": 1, "event.timezone": "-02:00", + "event.type": [ + "connection", + "start", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -192,6 +233,13 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "10.0.1.20", + "8.8.8.8" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 106, 
@@ -255,16 +303,25 @@ "dns.question.type": "A", "dns.response_code": "NXDOMAIN", "event.action": "connection-finished", + "event.category": [ + "network" + ], "event.code": 430003, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2019-08-15T14:07:00.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 8.8.8.8, SrcPort: 49264, DstPort: 53, Protocol: udp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 2, ResponderPackets: 2, InitiatorBytes: 164, ResponderBytes: 314, NAPPolicy: Balanced Security and Connectivity, DNSQuery: siem-inside, DNSRecordType: a host address, DNSResponseType: Non-Existent Domain, DNS_TTL: 86395", "event.outcome": "allow", "event.severity": 1, "event.start": "2019-08-15T16:07:00.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -274,6 +331,13 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "related.ip": [ + "10.0.1.20", + "8.8.8.8" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 164, 
@@ -330,13 +394,22 @@ "destination.packets": 1, "destination.port": 80, "event.action": "connection-started", + "event.category": [ + "network" + ], "event.code": 430002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "event.outcome": "allow", "event.severity": 1, "event.timezone": "-02:00", + "event.type": [ + "connection", + "start", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -344,6 +417,13 @@ "log.offset": 2515, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "52.59.244.233" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 140, 
@@ -409,16 +489,25 @@ "destination.packets": 29001, "destination.port": 80, "event.action": "connection-finished", + "event.category": [ + "network" + ], "event.code": 430003, "event.dataset": "cisco.ftd", "event.duration": 1000000000, "event.end": "2019-08-15T14:07:19.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 52.59.244.233, SrcPort: 43228, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: Debian APT-HTTP/1.3 (1.6.11), Client: Advanced Packaging Tool, ClientVersion: 1.3, ApplicationProtocol: HTTP, WebApplication: Ubuntu, ConnectionDuration: 1, InitiatorPackets: 1359, ResponderPackets: 29001, InitiatorBytes: 97454, ResponderBytes: 41319018, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: eu-central-1.ec2.archive.ubuntu.com, URL: http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", "event.outcome": "allow", "event.severity": 1, "event.start": "2019-08-15T16:07:18.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "http.response.status_code": "200", @@ -432,6 +521,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "52.59.244.233" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 97454, 
@@ -491,13 +587,22 @@ "destination.packets": 1, "destination.port": 80, "event.action": "connection-started", + "event.category": [ + "network" + ], "event.code": 430002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 140, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity", "event.outcome": "allow", "event.severity": 1, "event.timezone": "-02:00", + "event.type": [ + "connection", + "start", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -505,6 +610,13 @@ "log.offset": 3919, "network.iana_number": 6, "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "213.211.198.62" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 140, 
@@ -569,16 +681,25 @@ "destination.packets": 4, "destination.port": 80, "event.action": "connection-finished", + "event.category": [ + "network" + ], "event.code": 430003, "event.dataset": "cisco.ftd", "event.duration": 0, "event.end": "2019-08-16T07:33:15.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46000, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Rule-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 0, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 503, ResponderBytes: 690, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: www.eicar.org, URL: http://www.eicar.org/download/eicar_com.zip", "event.outcome": "allow", "event.severity": 1, "event.start": "2019-08-16T09:33:15.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end", + "allowed" + ], "fileset.name": "ftd", "host.hostname": "firepower", "http.response.status_code": "200", @@ -589,6 +710,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "213.211.198.62" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 503, 
@@ -638,13 +766,22 @@ "destination.ip": "10.0.1.20", "destination.packets": 0, "event.action": "connection-started", + "event.category": [ + "network" + ], "event.code": 430002, "event.dataset": "cisco.ftd", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.100.30, DstIP: 10.0.1.20, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: output, EgressInterface: input, IngressZone: output-zone, EgressZone: input-zone, ACPolicy: default, AccessControlRuleName: Block-inbound-ICMP, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity", "event.outcome": "block", "event.severity": 1, "event.timezone": "-02:00", + "event.type": [ + "connection", + "start", + "denied" + ], "fileset.name": "ftd", "host.hostname": "firepower", "input.type": "log", @@ -652,6 +789,13 @@ "log.offset": 5177, "network.iana_number": 1, "network.transport": "icmp", + "related.ip": [ + "10.0.100.30", + "10.0.1.20" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.100.30", "source.bytes": 0, 
@@ -708,16 +852,25 @@ "destination.packets": 7, "destination.port": 8000, "event.action": "connection-finished", + "event.category": [ + "network" + ], "event.code": 430003, "event.dataset": "cisco.ftd", "event.duration": 1000000000, "event.end": "2019-08-14T15:09:41.000-02:00", + "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-1-430003: AccessControlRuleAction: Block, AccessControlRuleReason: File Block, SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, IngressInterface: input, EgressInterface: output, IngressZone: input-zone, EgressZone: output-zone, ACPolicy: default, AccessControlRuleName: Intrusion-Rule, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, UserAgent: curl/7.58.0, Client: cURL, ClientVersion: 7.58.0, ApplicationProtocol: HTTP, ConnectionDuration: 1, FileCount: 1, InitiatorPackets: 4, ResponderPackets: 7, InitiatorBytes: 365, ResponderBytes: 1927, NAPPolicy: Balanced Security and Connectivity, HTTPResponse: 200, ReferencedHost: 10.0.100.30:8000, URL: http://10.0.100.30:8000/eicar_com.zip", "event.outcome": "block", "event.severity": 1, "event.start": "2019-08-14T17:09:40.000Z", "event.timezone": "-02:00", + "event.type": [ + "connection", + "end", + "denied" + ], "fileset.name": "ftd", "host.hostname": "siem-ftd", "http.response.status_code": "200", @@ -728,6 +881,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.bytes": 365, @@ -744,4 +904,4 @@ "user.name": "No Authentication Required", "user_agent.original": "curl/7.58.0" } -] \ No newline at end of file +] 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index dbba62884a4..2d02ecd67d3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -23,13 +23,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:54:24Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "event.severity": 1, "event.start": "2019-08-14T14:54:24Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.name": "exploit.exe", "fileset.name": "ftd", "host.hostname": "siem-ftd", @@ -40,6 +47,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -76,13 +90,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41526, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe, FileType: ELF, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T14:55:01Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/exploit.exe", "event.severity": 1, "event.start": "2019-08-14T14:55:01Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.name": "exploit.exe", "fileset.name": "ftd", "host.hostname": "siem-ftd", @@ -93,6 +114,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -129,13 +157,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41530, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:00:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com", "event.severity": 1, "event.start": "2019-08-14T15:00:27Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.name": "eicar.com", "fileset.name": "ftd", "host.hostname": "siem-ftd", @@ -146,6 +181,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -182,13 +224,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41534, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: eicar.com.txt, FileType: EICAR, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:01:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar.com.txt", "event.severity": 1, "event.start": "2019-08-14T15:01:40Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.name": "eicar.com.txt", "fileset.name": "ftd", "host.hostname": "siem-ftd", @@ -199,6 +248,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -239,13 +295,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41540, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:27Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "event.severity": 1, "event.start": "2019-08-14T15:03:27Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", "file.name": "eicar_com.zip", "file.size": "184", @@ -258,6 +321,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -298,13 +371,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "file-detected", + "event.category": [ + "malware" + ], "event.code": 430004, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41542, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, ThreatName: Unknown, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:03:31Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "event.severity": 1, "event.start": "2019-08-14T15:03:31Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", "file.name": "eicar_com.zip", "file.size": "184", @@ -317,6 +397,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -361,13 +451,20 @@ "destination.ip": "10.0.100.30", "destination.port": 8000, "event.action": "malware-detected", + "event.category": [ + "malware" + ], "event.code": 430005, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41544, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Malware Block, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, ThreatScore: 76, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-14T15:09:40Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: File Size Is Too Small, URI: http://10.0.100.30:8000/eicar_com.zip", "event.severity": 1, "event.start": "2019-08-14T15:09:40Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", "file.name": "eicar_com.zip", "file.size": "184", @@ -380,6 +477,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
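Review bot: `event.type` for this `430005` record is only `["info"]` although `event.original` carries `FileAction: Malware Block`, while the connection fixtures in the same change encode a block as `denied` and an allow as `allowed`; the next two `430005` hunks (`Malware Cloud Lookup`) get the identical `["info"]`, so the disposition is not recoverable from the ECS categorization fields, and no `event.outcome` is set either. If the fixtures reflect pipeline output, I would have the FTD pipeline (outside this chunk) derive `denied`/`allowed` and `event.outcome` from `FileAction` for `430004`/`430005`, so detections that were actually blocked can be distinguished from lookups in queries on `event.type`.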
@@ -432,13 +539,20 @@ "destination.ip": "213.211.198.62", "destination.port": 80, "event.action": "malware-detected", + "event.category": [ + "malware" + ], "event.code": 430005, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "event.severity": 1, "event.start": "2019-08-16T09:39:02Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", "file.name": "eicar_com.zip", "file.size": "184", @@ -451,6 +565,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "related.ip": [ + "10.0.1.20", + "213.211.198.62" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -494,13 +618,20 @@ "destination.ip": "10.0.100.30", "destination.port": 80, "event.action": "malware-detected", + "event.category": [ + "malware" + ], "event.code": 430005, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55378, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Unknown, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:40:45Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: Sent for Analysis, FileStaticAnalysisStatus: Failed to Send, URI: http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "event.severity": 1, "event.start": "2019-08-16T09:40:45Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", "file.name": "dd3dee576d0cb4abfed00f97f0c71c1d", "file.size": "278987", @@ -513,6 +644,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" + ], + "related.ip": [ + "10.0.1.20", + "10.0.100.30" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", 
@@ -566,13 +707,20 @@ "destination.ip": "18.197.225.123", "destination.port": 80, "event.action": "malware-detected", + "event.category": [ + "malware" + ], "event.code": 430005, "event.dataset": "cisco.ftd", + "event.kind": "alert", "event.module": "cisco", "event.original": "%FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 18.197.225.123, SrcPort: 47926, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7, SHA_Disposition: Malware, SperoDisposition: Spero detection not performed on file, ThreatName: Pdf.Exploit.Pdfka::100.sbx.tg, ThreatScore: 100, FileName: dd3dee576d0cb4abfed00f97f0c71c1d, FileType: PDF, FileSize: 278987, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:42:06Z, FilePolicy: malware-and-file-policy, FileSandboxStatus: Failed to Send, URI: http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "event.severity": 1, "event.start": "2019-08-16T09:42:06Z", "event.timezone": "-02:00", + "event.type": [ + "info" + ], "file.hash.sha256": "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7", "file.name": "dd3dee576d0cb4abfed00f97f0c71c1d", "file.size": "278987", @@ -585,6 +733,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "related.hash": [ + "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" + ], + "related.ip": [ + "10.0.1.20", + "18.197.225.123" + ], + "related.user": [ + "No Authentication Required" + ], "service.type": "cisco", "source.address": "10.0.1.20", "source.ip": "10.0.1.20", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index ea330b35b27..e9a6b15f242 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
+++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json
@@ -50,16 +50,25 @@
 "destination.packets": 4,
 "destination.port": 80,
 "event.action": "connection-finished",
+ "event.category": [
+ "network"
+ ],
 "event.code": 430003,
 "event.dataset": "cisco.ftd",
 "event.duration": 20000000000,
 "event.end": "2020-02-29T23:02:36.000-02:00",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico",
 "event.outcome": "allow",
 "event.severity": 0,
 "event.start": "2020-03-01T01:02:16.000Z",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection",
+ "end",
+ "allowed"
+ ],
 "fileset.name": "ftd",
 "host.hostname": "CISCO-SENSOR-3D",
 "http.request.referrer": "http://eyedropper-color-pick.info/mk?c=1581483445764",
@@ -71,6 +80,13 @@
 "network.protocol": "http",
 "network.transport": "tcp",
 "process.name": "Alerts",
+ "related.ip": [
+ "3.3.3.3",
+ "2.2.2.2"
+ ],
+ "related.user": [
+ "No Authentication Required"
+ ],
 "service.type": "cisco",
 "source.address": "3.3.3.3",
 "source.bytes": 729,
diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml
index a2f1396fdc4..2ed8ae959c2 100644
--- a/x-pack/filebeat/module/cisco/ios/config/input.yml
+++ b/x-pack/filebeat/module/cisco/ios/config/input.yml
@@ -20,6 +20,10 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
 - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
 - script:
 lang: javascript
 id: cisco_ios
diff --git a/x-pack/filebeat/module/cisco/ios/config/pipeline.js b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
index c4e28d2fe11..4506f67ccb3 100644
--- a/x-pack/filebeat/module/cisco/ios/config/pipeline.js
+++ b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
@@ -151,8 +151,7 @@ var ciscoIOS = (function() {
 normalizeEventOutcome(evt);
 setNetworkType(evt);
 setRelatedIP(evt);
- evt.Put("event.category", "network_traffic");
- evt.Put("event.type", "firewall");
+ setECSCategorization(evt);
 return;
 }
 })
@@ -204,6 +203,14 @@ var ciscoIOS = (function() {
 event.AppendTo("related.ip", event.Get("destination.ip"));
 };
 
+ var setECSCategorization = function(event) {
+ event.Put("event.kind", "event");
+ event.AppendTo("event.category", "network");
+ event.AppendTo("event.category", "network_traffic");
+ event.AppendTo("event.type", "connection");
+ event.AppendTo("event.type", "firewall");
+ };
+
 return {
 process: function(evt) {
 copyOriginalMessage.Run(evt);
diff --git a/x-pack/filebeat/module/cisco/ios/pipeline_test.go b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
index 53496b6a640..6104c25a306 100644
--- a/x-pack/filebeat/module/cisco/ios/pipeline_test.go
+++ b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
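Review bot: `setECSCategorization` never encodes the access-list decision in `event.type`, although the first pipeline.js hunk shows it running after `normalizeEventOutcome(evt)` and the pipeline_test.go cases expect `event.outcome` to be `allow` or `deny`; the ASA/FTD fixtures in this same change map those outcomes to `allowed`/`denied`, so IOS events end up less queryable than the rest of the module. I would append the outcome-derived type after the `connection` line: `var outcome = event.Get("event.outcome");` / `if (outcome === "deny") event.AppendTo("event.type", "denied");` / `else if (outcome === "allow") event.AppendTo("event.type", "allowed");` (and extend the test table accordingly). Separately, `network_traffic` and `firewall` are not among the allowed values for `event.category`/`event.type` in ECS 1.5, which the ios input.yml hunk now stamps as `ecs.version`; if they are kept on purpose for compatibility with the previous single-value mapping, a comment such as `// "network_traffic"/"firewall" are legacy values kept alongside the ECS ones for compatibility` on those two `AppendTo` lines would stop the next reader from treating them as ECS-conformant. The enclosing `ciscoIOS` function starts and ends outside both hunks.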
@@ -43,11 +43,11 @@ var testCases = []testCase{
 "cisco.ios.facility": "SEC",
 "destination.ip": "198.51.100.255",
 "destination.port": int64(15600),
- "event.category": "network_traffic",
+ "event.category": []string{"network", "network_traffic"},
 "event.code": "IPACCESSLOGP",
 "event.outcome": "deny",
 "event.severity": int64(6),
- "event.type": "firewall",
+ "event.type": []string{"connection", "firewall"},
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
 "message": "list 100 denied udp 198.51.100.1(55934) -> 198.51.100.255(15600), 1 packet",
@@ -66,11 +66,11 @@ var testCases = []testCase{
 "cisco.ios.access_list": "100",
 "cisco.ios.facility": "SEC",
 "destination.ip": "198.51.100.2",
- "event.category": "network_traffic",
+ "event.category": []string{"network", "network_traffic"},
 "event.code": "IPACCESSLOGDP",
 "event.outcome": "deny",
 "event.severity": int64(6),
- "event.type": "firewall",
+ "event.type": []string{"connection", "firewall"},
 "icmp.code": int64(5),
 "icmp.type": int64(3),
 "log.level": "informational",
@@ -90,11 +90,11 @@ var testCases = []testCase{
 "cisco.ios.access_list": "170",
 "cisco.ios.facility": "SEC",
 "destination.ip": "224.168.168.168",
- "event.category": "network_traffic",
+ "event.category": []string{"network", "network_traffic"},
 "event.code": "IPACCESSLOGRP",
 "event.outcome": "deny",
 "event.severity": int64(6),
- "event.type": "firewall",
+ "event.type": []string{"connection", "firewall"},
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
 "message": "list 170 denied igmp 198.51.100.1 -> 224.168.168.168, 1 packet",
@@ -112,11 +112,11 @@ var testCases = []testCase{
 "cisco.ios.access_list": "INBOUND-ON-AP",
 "cisco.ios.facility": "SEC",
 "destination.ip": "224.0.0.2",
- "event.category": "network_traffic",
+ "event.category": []string{"network", "network_traffic"},
 "event.code": "IPACCESSLOGSP",
 "event.outcome": "deny",
 "event.severity": int64(6),
- "event.type": "firewall",
+ "event.type": []string{"connection", "firewall"},
 "igmp.type": int64(20),
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
@@ -135,11 +135,11 @@ var testCases = []testCase{
 "cisco.ios.access_list": "1",
 "cisco.ios.facility": "SEC",
 "destination.ip": "239.10.10.10",
- "event.category": "network_traffic",
+ "event.category": []string{"network", "network_traffic"},
 "event.code": "IPACCESSLOGNP",
 "event.outcome": "allow",
 "event.severity": int64(6),
- "event.type": "firewall",
+ "event.type": []string{"connection", "firewall"},
 "log.level": "informational",
 "log.original": isdef.IsNonEmptyString,
 "message": "list 1 permitted 0 198.51.100.1 -> 239.10.10.10, 1 packet",
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
index 2b2fb9ff840..3485b3ff583 100644
--- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
@@ -4,15 +4,22 @@
 "cisco.ios.facility": "SEC",
 "destination.address": "224.0.0.22",
 "destination.ip": "224.0.0.22",
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGRP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 585917,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -42,15 +49,22 @@
 "cisco.ios.facility": "SEC",
 "destination.address": "224.0.0.2",
 "destination.ip": "224.0.0.2",
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGSP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 585918,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "igmp.type": 20,
 "input.type": "log",
@@ -81,15 +95,22 @@
 "cisco.ios.facility": "SEC",
 "destination.address": "255.255.255.255",
 "destination.ip": "255.255.255.255",
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGNP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 585919,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -120,15 +141,22 @@
 "destination.address": "2001:DB8:1000::1",
 "destination.ip": "2001:DB8:1000::1",
 "destination.port": 22,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "ACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "allow",
 "event.sequence": 585920,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -160,15 +188,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663303,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -199,15 +234,22 @@
 "cisco.ios.facility": "SEC",
 "destination.address": "198.51.100.2",
 "destination.ip": "198.51.100.2",
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGDP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663304,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "icmp.code": 4,
 "icmp.type": 3,
@@ -240,15 +282,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663305,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -286,15 +335,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.10.46",
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663306,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -326,15 +382,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663307,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -366,15 +429,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663308,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -406,15 +476,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663309,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -446,15 +523,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663310,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -486,15 +570,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663311,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -526,15 +617,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663312,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -587,15 +685,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663314,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -627,15 +732,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663315,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -667,15 +779,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663316,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -713,15 +832,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.10.46",
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663317,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -753,15 +879,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663318,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -793,15 +926,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663319,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -833,15 +973,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663320,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -879,15 +1026,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.10.46",
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663321,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -919,15 +1073,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663322,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -965,15 +1126,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "8.8.8.8",
 "destination.port": 53,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663323,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1005,15 +1173,22 @@
 "destination.address": "198.51.100.195",
 "destination.ip": "198.51.100.195",
 "destination.port": 59415,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663324,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1071,15 +1246,22 @@
 "cisco.ios.facility": "SEC",
 "destination.address": "198.51.100.1",
 "destination.ip": "198.51.100.1",
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGDP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663326,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "icmp.code": 3,
 "icmp.type": 3,
@@ -1118,15 +1300,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.10.46",
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663327,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1158,15 +1347,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663328,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1198,15 +1394,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663329,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1238,15 +1441,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 138,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663330,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1278,15 +1488,22 @@
 "destination.address": "198.51.100.255",
 "destination.ip": "198.51.100.255",
 "destination.port": 15600,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663331,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
@@ -1324,15 +1541,22 @@
 "destination.geo.location.lon": -97.822,
 "destination.ip": "172.217.10.46",
 "destination.port": 80,
- "event.category": "network_traffic",
+ "event.category": [
+ "network",
+ "network_traffic"
+ ],
 "event.code": "IPACCESSLOGP",
 "event.dataset": "cisco.ios",
+ "event.kind": "event",
 "event.module": "cisco",
 "event.outcome": "deny",
 "event.sequence": 1663332,
 "event.severity": 6,
 "event.timezone": "-02:00",
- "event.type": "firewall",
+ "event.type": [
+ "connection",
+ "firewall"
+ ],
 "fileset.name": "ios",
 "input.type": "log",
 "log.level": "informational",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index b4229a13c7e..cc37b6493c4 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1289,6 +1289,93 @@ processors:
 target_field: cisco.{< .internal_prefix >}.rule_name
 ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ source: >-
+ if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+ return;
+ }
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+
+ if (ctx?.event?.outcome == null) {
+ return;
+ }
+ if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+ if (ctx.event.outcome == 'allow') {
+ ctx.event.type.add('allowed');
+ }
+ if (ctx.event.outcome == 'deny') {
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'block') {
+ ctx.event.type.add('denied');
+ }
+ }
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
 on_failure:
 # Copy any fields under _temp_.cisco to its final destination. Those can help
 # with diagnosing the failure.
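Review bot: The two `related.ip` append processors run unconditionally on `source.ip` and `destination.ip`, so an event whose source and destination address are the same (hairpinned or self-directed traffic) ends up with the same address twice in `related.ip`, which inflates the array and makes count-based queries on that field misleading. A one-line guard on the second append avoids the duplicate without changing the happy path: `if: "ctx?.destination?.ip != null && ctx.destination.ip != ctx?.source?.ip"`. The `# ECS categorization` comment would also help a maintainer more if it said that the `params` table is keyed by `event.action` and that the script deliberately leaves `event.kind`/`category`/`type` unset for actions not in the table, since the early `return` is the only hint of that today. The `processors:` list this hunk extends starts outside the hunk.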