[Filebeat] Cisco Security Intelligence Events - Connection-Started Events not Parsed properly

Greetings!

The Cisco FTD Filebeat module is awesome and works very well. However, I noticed a possible bug with the ingest pipeline, or maybe it's something that I have misconfigured.

Any of the events from the Cisco FTD SysLog that are 430002 / connection-started do not seem to parse the message payload fully to get all of the needed fields.

This is the raw JSON after ingestion. You can also notice that the timestamp (36Z) is the first part of the original log. You will also notice that you don't see IPReputationSICategory: Malware in the fields. The URL also seems to be missing. I see that these fields exist and work when it is a connection-ended / 430003 event.

The last thing that I just caught is that in the payload I see %NGIPS-0-430003, but the event.code given was 430002, so I am not sure if this is the wrong part of the ingest or something else is amiss. This is leveraging 7.5.2 without any modifications. Please let me know if I should also reach out to support.

*I did some basic cleansing of the data, but for the most part it should be pretty close. Also, this is the same for Domain Reputation connection-started events.

{
  "_index": "filebeat-7.5.2-2020.02.06-000001",
  "_type": "_doc",
  "_id": "kRDUN3ABGn9pvKaPzoHr",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "redacted",
      "id": "f4efb769-0d6c-46ea-b009-3856a47cbe97",
      "ephemeral_id": "7ed9a5c7-0121-4bb2-aca2-16d30ff66ff3",
      "type": "filebeat",
      "version": "7.5.2"
    },
    "log": {
      "level": "debug",
      "source": {
        "address": "1.1.1.1:50289"
      }
    },
    "destination": {
      "geo": {
        "continent_name": "Europe",
        "country_iso_code": "PT",
        "location": {
          "lon": -9.1394,
          "lat": 38.7139
        }
      },
      "as": {
        "number": 8426,
        "organization": {
          "name": "Claranet Ltd"
        }
      },
      "address": "2.2.2.2",
      "port": 80,
      "ip": "2.2.2.2"
    },
    "syslog": {
      "facility": 112
    },
    "source": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-SD",
        "city_name": "Cow",
        "country_iso_code": "US",
        "region_name": "South Dakota",
        "location": {
          "lon": -97.6104,
          "lat": 44.0369
        }
      },
      "as": {
        "number": 7773,
        "organization": {
          "name": "State Government"
        }
      },
      "address": "3.3.3.3",
      "port": 65090,
      "ip": "3.3.3.3"
    },
    "fileset": {
      "name": "ftd"
    },
    "tags": [
      "cisco-ftd",
      "beats_input_codec_plain_applied"
    ],
    "network": {
      "transport": "tcp",
      "iana_number": 6
    },
    "input": {
      "type": "udp"
    },
    "@timestamp": "2020-02-11T23:17:00.000-06:00",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "cisco"
    },
    "host": {
      "name": "redacted"
    },
    "@version": "1",
    "event": {
      "severity": 7,
      "code": 430002,
      "original": "36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, AccessControlRuleReason: IP Monitor, SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, IngressInterface: s1p1, EgressInterface: s1p2, IngressZone: Inside-DMZ-Interface-Inline, EgressZone: Inside-DMZ-Interface-Inline, ACPolicy: COOL-POLICY-3D, AccessControlRuleName: Inside DMZ-Rule-Inline, Prefilter Policy: Unknown, User: No Authentication Required, UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, ClientVersion: 80.0.3987.87, ApplicationProtocol: HTTP, ConnectionDuration: 20, InitiatorPackets: 4, ResponderPackets: 4, InitiatorBytes: 729, ResponderBytes: 246, NAPPolicy: State-Backbone, SecIntMatchingIP: Destination, IPReputationSICategory: Malware, HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, ReferencedHost: eyedropper-color-pick.info, URL: http://bad-malwaresite-grr.info/favicon.ico",
      "timezone": "-06:00",
      "module": "cisco",
      "action": "connection-started",
      "dataset": "cisco.ftd",
      "outcome": "allow"
    },
    "user": {
      "name": "No Authentication Required",
      "id": "No Authentication Required"
    },
    "cisco": {
      "ftd": {
        "destination_interface": "s1p2",
        "security": {
          "access_control_rule_reason": "IP Monitor",
          "egress_zone": "Inside-DMZ-Interface-Inline",
          "access_control_rule_name": "Inside DMZ-Rule-Inline",
          "egress_interface": "s1p2",
          "access_control_rule_action": "Allow",
          "prefilter_policy": "Unknown",
          "ingress_zone": "Inside-DMZ-Interface-Inline",
          "dst_ip": "2.2.2.2",
          "ac_policy": "COOL-POLICY-3D",
          "src_port": "65090",
          "src_ip": "3.3.3.3",
          "protocol": "tcp",
          "dst_port": "80",
          "ingress_interface": "s1p1",
          "user": "No Authentication Required",
          "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML"
        },
        "rule_name": [
          "COOL-POLICY-3D",
          "Inside DMZ-Rule-Inline"
        ],
        "source_interface": "s1p1",
        "message_id": "430002"
      }
    },
    "user_agent": {
      "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2020-02-12T05:17:00.000Z"
    ],
    "@timestamp": [
      "2020-02-12T05:17:00.000Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@kibana-highlighted-field@connection-started@/kibana-highlighted-field@"
    ],
    "event.dataset": [
      "@kibana-highlighted-field@cisco.ftd@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1581484620000
  ]
}

Hmm... Looking at an event that works shows the opposite:

This is very confusing. It seems that the NGIPS-0-430002 must not correlate to the event.code/action?
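The two symptoms in the thread (user_agent.original cut off at "(KHTML", and the message ID read from the %NGIPS tag versus the one recorded in event.code) both come down to how the FTD "Key: Value, Key: Value" payload is tokenised. The following is an added example, not code from the Filebeat module or its ingest pipeline: it takes the %NGIPS tag and a shortened copy of the event.original payload quoted above (poster's redacted values kept as given), shows the truncation a plain split on ", " produces, and then splits only at field boundaries so the comma inside the UserAgent value survives.

```python
import re

# Constructed sample: a shortened copy of the event.original payload quoted in
# the post above. The leading "36Z" is the leftover timestamp fragment the
# poster points out; the %NGIPS tag carries severity 0 and message ID 430003.
SAMPLE = (
    "36Z CISCO-SENSOR-3D Alerts %NGIPS-0-430003: "
    "DeviceUUID: 1c8ff662-08f3-11e4-85c0-bc960372972f, AccessControlRuleAction: Allow, "
    "SrcIP: 3.3.3.3, DstIP: 2.2.2.2, SrcPort: 65090, DstPort: 80, Protocol: tcp, "
    "Prefilter Policy: Unknown, User: No Authentication Required, "
    "UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36, Client: Chrome, "
    "SecIntMatchingIP: Destination, IPReputationSICategory: Malware, "
    "HTTPReferer: http://eyedropper-color-pick.info/mk?c=1581483445764, "
    "URL: http://bad-malwaresite-grr.info/favicon.ico"
)

# %NGIPS-<severity>-<message id>: <payload>; anything before the tag is ignored.
HEADER = re.compile(r"%NGIPS-(?P<severity>\d)-(?P<message_id>\d{6}):\s*(?P<payload>.*)$")

# A field boundary is ", " followed by a capitalised field name (optionally with a
# space, e.g. "Prefilter Policy") and ": ". ", like Gecko)" does not qualify.
FIELD_BOUNDARY = re.compile(r", (?=[A-Z][A-Za-z ]*: )")


def split_header(message):
    """Return (severity, message_id, payload) from the %NGIPS tag in the message."""
    m = HEADER.search(message)
    if m is None:
        raise ValueError("no %NGIPS tag in message")
    return int(m["severity"]), m["message_id"], m["payload"]


def parse_naive(payload):
    """Split on every ', ': UserAgent stops at '(KHTML', exactly as the post's
    user_agent.original shows, and the remainder of the agent string is lost."""
    fields = {}
    for part in payload.split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key] = value
    return fields


def parse_fields(payload):
    """Split only at field boundaries so comma-bearing values stay whole."""
    fields = {}
    for part in FIELD_BOUNDARY.split(payload):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields
```

Comparing `message_id` from `split_header` with the module's event.code is the quickest way to confirm which of the two values the pipeline actually took from the message.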
