@adriansr
Created December 2, 2019 13:32
{
"filebeat-8.0.0-cisco-asa-asa-ftd-pipeline" : {
"description" : "Pipeline for Cisco ASA and FTD logs",
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}"
],
"pattern_definitions" : {
"SYSLOGFACILITY" : "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>",
"FTD_DATE" : "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})",
"ASA_DATE" : "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?",
"PROCESS" : "(?:[^\\s:\\[]+)",
"SYSLOG_END" : "(?::|\\s\\s+)",
"SYSLOG_HEADER" : "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date})?(?:\\s+%{SYSLOGHOST:host.hostname})?(?: %{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?(?:{DATA})?%{SYSLOG_END}"
}
}
},
{
"grok" : {
"field" : "log.original",
"patterns" : [
"%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}",
"%{GREEDYDATA:message}"
],
"pattern_definitions" : {
"FTD_SUFFIX" : "[^0-9-]+",
"FTD_PREFIX" : "%{DATA}%(?:FTD|ASA)"
}
}
},
{
"set" : {
"field" : "_temp_.cisco.message_id",
"value" : "",
"if" : "ctx?._temp_?.cisco?.message_id == null"
}
},
{
"set" : {
"field" : "event.severity",
"value" : 7,
"if" : "ctx?.event?.severity == null"
}
},
{
"drop" : {
"if" : "ctx.event.severity > 7"
}
},
{
"date" : {
"if" : "ctx.event.timezone == null",
"field" : "_temp_.raw_date",
"target_field" : "@timestamp",
"formats" : [
"ISO8601",
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"EEE MMM d HH:mm:ss",
"EEE MMM dd HH:mm:ss",
"MMM d HH:mm:ss z",
"MMM dd HH:mm:ss z",
"EEE MMM d HH:mm:ss z",
"EEE MMM dd HH:mm:ss z",
"MMM d yyyy HH:mm:ss",
"MMM dd yyyy HH:mm:ss",
"EEE MMM d yyyy HH:mm:ss",
"EEE MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss z",
"MMM dd yyyy HH:mm:ss z",
"EEE MMM d yyyy HH:mm:ss z",
"EEE MMM dd yyyy HH:mm:ss z"
],
"on_failure" : [
{
"append" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}
]
}
},
{
"date" : {
"target_field" : "@timestamp",
"formats" : [
"ISO8601",
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"EEE MMM d HH:mm:ss",
"EEE MMM dd HH:mm:ss",
"MMM d HH:mm:ss z",
"MMM dd HH:mm:ss z",
"EEE MMM d HH:mm:ss z",
"EEE MMM dd HH:mm:ss z",
"MMM d yyyy HH:mm:ss",
"MMM dd yyyy HH:mm:ss",
"EEE MMM d yyyy HH:mm:ss",
"EEE MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss z",
"MMM dd yyyy HH:mm:ss z",
"EEE MMM d yyyy HH:mm:ss z",
"EEE MMM dd yyyy HH:mm:ss z"
],
"on_failure" : [
{
"append" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}
],
"if" : "ctx.event.timezone != null",
"timezone" : "{{ event.timezone }}",
"field" : "_temp_.raw_date"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 0",
"value" : "unknown"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 1",
"value" : "alert"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 2",
"value" : "critical"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 3",
"value" : "error"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 4",
"value" : "warning"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 5",
"value" : "notification"
}
},
{
"set" : {
"if" : "ctx.event.severity == 6",
"value" : "informational",
"field" : "log.level"
}
},
{
"set" : {
"field" : "log.level",
"if" : "ctx.event.severity == 7",
"value" : "debug"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id != \"\"",
"field" : "event.action",
"value" : "firewall-rule"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106001'",
"field" : "message",
"pattern" : "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"pattern" : "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}",
"if" : "ctx._temp_.cisco.message_id == '106002'",
"field" : "message"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106006'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106007'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}",
"if" : "ctx._temp_.cisco.message_id == '106010'"
}
},
{
"dissect" : {
"pattern" : "Dropping echo request from %{source.address} to PAT address %{destination.address}",
"if" : "ctx._temp_.cisco.message_id == '106013'",
"field" : "message"
}
},
{
"set" : {
"value" : "icmp",
"if" : "ctx._temp_.cisco.message_id == '106013'",
"field" : "network.transport"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '106013'",
"field" : "network.direction",
"value" : "inbound"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106014'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106015'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106016'",
"field" : "message",
"pattern" : "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"pattern" : "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}",
"if" : "ctx._temp_.cisco.message_id == '106017'",
"field" : "message"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}",
"if" : "ctx._temp_.cisco.message_id == '106018'"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106020'",
"field" : "message",
"pattern" : "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106021'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106022'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '106023'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}"
}
},
{
"dissect" : {
"pattern" : "%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group \"%{_temp_.cisco.list_id}\"",
"if" : "ctx._temp_.cisco.message_id == '106027'",
"field" : "message"
}
},
{
"dissect" : {
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}",
"if" : "ctx._temp_.cisco.message_id == '106100'",
"field" : "message"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}",
"if" : "ctx._temp_.cisco.message_id == '106102'"
}
},
{
"dissect" : {
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}",
"if" : "ctx._temp_.cisco.message_id == '106103'",
"field" : "message"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '304001'",
"field" : "message",
"pattern" : "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '304001'",
"field" : "event.outcome",
"value" : "allow"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '304002'",
"field" : "message",
"pattern" : "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '313001'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '313004'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '313005'",
"field" : "message",
"pattern" : "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '313008'",
"field" : "message",
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '313009'",
"field" : "message",
"pattern" : "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '322001'",
"field" : "message",
"pattern" : "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338001'",
"field" : "message",
"pattern" : "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338001'",
"field" : "server.domain",
"value" : "{{source.domain}}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338002'",
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
}
},
{
"set" : {
"value" : "{{destination.domain}}",
"if" : "ctx._temp_.cisco.message_id == '338002'",
"field" : "server.domain"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338003'"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338004'",
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338005'"
}
},
{
"set" : {
"value" : "{{source.domain}}",
"if" : "ctx._temp_.cisco.message_id == '338005'",
"field" : "server.domain"
}
},
{
"dissect" : {
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338006'",
"field" : "message"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338006'",
"field" : "server.domain",
"value" : "{{destination.domain}}"
}
},
{
"dissect" : {
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338007'",
"field" : "message"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338008'",
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338101'",
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338101'",
"field" : "server.domain",
"value" : "{{source.domain}}"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}",
"if" : "ctx._temp_.cisco.message_id == '338102'"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338102'",
"field" : "server.domain",
"value" : "{{destination.domain}}"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}",
"if" : "ctx._temp_.cisco.message_id == '338103'"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338104'",
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
}
},
{
"dissect" : {
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338201'",
"field" : "message"
}
},
{
"set" : {
"value" : "{{source.domain}}",
"if" : "ctx._temp_.cisco.message_id == '338201'",
"field" : "server.domain"
}
},
{
"dissect" : {
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338202'",
"field" : "message"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338202'",
"field" : "server.domain",
"value" : "{{destination.domain}}"
}
},
{
"dissect" : {
"field" : "message",
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338203'"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338203'",
"field" : "server.domain",
"value" : "{{source.domain}}"
}
},
{
"dissect" : {
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}",
"if" : "ctx._temp_.cisco.message_id == '338204'",
"field" : "message"
}
},
{
"set" : {
"value" : "{{destination.domain}}",
"if" : "ctx._temp_.cisco.message_id == '338204'",
"field" : "server.domain"
}
},
{
"dissect" : {
"if" : "ctx._temp_.cisco.message_id == '338301'",
"field" : "message",
"pattern" : "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
}
},
{
"set" : {
"field" : "client.address",
"value" : "{{destination.address}}",
"if" : "ctx._temp_.cisco.message_id == '338301'"
}
},
{
"set" : {
"value" : "{{destination.port}}",
"if" : "ctx._temp_.cisco.message_id == '338301'",
"field" : "client.port"
}
},
{
"set" : {
"field" : "server.address",
"value" : "{{source.address}}",
"if" : "ctx._temp_.cisco.message_id == '338301'"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == '338301'",
"field" : "server.port",
"value" : "{{source.port}}"
}
},
{
"set" : {
"if" : "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)",
"field" : "event.action",
"value" : "flow-expiration"
}
},
{
"grok" : {
"field" : "message",
"if" : "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)",
"patterns" : [
"Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}",
"Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}"
],
"pattern_definitions" : {
"MAPPEDSRC" : "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})",
"NOTCOLON" : "[^:]*",
"ECSSOURCEIPORHOST" : "(?:%{IP:source.address}|%{HOSTNAME:source.domain})",
"ECSDESTIPORHOST" : "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
}
}
},
{
"kv" : {
"field" : "message",
"field_split" : ",",
"value_split" : ":",
"target_field" : "_temp_.orig_security",
"trim_key" : " ",
"trim_value" : " ",
"ignore_failure" : true,
"if" : "[\"430001\", \"430002\", \"430003\", \"430004\", \"430005\", \"\"].contains(ctx._temp_.cisco.message_id)"
}
},
{
"remove" : {
"field" : [
"message"
],
"ignore_missing" : true
}
},
{
"script" : {
"source" : "boolean isEmpty(def value) {\n return (value instanceof AbstractList? value.size() : value.length()) == 0;\n}\ndef appendOrCreate(Map dest, String[] path, def value) {\n for (int i=0; i<path.length-1; i++) {\n dest = dest.computeIfAbsent(path[i], _ -> new HashMap());\n }\n String key = path[path.length - 1];\n def existing = dest.get(key);\n return existing == null?\n dest.put(key, value)\n : existing instanceof AbstractList?\n existing.add(value)\n : dest.put(key, new ArrayList([existing, value]));\n}\ndef msg = ctx._temp_.orig_security;\ndef counters = new HashMap();\ndef dest = new HashMap();\nctx._temp_.cisco['security'] = dest;\nfor (entry in msg.entrySet()) {\n def param = params.get(entry.getKey());\n if (param == null) {\n continue;\n }\n param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );\n if (!isEmpty(entry.getValue())) {\n param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );\n dest[param.target] = entry.getValue();\n }\n}\nif (ctx._temp_.cisco.message_id != \"\") return;\ndef best;\nfor (entry in counters.entrySet()) {\n if (best == null || best.getValue() < entry.getValue()) best = entry;\n}\nif (best != null) ctx._temp_.cisco.message_id = best.getKey();\n",
"if" : "ctx._temp_?.orig_security != null",
"params" : {
"URL" : {
"target" : "url",
"id" : [
"430002",
"430003"
],
"ecs" : [
"url.original"
]
},
"ThreatScore" : {
"target" : "threat_score",
"id" : [
"430005"
],
"ecs" : [
"_temp_.cisco.threat_level"
]
},
"ACPolicy" : {
"ecs" : [
"_temp_.cisco.rule_name"
],
"target" : "ac_policy",
"id" : [
"430001",
"430002",
"430003"
]
},
"SSLServerCertStatus" : {
"target" : "ssl_server_cert_status",
"id" : [
"430002",
"430003"
]
},
"DNS_Sinkhole" : {
"target" : "dns_sinkhole",
"id" : [
"430002",
"430003"
]
},
"ArchiveFileName" : {
"id" : [
"430004",
"430005"
],
"ecs" : [
"file.name"
],
"target" : "archive_file_name"
},
"EgressInterface" : {
"id" : [
"430001",
"430002",
"430003"
],
"ecs" : [
"_temp_.cisco.destination_interface"
],
"target" : "egress_interface"
},
"FileAction" : {
"id" : [
"430004",
"430005"
],
"target" : "file_action"
},
"ThreatName" : {
"target" : "threat_name",
"id" : [
"430005"
],
"ecs" : [
"_temp_.cisco.threat_category"
]
},
"URLReputation" : {
"target" : "url_reputation",
"id" : [
"430002",
"430003"
]
},
"FileSandboxStatus" : {
"target" : "file_sandbox_status",
"id" : [
"430004",
"430005"
]
},
"GID" : {
"target" : "gid",
"id" : [
"430001"
],
"ecs" : [
"service.id"
]
},
"InlineResult" : {
"target" : "inline_result",
"id" : [
"430001"
],
"ecs" : [
"event.outcome"
]
},
"ICMPCode" : {
"target" : "icmp_code",
"id" : [
"430001",
"430002",
"430003"
]
},
"HTTPReferer" : {
"ecs" : [
"http.request.referrer"
],
"target" : "http_referer",
"id" : [
"430002",
"430003"
]
},
"SSLVersion" : {
"target" : "ssl_version",
"id" : [
"430002",
"430003"
]
},
"SSLTicketID" : {
"id" : [
"430002",
"430003"
],
"target" : "ssl_ticket_id"
},
"URLCategory" : {
"target" : "url_category",
"id" : [
"430002",
"430003"
]
},
"ArchiveSHA256" : {
"target" : "archive_sha256",
"id" : [
"430004",
"430005"
],
"ecs" : [
"file.hash.sha256"
]
},
"originalClientSrcIP" : {
"target" : "original_client_src_ip",
"id" : [
"430002",
"430003"
],
"ecs" : [
"client.address"
]
},
"Priority" : {
"target" : "priority",
"id" : [
"430001"
]
},
"FileDirection" : {
"target" : "file_direction",
"id" : [
"430004",
"430005"
]
},
"FileCount" : {
"target" : "file_count",
"id" : [
"430002",
"430003"
]
},
"NAPPolicy" : {
"target" : "nap_policy",
"id" : [
"430001",
"430002",
"430003"
]
},
"DstIP" : {
"target" : "dst_ip",
"ecs" : [
"destination.address"
]
},
"SSLSessionID" : {
"target" : "ssl_session_id",
"id" : [
"430002",
"430003"
]
},
"ReferencedHost" : {
"ecs" : [
"url.domain"
],
"target" : "referenced_host",
"id" : [
"430002",
"430003"
]
},
"FileName" : {
"ecs" : [
"file.name"
],
"target" : "file_name",
"id" : [
"430004",
"430005"
]
},
"Classification" : {
"target" : "classification",
"id" : [
"430001"
]
},
"SSLExpectedAction" : {
"id" : [
"430002",
"430003"
],
"target" : "ssl_expected_action"
},
"FileType" : {
"id" : [
"430004",
"430005"
],
"target" : "file_type"
},
"URLSICategory" : {
"target" : "urlsi_category",
"id" : [
"430002",
"430003"
]
},
"Tunnel or Prefilter Rule" : {
"target" : "tunnel_or_prefilter_rule",
"id" : [
"430002",
"430003"
]
},
"FileSize" : {
"ecs" : [
"file.size"
],
"target" : "file_size",
"id" : [
"430004",
"430005"
]
},
"Prefilter Policy" : {
"target" : "prefilter_policy",
"id" : [
"430002",
"430003"
]
},
"UserAgent" : {
"target" : "user_agent",
"id" : [
"430002",
"430003"
],
"ecs" : [
"user_agent.original"
]
},
"InitiatorPackets" : {
"ecs" : [
"source.packets"
],
"target" : "initiator_packets",
"id" : [
"430003"
]
},
"ClientVersion" : {
"target" : "client_version",
"id" : [
"430002",
"430003"
]
},
"SID" : {
"target" : "sid",
"id" : [
"430001"
]
},
"Protocol" : {
"target" : "protocol",
"ecs" : [
"network.transport"
]
},
"SrcIP" : {
"ecs" : [
"source.address"
],
"target" : "src_ip"
},
"MPLS_Label" : {
"target" : "mpls_label",
"id" : [
"430001"
]
},
"Security Group" : {
"id" : [
"430002",
"430003"
],
"target" : "security_group"
},
"SSLFlowStatus" : {
"target" : "ssl_flow_status",
"id" : [
"430002",
"430003",
"430004",
"430005"
]
},
"User" : {
"target" : "user",
"ecs" : [
"user.id",
"user.name"
]
},
"SSLURLCategory" : {
"target" : "sslurl_category",
"id" : [
"430002",
"430003"
]
},
"WebApplication" : {
"target" : "web_application",
"ecs" : [
"network.application"
]
},
"NumIOC" : {
"target" : "num_ioc",
"id" : [
"430001"
]
},
"VLAN_ID" : {
"target" : "vlan_id",
"id" : [
"430001",
"430002",
"430003"
]
},
"InitiatorBytes" : {
"id" : [
"430003"
],
"ecs" : [
"source.bytes"
],
"target" : "initiator_bytes"
},
"SHA_Disposition" : {
"target" : "sha_disposition",
"id" : [
"430004",
"430005"
]
},
"Endpoint Profile" : {
"target" : "endpoint_profile",
"id" : [
"430002",
"430003"
]
},
"Client" : {
"ecs" : [
"network.application"
],
"target" : "client"
},
"SSLServerName" : {
"ecs" : [
"server.domain"
],
"target" : "ssl_server_name",
"id" : [
"430002",
"430003"
]
},
"SSLPolicy" : {
"target" : "ssl_policy",
"id" : [
"430002",
"430003"
]
},
"DNSSICategory" : {
"target" : "dnssi_category",
"id" : [
"430002",
"430003"
]
},
"IngressInterface" : {
"target" : "ingress_interface",
"id" : [
"430001",
"430002",
"430003"
],
"ecs" : [
"_temp_.cisco.source_interface"
]
},
"DNSRecordType" : {
"id" : [
"430002",
"430003"
],
"ecs" : [
"dns.question.type"
],
"target" : "dns_record_type"
},
"AccessControlRuleReason" : {
"id" : [
"430002",
"430003"
],
"target" : "access_control_rule_reason"
},
"Message" : {
"target" : "message",
"id" : [
"430001"
],
"ecs" : [
"message"
]
},
"AccessControlRuleName" : {
"ecs" : [
"_temp_.cisco.rule_name"
],
"target" : "access_control_rule_name",
"id" : [
"430002",
"430003"
]
},
"DNSQuery" : {
"target" : "dns_query",
"id" : [
"430002",
"430003"
],
"ecs" : [
"dns.question.name"
]
},
"Revision" : {
"id" : [
"430001"
],
"target" : "revision"
},
"SSLCertificate" : {
"target" : "ssl_certificate",
"id" : [
"430002",
"430003",
"430004",
"430005"
]
},
"SSSLCipherSuite" : {
"target" : "sssl_cipher_suite",
"id" : [
"430002",
"430003"
]
},
"IngressZone" : {
"target" : "ingress_zone",
"id" : [
"430001",
"430002",
"430003"
]
},
"URI" : {
"target" : "uri",
"id" : [
"430004",
"430005"
],
"ecs" : [
"url.original"
]
},
"FileSHA256" : {
"target" : "file_sha256",
"id" : [
"430004",
"430005"
],
"ecs" : [
"file.hash.sha256"
]
},
"SecIntMatchingIP" : {
"target" : "sec_int_matching_ip",
"id" : [
"430002",
"430003"
]
},
"ApplicationProtocol" : {
"ecs" : [
"network.protocol"
],
"target" : "application_protocol"
},
"FirstPacketSecond" : {
"id" : [
"430004",
"430005"
],
"ecs" : [
"event.start"
],
"target" : "first_packet_second"
},
"EgressZone" : {
"target" : "egress_zone",
"id" : [
"430001",
"430002",
"430003"
]
},
"ICMPType" : {
"target" : "icmp_type",
"id" : [
"430001",
"430002",
"430003"
]
},
"NetBIOSDomain" : {
"target" : "net_bios_domain",
"id" : [
"430002",
"430003"
],
"ecs" : [
"host.hostname"
]
},
"SrcPort" : {
"target" : "src_port",
"ecs" : [
"source.port"
]
},
"ArchiveFileStatus" : {
"target" : "archive_file_status",
"id" : [
"430004",
"430005"
]
},
"ArchiveDepth" : {
"target" : "archive_depth",
"id" : [
"430004",
"430005"
]
},
"ConnectionDuration" : {
"ecs" : [
"event.duration"
],
"target" : "connection_duration",
"id" : [
"430003"
]
},
"DstPort" : {
"target" : "dst_port",
"ecs" : [
"destination.port"
]
},
"SperoDisposition" : {
"target" : "spero_disposition",
"id" : [
"430004",
"430005"
]
},
"ResponderBytes" : {
"target" : "responder_bytes",
"id" : [
"430003"
],
"ecs" : [
"destination.bytes"
]
},
"TCPFlags" : {
"target" : "tcp_flags",
"id" : [
"430002",
"430003"
]
},
"SSLRuleName" : {
"target" : "ssl_rule_name",
"id" : [
"430002",
"430003"
]
},
"IPSCount" : {
"target" : "ips_count",
"id" : [
"430002",
"430003"
]
},
"IPReputationSICategory" : {
"target" : "ip_reputation_si_category",
"id" : [
"430002",
"430003"
]
},
"ResponderPackets" : {
"target" : "responder_packets",
"id" : [
"430003"
],
"ecs" : [
"destination.packets"
]
},
"FilePolicy" : {
"ecs" : [
"_temp_.cisco.rule_name"
],
"target" : "file_policy",
"id" : [
"430004",
"430005"
]
},
"DNSResponseType" : {
"target" : "dns_response_type",
"id" : [
"430002",
"430003"
],
"ecs" : [
"dns.response_code"
]
},
"HTTPResponse" : {
"target" : "http_response",
"id" : [
"430001",
"430002",
"430003"
],
"ecs" : [
"http.response.status_code"
]
},
"DNS_TTL" : {
"target" : "dns_ttl",
"id" : [
"430002",
"430003"
]
},
"FileStorageStatus" : {
"target" : "file_storage_status",
"id" : [
"430004",
"430005"
]
},
"IntrusionPolicy" : {
"id" : [
"430001"
],
"ecs" : [
"_temp_.cisco.rule_name"
],
"target" : "intrusion_policy"
},
"AccessControlRuleAction" : {
"target" : "access_control_rule_action",
"id" : [
"430002",
"430003"
],
"ecs" : [
"event.outcome"
]
},
"SSLActualAction" : {
"ecs" : [
"event.outcome"
],
"target" : "ssl_actual_action"
}
},
"lang" : "painless"
}
},
{
"script" : {
"params" : {
"dns.question.type" : {
"map" : {
"text strings" : "TXT",
"the canonical name for an alias" : "CNAME",
"marks the start of a zone of authority" : "SOA",
"a domain name pointer" : "PTR",
"a host address" : "A",
"mail exchange" : "MX",
"server selection" : "SRV",
"ip6 address" : "AAAA",
"an authoritative name server" : "NS"
}
},
"dns.response_code" : {
"map" : {
"no error" : "NOERROR",
"non-existent domain" : "NXDOMAIN",
"server failure" : "SERVFAIL",
"query refused" : "REFUSED"
}
},
"ctx._temp_.cisco.message_id" : {
"target" : "event.action",
"map" : {
"430005" : "malware-detected",
"430001" : "intrusion-detected",
"430002" : "connection-started",
"430003" : "connection-finished",
"430004" : "file-detected"
}
}
},
"source" : "def getField(Map src, String[] path) {\n for (int i=0; i<path.length-1; i++) {\n src = src.getOrDefault(path[i], null);\n if (src == null || !(src instanceof Map)) {\n return null;\n }\n }\n return src[path[path.length-1]];\n}\ndef setField(Map dest, String[] path, def value) {\n for (int i=0; i<path.length-1; i++) {\n dest = dest.computeIfAbsent(path[i], _ -> new HashMap());\n }\n dest[path[path.length-1]] = value;\n}\nfor (entry in params.entrySet()) {\n def srcField = entry.getKey();\n def param = entry.getValue();\n String oldVal = getField(ctx, srcField.splitOnToken('.'));\n if (oldVal == null) continue;\n def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);\n if (newVal != null) {\n def dstField = param.getOrDefault('target', srcField);\n setField(ctx, dstField.splitOnToken('.'), newVal);\n }\n}\n",
"lang" : "painless"
}
},
{
"set" : {
"if" : "ctx.dns?.question?.type != null && ctx.dns?.response_code == null",
"field" : "dns.response_code",
"value" : "NOERROR"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == \"430001\"",
"field" : "event.action",
"value" : "intrusion-detected"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == \"430002\"",
"field" : "event.action",
"value" : "connection-started"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == \"430003\"",
"field" : "event.action",
"value" : "connection-finished"
}
},
{
"set" : {
"if" : "ctx._temp_.cisco.message_id == \"430004\"",
"field" : "event.action",
"value" : "file-detected"
}
},
{
"set" : {
"field" : "event.action",
"value" : "malware-detected",
"if" : "ctx._temp_.cisco.message_id == \"430005\""
}
},
{
"set" : {
"value" : "{{event.duration}}",
"if" : "ctx.event?.duration != null",
"field" : "_temp_.duration_hms"
}
},
{
"script" : {
"lang" : "painless",
"if" : "ctx?._temp_?.duration_hms != null",
"source" : "long parse_hms(String s) {\n long cur = 0, total = 0;\n for (char c: s.toCharArray()) {\n if (c >= (char)'0' && c <= (char)'9') {\n cur = (cur*10) + (long)c - (char)'0';\n } else if (c == (char)':') {\n total = (total + cur) * 60;\n cur = 0;\n } else {\n return 0;\n }\n }\n return total + cur;\n} if (ctx?.event == null) {\n ctx['event'] = new HashMap();\n} String end = ctx['@timestamp']; ctx.event['end'] = end; long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; ctx.event['duration'] = nanos; ctx.event['start'] = ZonedDateTime.ofInstant(\n Instant.parse(end).minusNanos(nanos),\n ZoneOffset.UTC);\n"
}
},
{
"lowercase" : {
"field" : "network.transport",
"ignore_failure" : true
}
},
{
"lowercase" : {
"field" : "network.protocol",
"ignore_failure" : true
}
},
{
"lowercase" : {
"field" : "network.application",
"ignore_failure" : true
}
},
{
"lowercase" : {
"field" : "file.type",
"ignore_failure" : true
}
},
{
"lowercase" : {
"field" : "network.direction",
"ignore_failure" : true
}
},
{
"script" : {
"if" : "ctx?.network?.transport != null",
"lang" : "painless",
"params" : {
"idpr" : 35,
"ipv6-opts" : 60,
"ipv6" : 41,
"esp" : 50,
"ipv6-route" : 43,
"ipv6-nonxt" : 59,
"ipv4" : 4,
"pup" : 12,
"irtp" : 28,
"igmp" : 2,
"rsvp" : 46,
"udp" : 17,
"tcp" : 6,
"egp" : 8,
"dccp" : 33,
"gre" : 47,
"ipv6-icmp" : 58,
"icmp" : 1,
"rdp" : 27,
"ipv6-frag" : 44,
"igp" : 9
},
"source" : "def net = ctx.network; def iana = params[net.transport]; if (iana != null) {\n net['iana_number'] = iana;\n return;\n} def reverse = new HashMap(); def[] arr = new def[] { null }; for (entry in params.entrySet()) {\n arr[0] = entry.getValue();\n reverse.put(String.format(\"%d\", arr), entry.getKey());\n} def trans = reverse[net.transport]; if (trans != null) {\n net['iana_number'] = net.transport;\n net['transport'] = trans;\n}\n"
}
},
{
"lowercase" : {
"field" : "event.outcome",
"ignore_missing" : true
}
},
{
"set" : {
"if" : "ctx.event?.outcome == \"est-allowed\"",
"value" : "allow",
"field" : "event.outcome"
}
},
{
"set" : {
"field" : "event.outcome",
"if" : "ctx.event?.outcome == \"permitted\"",
"value" : "allow"
}
},
{
"set" : {
"value" : "deny",
"field" : "event.outcome",
"if" : "ctx.event?.outcome == \"denied\""
}
},
{
"set" : {
"if" : "ctx.event?.outcome == \"dropped\"",
"value" : "deny",
"field" : "event.outcome"
}
},
{
"set" : {
"field" : "network.transport",
"if" : "ctx.network?.transport == \"icmpv6\"",
"value" : "ipv6-icmp"
}
},
{
"convert" : {
"field" : "source.port",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"field" : "destination.port",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"ignore_failure" : true,
"field" : "source.bytes",
"type" : "integer"
}
},
{
"convert" : {
"type" : "integer",
"ignore_failure" : true,
"field" : "destination.bytes"
}
},
{
"convert" : {
"field" : "source.packets",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"field" : "destination.packets",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"type" : "integer",
"ignore_failure" : true,
"field" : "_temp_.cisco.mapped_source_port"
}
},
{
"convert" : {
"field" : "_temp_.cisco.mapped_destination_port",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"type" : "integer",
"ignore_failure" : true,
"field" : "_temp_.cisco.icmp_code"
}
},
{
"convert" : {
"field" : "_temp_.cisco.icmp_type",
"type" : "integer",
"ignore_failure" : true
}
},
{
"convert" : {
"ignore_failure" : true,
"field" : "network.iana_number",
"type" : "integer"
}
},
{
"grok" : {
"field" : "source.address",
"patterns" : [
"(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})"
],
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "destination.address",
"patterns" : [
"(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})"
],
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "client.address",
"patterns" : [
"(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})"
],
"ignore_failure" : true
}
},
{
"grok" : {
"field" : "server.address",
"patterns" : [
"(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})"
],
"ignore_failure" : true
}
},
{
"geoip" : {
"field" : "source.ip",
"target_field" : "source.geo",
"ignore_missing" : true
}
},
{
"geoip" : {
"field" : "destination.ip",
"target_field" : "destination.geo",
"ignore_missing" : true
}
},
{
"geoip" : {
"database_file" : "GeoLite2-ASN.mmdb",
"field" : "source.ip",
"target_field" : "source.as",
"properties" : [
"asn",
"organization_name"
],
"ignore_missing" : true
}
},
{
"geoip" : {
"database_file" : "GeoLite2-ASN.mmdb",
"field" : "destination.ip",
"target_field" : "destination.as",
"properties" : [
"asn",
"organization_name"
],
"ignore_missing" : true
}
},
{
"rename" : {
"field" : "source.as.asn",
"target_field" : "source.as.number",
"ignore_missing" : true
}
},
{
"rename" : {
"ignore_missing" : true,
"field" : "source.as.organization_name",
"target_field" : "source.as.organization.name"
}
},
{
"rename" : {
"field" : "destination.as.asn",
"target_field" : "destination.as.number",
"ignore_missing" : true
}
},
{
"rename" : {
"field" : "destination.as.organization_name",
"target_field" : "destination.as.organization.name",
"ignore_missing" : true
}
},
{
"set" : {
"field" : "source.nat.ip",
"value" : "{{_temp_.cisco.mapped_source_ip}}",
"if" : "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
}
},
{
"set" : {
"field" : "source.nat.port",
"value" : "{{_temp_.cisco.mapped_source_port}}",
"if" : "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)"
}
},
{
"set" : {
"field" : "destination.nat.ip",
"value" : "{{_temp_.cisco.mapped_destination_ip}}",
"if" : "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
}
},
{
"set" : {
"field" : "destination.nat.port",
"value" : "{{_temp_.cisco.mapped_destination_port}}",
"if" : "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)"
}
},
{
"convert" : {
"field" : "_temp_.cisco.message_id",
"target_field" : "event.code",
"type" : "integer",
"ignore_failure" : true
}
},
{
"remove" : {
"field" : [
"_temp_.cisco.message_id",
"event.code"
],
"if" : "ctx._temp_.cisco.message_id == \"\"",
"ignore_failure" : true
}
},
{
"rename" : {
"field" : "_temp_.cisco",
"target_field" : "cisco.asa",
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "_temp_",
"ignore_missing" : true
}
},
{
"rename" : {
"target_field" : "event.original",
"ignore_missing" : true,
"field" : "log.original"
}
},
{
"rename" : {
"field" : "cisco.asa.list_id",
"target_field" : "cisco.asa.rule_name",
"ignore_missing" : true
}
}
],
"on_failure" : [
{
"append" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}
]
}
}