Created
December 2, 2019 13:32
{ | |
"filebeat-8.0.0-cisco-asa-asa-ftd-pipeline" : { | |
"description" : "Pipeline for Cisco ASA logs", | |
"processors" : [ | |
{ | |
"grok" : { | |
"field" : "message", | |
"patterns" : [ | |
"(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}" | |
], | |
"pattern_definitions" : { | |
"SYSLOGFACILITY" : "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>", | |
"FTD_DATE" : "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})", | |
"ASA_DATE" : "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?", | |
"PROCESS" : "(?:[^\\s:\\[]+)", | |
"SYSLOG_END" : "(?::|\\s\\s+)", | |
"SYSLOG_HEADER" : "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date})?(?:\\s+%{SYSLOGHOST:host.hostname})?(?: %{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?(?:{DATA})?%{SYSLOG_END}" | |
} | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "log.original", | |
"patterns" : [ | |
"%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{POSINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}", | |
"%{GREEDYDATA:message}" | |
], | |
"pattern_definitions" : { | |
"FTD_SUFFIX" : "[^0-9-]+", | |
"FTD_PREFIX" : "%{DATA}%(?:FTD|ASA)" | |
} | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "_temp_.cisco.message_id", | |
"value" : "", | |
"if" : "ctx?._temp_?.cisco?.message_id == null" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "event.severity", | |
"value" : 7, | |
"if" : "ctx?.event?.severity == null" | |
} | |
}, | |
{ | |
"drop" : { | |
"if" : "ctx.event.severity > 7" | |
} | |
}, | |
{ | |
"date" : { | |
"if" : "ctx.event.timezone == null", | |
"field" : "_temp_.raw_date", | |
"target_field" : "@timestamp", | |
"formats" : [ | |
"ISO8601", | |
"MMM d HH:mm:ss", | |
"MMM dd HH:mm:ss", | |
"EEE MMM d HH:mm:ss", | |
"EEE MMM dd HH:mm:ss", | |
"MMM d HH:mm:ss z", | |
"MMM dd HH:mm:ss z", | |
"EEE MMM d HH:mm:ss z", | |
"EEE MMM dd HH:mm:ss z", | |
"MMM d yyyy HH:mm:ss", | |
"MMM dd yyyy HH:mm:ss", | |
"EEE MMM d yyyy HH:mm:ss", | |
"EEE MMM dd yyyy HH:mm:ss", | |
"MMM d yyyy HH:mm:ss z", | |
"MMM dd yyyy HH:mm:ss z", | |
"EEE MMM d yyyy HH:mm:ss z", | |
"EEE MMM dd yyyy HH:mm:ss z" | |
], | |
"on_failure" : [ | |
{ | |
"append" : { | |
"field" : "error.message", | |
"value" : "{{ _ingest.on_failure_message }}" | |
} | |
} | |
] | |
} | |
}, | |
{ | |
"date" : { | |
"target_field" : "@timestamp", | |
"formats" : [ | |
"ISO8601", | |
"MMM d HH:mm:ss", | |
"MMM dd HH:mm:ss", | |
"EEE MMM d HH:mm:ss", | |
"EEE MMM dd HH:mm:ss", | |
"MMM d HH:mm:ss z", | |
"MMM dd HH:mm:ss z", | |
"EEE MMM d HH:mm:ss z", | |
"EEE MMM dd HH:mm:ss z", | |
"MMM d yyyy HH:mm:ss", | |
"MMM dd yyyy HH:mm:ss", | |
"EEE MMM d yyyy HH:mm:ss", | |
"EEE MMM dd yyyy HH:mm:ss", | |
"MMM d yyyy HH:mm:ss z", | |
"MMM dd yyyy HH:mm:ss z", | |
"EEE MMM d yyyy HH:mm:ss z", | |
"EEE MMM dd yyyy HH:mm:ss z" | |
], | |
"on_failure" : [ | |
{ | |
"append" : { | |
"field" : "error.message", | |
"value" : "{{ _ingest.on_failure_message }}" | |
} | |
} | |
], | |
"if" : "ctx.event.timezone != null", | |
"timezone" : "{{ event.timezone }}", | |
"field" : "_temp_.raw_date" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 0", | |
"value" : "unknown" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 1", | |
"value" : "alert" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 2", | |
"value" : "critical" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 3", | |
"value" : "error" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 4", | |
"value" : "warning" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 5", | |
"value" : "notification" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx.event.severity == 6", | |
"value" : "informational", | |
"field" : "log.level" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "log.level", | |
"if" : "ctx.event.severity == 7", | |
"value" : "debug" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id != \"\"", | |
"field" : "event.action", | |
"value" : "firewall-rule" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106001'", | |
"field" : "message", | |
"pattern" : "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}", | |
"if" : "ctx._temp_.cisco.message_id == '106002'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106006'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106007'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}", | |
"if" : "ctx._temp_.cisco.message_id == '106010'" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dropping echo request from %{source.address} to PAT address %{destination.address}", | |
"if" : "ctx._temp_.cisco.message_id == '106013'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "icmp", | |
"if" : "ctx._temp_.cisco.message_id == '106013'", | |
"field" : "network.transport" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '106013'", | |
"field" : "network.direction", | |
"value" : "inbound" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106014'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106015'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106016'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}", | |
"if" : "ctx._temp_.cisco.message_id == '106017'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}", | |
"if" : "ctx._temp_.cisco.message_id == '106018'" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106020'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106021'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106022'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '106023'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group \"%{_temp_.cisco.list_id}\"%{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group \"%{_temp_.cisco.list_id}\"", | |
"if" : "ctx._temp_.cisco.message_id == '106027'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}", | |
"if" : "ctx._temp_.cisco.message_id == '106100'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}", | |
"if" : "ctx._temp_.cisco.message_id == '106102'" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}", | |
"if" : "ctx._temp_.cisco.message_id == '106103'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '304001'", | |
"field" : "message", | |
"pattern" : "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '304001'", | |
"field" : "event.outcome", | |
"value" : "allow" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '304002'", | |
"field" : "message", | |
"pattern" : "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '313001'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '313004'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '313005'", | |
"field" : "message", | |
"pattern" : "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '313008'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type} , code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '313009'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code} , for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '322001'", | |
"field" : "message", | |
"pattern" : "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338001'", | |
"field" : "message", | |
"pattern" : "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338001'", | |
"field" : "server.domain", | |
"value" : "{{source.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338002'", | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{destination.domain}}", | |
"if" : "ctx._temp_.cisco.message_id == '338002'", | |
"field" : "server.domain" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338003'" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338004'", | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338005'" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{source.domain}}", | |
"if" : "ctx._temp_.cisco.message_id == '338005'", | |
"field" : "server.domain" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338006'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338006'", | |
"field" : "server.domain", | |
"value" : "{{destination.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338007'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338008'", | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338101'", | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338101'", | |
"field" : "server.domain", | |
"value" : "{{source.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}", | |
"if" : "ctx._temp_.cisco.message_id == '338102'" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338102'", | |
"field" : "server.domain", | |
"value" : "{{destination.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}", | |
"if" : "ctx._temp_.cisco.message_id == '338103'" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338104'", | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338201'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{source.domain}}", | |
"if" : "ctx._temp_.cisco.message_id == '338201'", | |
"field" : "server.domain" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338202'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338202'", | |
"field" : "server.domain", | |
"value" : "{{destination.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"field" : "message", | |
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338203'" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338203'", | |
"field" : "server.domain", | |
"value" : "{{source.domain}}" | |
} | |
}, | |
{ | |
"dissect" : { | |
"pattern" : "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.cisco.mapped_source_ip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.cisco.mapped_destination_ip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}", | |
"if" : "ctx._temp_.cisco.message_id == '338204'", | |
"field" : "message" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{destination.domain}}", | |
"if" : "ctx._temp_.cisco.message_id == '338204'", | |
"field" : "server.domain" | |
} | |
}, | |
{ | |
"dissect" : { | |
"if" : "ctx._temp_.cisco.message_id == '338301'", | |
"field" : "message", | |
"pattern" : "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "client.address", | |
"value" : "{{destination.address}}", | |
"if" : "ctx._temp_.cisco.message_id == '338301'" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{destination.port}}", | |
"if" : "ctx._temp_.cisco.message_id == '338301'", | |
"field" : "client.port" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "server.address", | |
"value" : "{{source.address}}", | |
"if" : "ctx._temp_.cisco.message_id == '338301'" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == '338301'", | |
"field" : "server.port", | |
"value" : "{{source.port}}" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)", | |
"field" : "event.action", | |
"value" : "flow-expiration" | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "message", | |
"if" : "[\"302014\", \"302016\", \"302018\", \"302021\", \"302036\", \"302304\", \"302306\"].contains(ctx._temp_.cisco.message_id)", | |
"patterns" : [ | |
"Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int} (?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?(?:duration %{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes:int})%{GREEDYDATA}", | |
"Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER} (?:%{NOTSPACE:_temp_.cisco.destination_username} )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}(?: %{NOTSPACE:_temp_.cisco.source_username})?%{GREEDYDATA}" | |
], | |
"pattern_definitions" : { | |
"MAPPEDSRC" : "(?:%{DATA:_temp_.cisco.mapped_source_ip}|%{HOSTNAME})", | |
"NOTCOLON" : "[^:]*", | |
"ECSSOURCEIPORHOST" : "(?:%{IP:source.address}|%{HOSTNAME:source.domain})", | |
"ECSDESTIPORHOST" : "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" | |
} | |
} | |
}, | |
{ | |
"kv" : { | |
"field" : "message", | |
"field_split" : ",", | |
"value_split" : ":", | |
"target_field" : "_temp_.orig_security", | |
"trim_key" : " ", | |
"trim_value" : " ", | |
"ignore_failure" : true, | |
"if" : "[\"430001\", \"430002\", \"430003\", \"430004\", \"430005\", \"\"].contains(ctx._temp_.cisco.message_id)" | |
} | |
}, | |
{ | |
"remove" : { | |
"field" : [ | |
"message" | |
], | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"script" : { | |
"source" : "boolean isEmpty(def value) {\n return (value instanceof AbstractList? value.size() : value.length()) == 0;\n}\ndef appendOrCreate(Map dest, String[] path, def value) {\n for (int i=0; i<path.length-1; i++) {\n dest = dest.computeIfAbsent(path[i], _ -> new HashMap());\n }\n String key = path[path.length - 1];\n def existing = dest.get(key);\n return existing == null?\n dest.put(key, value)\n : existing instanceof AbstractList?\n existing.add(value)\n : dest.put(key, new ArrayList([existing, value]));\n}\ndef msg = ctx._temp_.orig_security;\ndef counters = new HashMap();\ndef dest = new HashMap();\nctx._temp_.cisco['security'] = dest;\nfor (entry in msg.entrySet()) {\n def param = params.get(entry.getKey());\n if (param == null) {\n continue;\n }\n param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );\n if (!isEmpty(entry.getValue())) {\n param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );\n dest[param.target] = entry.getValue();\n }\n}\nif (ctx._temp_.cisco.message_id != \"\") return;\ndef best;\nfor (entry in counters.entrySet()) {\n if (best == null || best.getValue() < entry.getValue()) best = entry;\n}\nif (best != null) ctx._temp_.cisco.message_id = best.getKey();\n", | |
"if" : "ctx._temp_?.orig_security != null", | |
"params" : { | |
"URL" : { | |
"target" : "url", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"url.original" | |
] | |
}, | |
"ThreatScore" : { | |
"target" : "threat_score", | |
"id" : [ | |
"430005" | |
], | |
"ecs" : [ | |
"_temp_.cisco.threat_level" | |
] | |
}, | |
"ACPolicy" : { | |
"ecs" : [ | |
"_temp_.cisco.rule_name" | |
], | |
"target" : "ac_policy", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"SSLServerCertStatus" : { | |
"target" : "ssl_server_cert_status", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"DNS_Sinkhole" : { | |
"target" : "dns_sinkhole", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"ArchiveFileName" : { | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"ecs" : [ | |
"file.name" | |
], | |
"target" : "archive_file_name" | |
}, | |
"EgressInterface" : { | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"_temp_.cisco.destination_interface" | |
], | |
"target" : "egress_interface" | |
}, | |
"FileAction" : { | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"target" : "file_action" | |
}, | |
"ThreatName" : { | |
"target" : "threat_name", | |
"id" : [ | |
"430005" | |
], | |
"ecs" : [ | |
"_temp_.cisco.threat_category" | |
] | |
}, | |
"URLReputation" : { | |
"target" : "url_reputation", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"FileSandboxStatus" : { | |
"target" : "file_sandbox_status", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"GID" : { | |
"target" : "gid", | |
"id" : [ | |
"430001" | |
], | |
"ecs" : [ | |
"service.id" | |
] | |
}, | |
"InlineResult" : { | |
"target" : "inline_result", | |
"id" : [ | |
"430001" | |
], | |
"ecs" : [ | |
"event.outcome" | |
] | |
}, | |
"ICMPCode" : { | |
"target" : "icmp_code", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"HTTPReferer" : { | |
"ecs" : [ | |
"http.request.referrer" | |
], | |
"target" : "http_referer", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"SSLVersion" : { | |
"target" : "ssl_version", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"SSLTicketID" : { | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"target" : "ssl_ticket_id" | |
}, | |
"URLCategory" : { | |
"target" : "url_category", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"ArchiveSHA256" : { | |
"target" : "archive_sha256", | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"ecs" : [ | |
"file.hash.sha256" | |
] | |
}, | |
"originalClientSrcIP" : { | |
"target" : "original_client_src_ip", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"client.address" | |
] | |
}, | |
"Priority" : { | |
"target" : "priority", | |
"id" : [ | |
"430001" | |
] | |
}, | |
"FileDirection" : { | |
"target" : "file_direction", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"FileCount" : { | |
"target" : "file_count", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"NAPPolicy" : { | |
"target" : "nap_policy", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"DstIP" : { | |
"target" : "dst_ip", | |
"ecs" : [ | |
"destination.address" | |
] | |
}, | |
"SSLSessionID" : { | |
"target" : "ssl_session_id", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"ReferencedHost" : { | |
"ecs" : [ | |
"url.domain" | |
], | |
"target" : "referenced_host", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"FileName" : { | |
"ecs" : [ | |
"file.name" | |
], | |
"target" : "file_name", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"Classification" : { | |
"target" : "classification", | |
"id" : [ | |
"430001" | |
] | |
}, | |
"SSLExpectedAction" : { | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"target" : "ssl_expected_action" | |
}, | |
"FileType" : { | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"target" : "file_type" | |
}, | |
"URLSICategory" : { | |
"target" : "urlsi_category", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"Tunnel or Prefilter Rule" : { | |
"target" : "tunnel_or_prefilter_rule", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"FileSize" : { | |
"ecs" : [ | |
"file.size" | |
], | |
"target" : "file_size", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"Prefilter Policy" : { | |
"target" : "prefilter_policy", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"UserAgent" : { | |
"target" : "user_agent", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"user_agent.original" | |
] | |
}, | |
"InitiatorPackets" : { | |
"ecs" : [ | |
"source.packets" | |
], | |
"target" : "initiator_packets", | |
"id" : [ | |
"430003" | |
] | |
}, | |
"ClientVersion" : { | |
"target" : "client_version", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"SID" : { | |
"target" : "sid", | |
"id" : [ | |
"430001" | |
] | |
}, | |
"Protocol" : { | |
"target" : "protocol", | |
"ecs" : [ | |
"network.transport" | |
] | |
}, | |
"SrcIP" : { | |
"ecs" : [ | |
"source.address" | |
], | |
"target" : "src_ip" | |
}, | |
"MPLS_Label" : { | |
"target" : "mpls_label", | |
"id" : [ | |
"430001" | |
] | |
}, | |
"Security Group" : { | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"target" : "security_group" | |
}, | |
"SSLFlowStatus" : { | |
"target" : "ssl_flow_status", | |
"id" : [ | |
"430002", | |
"430003", | |
"430004", | |
"430005" | |
] | |
}, | |
"User" : { | |
"target" : "user", | |
"ecs" : [ | |
"user.id", | |
"user.name" | |
] | |
}, | |
"SSLURLCategory" : { | |
"target" : "sslurl_category", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"WebApplication" : { | |
"target" : "web_application", | |
"ecs" : [ | |
"network.application" | |
] | |
}, | |
"NumIOC" : { | |
"target" : "num_ioc", | |
"id" : [ | |
"430001" | |
] | |
}, | |
"VLAN_ID" : { | |
"target" : "vlan_id", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"InitiatorBytes" : { | |
"id" : [ | |
"430003" | |
], | |
"ecs" : [ | |
"source.bytes" | |
], | |
"target" : "initiator_bytes" | |
}, | |
"SHA_Disposition" : { | |
"target" : "sha_disposition", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"Endpoint Profile" : { | |
"target" : "endpoint_profile", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"Client" : { | |
"ecs" : [ | |
"network.application" | |
], | |
"target" : "client" | |
}, | |
"SSLServerName" : { | |
"ecs" : [ | |
"server.domain" | |
], | |
"target" : "ssl_server_name", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"SSLPolicy" : { | |
"target" : "ssl_policy", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"DNSSICategory" : { | |
"target" : "dnssi_category", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"IngressInterface" : { | |
"target" : "ingress_interface", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"_temp_.cisco.source_interface" | |
] | |
}, | |
"DNSRecordType" : { | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"dns.question.type" | |
], | |
"target" : "dns_record_type" | |
}, | |
"AccessControlRuleReason" : { | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"target" : "access_control_rule_reason" | |
}, | |
"Message" : { | |
"target" : "message", | |
"id" : [ | |
"430001" | |
], | |
"ecs" : [ | |
"message" | |
] | |
}, | |
"AccessControlRuleName" : { | |
"ecs" : [ | |
"_temp_.cisco.rule_name" | |
], | |
"target" : "access_control_rule_name", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"DNSQuery" : { | |
"target" : "dns_query", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"dns.question.name" | |
] | |
}, | |
"Revision" : { | |
"id" : [ | |
"430001" | |
], | |
"target" : "revision" | |
}, | |
"SSLCertificate" : { | |
"target" : "ssl_certificate", | |
"id" : [ | |
"430002", | |
"430003", | |
"430004", | |
"430005" | |
] | |
}, | |
"SSSLCipherSuite" : { | |
"target" : "sssl_cipher_suite", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"IngressZone" : { | |
"target" : "ingress_zone", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"URI" : { | |
"target" : "uri", | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"ecs" : [ | |
"url.original" | |
] | |
}, | |
"FileSHA256" : { | |
"target" : "file_sha256", | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"ecs" : [ | |
"file.hash.sha256" | |
] | |
}, | |
"SecIntMatchingIP" : { | |
"target" : "sec_int_matching_ip", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"ApplicationProtocol" : { | |
"ecs" : [ | |
"network.protocol" | |
], | |
"target" : "application_protocol" | |
}, | |
"FirstPacketSecond" : { | |
"id" : [ | |
"430004", | |
"430005" | |
], | |
"ecs" : [ | |
"event.start" | |
], | |
"target" : "first_packet_second" | |
}, | |
"EgressZone" : { | |
"target" : "egress_zone", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"ICMPType" : { | |
"target" : "icmp_type", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
] | |
}, | |
"NetBIOSDomain" : { | |
"target" : "net_bios_domain", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"host.hostname" | |
] | |
}, | |
"SrcPort" : { | |
"target" : "src_port", | |
"ecs" : [ | |
"source.port" | |
] | |
}, | |
"ArchiveFileStatus" : { | |
"target" : "archive_file_status", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"ArchiveDepth" : { | |
"target" : "archive_depth", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"ConnectionDuration" : { | |
"ecs" : [ | |
"event.duration" | |
], | |
"target" : "connection_duration", | |
"id" : [ | |
"430003" | |
] | |
}, | |
"DstPort" : { | |
"target" : "dst_port", | |
"ecs" : [ | |
"destination.port" | |
] | |
}, | |
"SperoDisposition" : { | |
"target" : "spero_disposition", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"ResponderBytes" : { | |
"target" : "responder_bytes", | |
"id" : [ | |
"430003" | |
], | |
"ecs" : [ | |
"destination.bytes" | |
] | |
}, | |
"TCPFlags" : { | |
"target" : "tcp_flags", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"SSLRuleName" : { | |
"target" : "ssl_rule_name", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"IPSCount" : { | |
"target" : "ips_count", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"IPReputationSICategory" : { | |
"target" : "ip_reputation_si_category", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"ResponderPackets" : { | |
"target" : "responder_packets", | |
"id" : [ | |
"430003" | |
], | |
"ecs" : [ | |
"destination.packets" | |
] | |
}, | |
"FilePolicy" : { | |
"ecs" : [ | |
"_temp_.cisco.rule_name" | |
], | |
"target" : "file_policy", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"DNSResponseType" : { | |
"target" : "dns_response_type", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"dns.response_code" | |
] | |
}, | |
"HTTPResponse" : { | |
"target" : "http_response", | |
"id" : [ | |
"430001", | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"http.response.status_code" | |
] | |
}, | |
"DNS_TTL" : { | |
"target" : "dns_ttl", | |
"id" : [ | |
"430002", | |
"430003" | |
] | |
}, | |
"FileStorageStatus" : { | |
"target" : "file_storage_status", | |
"id" : [ | |
"430004", | |
"430005" | |
] | |
}, | |
"IntrusionPolicy" : { | |
"id" : [ | |
"430001" | |
], | |
"ecs" : [ | |
"_temp_.cisco.rule_name" | |
], | |
"target" : "intrusion_policy" | |
}, | |
"AccessControlRuleAction" : { | |
"target" : "access_control_rule_action", | |
"id" : [ | |
"430002", | |
"430003" | |
], | |
"ecs" : [ | |
"event.outcome" | |
] | |
}, | |
"SSLActualAction" : { | |
"ecs" : [ | |
"event.outcome" | |
], | |
"target" : "ssl_actual_action" | |
} | |
}, | |
"lang" : "painless" | |
} | |
}, | |
{ | |
"script" : { | |
"params" : { | |
"dns.question.type" : { | |
"map" : { | |
"text strings" : "TXT", | |
"the canonical name for an alias" : "CNAME", | |
"marks the start of a zone of authority" : "SOA", | |
"a domain name pointer" : "PTR", | |
"a host address" : "A", | |
"mail exchange" : "MX", | |
"server selection" : "SRV", | |
"ip6 address" : "AAAA", | |
"an authoritative name server" : "NS" | |
} | |
}, | |
"dns.response_code" : { | |
"map" : { | |
"no error" : "NOERROR", | |
"non-existent domain" : "NXDOMAIN", | |
"server failure" : "SERVFAIL", | |
"query refused" : "REFUSED" | |
} | |
}, | |
"ctx._temp_.cisco.message_id" : { | |
"target" : "event.action", | |
"map" : { | |
"430005" : "malware-detected", | |
"430001" : "intrusion-detected", | |
"430002" : "connection-started", | |
"430003" : "connection-finished", | |
"430004" : "file-detected" | |
} | |
} | |
}, | |
"source" : "def getField(Map src, String[] path) {\n for (int i=0; i<path.length-1; i++) {\n src = src.getOrDefault(path[i], null);\n if (src == null || !(src instanceof Map)) {\n return null;\n }\n }\n return src[path[path.length-1]];\n}\ndef setField(Map dest, String[] path, def value) {\n for (int i=0; i<path.length-1; i++) {\n dest = dest.computeIfAbsent(path[i], _ -> new HashMap());\n }\n dest[path[path.length-1]] = value;\n}\nfor (entry in params.entrySet()) {\n def srcField = entry.getKey();\n def param = entry.getValue();\n String oldVal = getField(ctx, srcField.splitOnToken('.'));\n if (oldVal == null) continue;\n def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);\n if (newVal != null) {\n def dstField = param.getOrDefault('target', srcField);\n setField(ctx, dstField.splitOnToken('.'), newVal);\n }\n}\n", | |
"lang" : "painless" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx.dns?.question?.type != null && ctx.dns?.response_code == null", | |
"field" : "dns.response_code", | |
"value" : "NOERROR" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == \"430001\"", | |
"field" : "event.action", | |
"value" : "intrusion-detected" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == \"430002\"", | |
"field" : "event.action", | |
"value" : "connection-started" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == \"430003\"", | |
"field" : "event.action", | |
"value" : "connection-finished" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx._temp_.cisco.message_id == \"430004\"", | |
"field" : "event.action", | |
"value" : "file-detected" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "event.action", | |
"value" : "malware-detected", | |
"if" : "ctx._temp_.cisco.message_id == \"430005\"" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "{{event.duration}}", | |
"if" : "ctx.event?.duration != null", | |
"field" : "_temp_.duration_hms" | |
} | |
}, | |
{ | |
"script" : { | |
"lang" : "painless", | |
"if" : "ctx?._temp_?.duration_hms != null", | |
"source" : "long parse_hms(String s) {\n long cur = 0, total = 0;\n for (char c: s.toCharArray()) {\n if (c >= (char)'0' && c <= (char)'9') {\n cur = (cur*10) + (long)c - (char)'0';\n } else if (c == (char)':') {\n total = (total + cur) * 60;\n cur = 0;\n } else {\n return 0;\n }\n }\n return total + cur;\n} if (ctx?.event == null) {\n ctx['event'] = new HashMap();\n} String end = ctx['@timestamp']; ctx.event['end'] = end; long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; ctx.event['duration'] = nanos; ctx.event['start'] = ZonedDateTime.ofInstant(\n Instant.parse(end).minusNanos(nanos),\n ZoneOffset.UTC);\n" | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "network.transport", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "network.protocol", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "network.application", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "file.type", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "network.direction", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"script" : { | |
"if" : "ctx?.network?.transport != null", | |
"lang" : "painless", | |
"params" : { | |
"idpr" : 35, | |
"ipv6-opts" : 60, | |
"ipv6" : 41, | |
"esp" : 50, | |
"ipv6-route" : 43, | |
"ipv6-nonxt" : 59, | |
"ipv4" : 4, | |
"pup" : 12, | |
"irtp" : 28, | |
"igmp" : 2, | |
"rsvp" : 46, | |
"udp" : 17, | |
"tcp" : 6, | |
"egp" : 8, | |
"dccp" : 33, | |
"gre" : 47, | |
"ipv6-icmp" : 58, | |
"icmp" : 1, | |
"rdp" : 27, | |
"ipv6-frag" : 44, | |
"igp" : 9 | |
}, | |
"source" : "def net = ctx.network; def iana = params[net.transport]; if (iana != null) {\n net['iana_number'] = iana;\n return;\n} def reverse = new HashMap(); def[] arr = new def[] { null }; for (entry in params.entrySet()) {\n arr[0] = entry.getValue();\n reverse.put(String.format(\"%d\", arr), entry.getKey());\n} def trans = reverse[net.transport]; if (trans != null) {\n net['iana_number'] = net.transport;\n net['transport'] = trans;\n}\n" | |
} | |
}, | |
{ | |
"lowercase" : { | |
"field" : "event.outcome", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx.event?.outcome == \"est-allowed\"", | |
"value" : "allow", | |
"field" : "event.outcome" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "event.outcome", | |
"if" : "ctx.event?.outcome == \"permitted\"", | |
"value" : "allow" | |
} | |
}, | |
{ | |
"set" : { | |
"value" : "deny", | |
"field" : "event.outcome", | |
"if" : "ctx.event?.outcome == \"denied\"" | |
} | |
}, | |
{ | |
"set" : { | |
"if" : "ctx.event?.outcome == \"dropped\"", | |
"value" : "deny", | |
"field" : "event.outcome" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "network.transport", | |
"if" : "ctx.network?.transport == \"icmpv6\"", | |
"value" : "ipv6-icmp" | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "source.port", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "destination.port", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"ignore_failure" : true, | |
"field" : "source.bytes", | |
"type" : "integer" | |
} | |
}, | |
{ | |
"convert" : { | |
"type" : "integer", | |
"ignore_failure" : true, | |
"field" : "destination.bytes" | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "source.packets", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "destination.packets", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"type" : "integer", | |
"ignore_failure" : true, | |
"field" : "_temp_.cisco.mapped_source_port" | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "_temp_.cisco.mapped_destination_port", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"type" : "integer", | |
"ignore_failure" : true, | |
"field" : "_temp_.cisco.icmp_code" | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "_temp_.cisco.icmp_type", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"convert" : { | |
"ignore_failure" : true, | |
"field" : "network.iana_number", | |
"type" : "integer" | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "source.address", | |
"patterns" : [ | |
"(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})" | |
], | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "destination.address", | |
"patterns" : [ | |
"(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})" | |
], | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "client.address", | |
"patterns" : [ | |
"(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})" | |
], | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"grok" : { | |
"field" : "server.address", | |
"patterns" : [ | |
"(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})" | |
], | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"geoip" : { | |
"field" : "source.ip", | |
"target_field" : "source.geo", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"geoip" : { | |
"field" : "destination.ip", | |
"target_field" : "destination.geo", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"geoip" : { | |
"database_file" : "GeoLite2-ASN.mmdb", | |
"field" : "source.ip", | |
"target_field" : "source.as", | |
"properties" : [ | |
"asn", | |
"organization_name" | |
], | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"geoip" : { | |
"database_file" : "GeoLite2-ASN.mmdb", | |
"field" : "destination.ip", | |
"target_field" : "destination.as", | |
"properties" : [ | |
"asn", | |
"organization_name" | |
], | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"rename" : { | |
"field" : "source.as.asn", | |
"target_field" : "source.as.number", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"rename" : { | |
"ignore_missing" : true, | |
"field" : "source.as.organization_name", | |
"target_field" : "source.as.organization.name" | |
} | |
}, | |
{ | |
"rename" : { | |
"field" : "destination.as.asn", | |
"target_field" : "destination.as.number", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"rename" : { | |
"field" : "destination.as.organization_name", | |
"target_field" : "destination.as.organization.name", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "source.nat.ip", | |
"value" : "{{_temp_.cisco.mapped_source_ip}}", | |
"if" : "ctx._temp_.cisco.mapped_source_ip != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "source.nat.port", | |
"value" : "{{_temp_.cisco.mapped_source_port}}", | |
"if" : "ctx._temp_.cisco.mapped_source_port != null && (ctx._temp_.cisco.mapped_source_ip != ctx.source.ip || ctx._temp_.cisco.mapped_source_port != ctx.source.port)" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "destination.nat.ip", | |
"value" : "{{_temp_.cisco.mapped_destination_ip}}", | |
"if" : "ctx._temp_.cisco.mapped_destination_ip != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" | |
} | |
}, | |
{ | |
"set" : { | |
"field" : "destination.nat.port", | |
"value" : "{{_temp_.cisco.mapped_destination_port}}", | |
"if" : "ctx._temp_.cisco.mapped_destination_port != null && (ctx._temp_.cisco.mapped_destination_ip != ctx.destination.ip || ctx._temp_.cisco.mapped_destination_port != ctx.destination.port)" | |
} | |
}, | |
{ | |
"convert" : { | |
"field" : "_temp_.cisco.message_id", | |
"target_field" : "event.code", | |
"type" : "integer", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"remove" : { | |
"field" : [ | |
"_temp_.cisco.message_id", | |
"event.code" | |
], | |
"if" : "ctx._temp_.cisco.message_id == \"\"", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"rename" : { | |
"field" : "_temp_.cisco", | |
"target_field" : "cisco.asa", | |
"ignore_failure" : true | |
} | |
}, | |
{ | |
"remove" : { | |
"field" : "_temp_", | |
"ignore_missing" : true | |
} | |
}, | |
{ | |
"rename" : { | |
"target_field" : "event.original", | |
"ignore_missing" : true, | |
"field" : "log.original" | |
} | |
}, | |
{ | |
"rename" : { | |
"field" : "cisco.asa.list_id", | |
"target_field" : "cisco.asa.rule_name", | |
"ignore_missing" : true | |
} | |
} | |
], | |
"on_failure" : [ | |
{ | |
"append" : { | |
"field" : "error.message", | |
"value" : "{{ _ingest.on_failure_message }}" | |
} | |
} | |
] | |
} | |
} |