diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0f8a9350edcc..b48825373849 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -835,6 +835,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521] - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] +- Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] *Heartbeat* diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 2e85cd4dfee1..5dadd775a99d 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 1d225c42addf..2578835b3d0a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1743,6 +1743,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "aaaa" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1779,6 +1782,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "aaaa" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2115,7 +2121,6 @@ "dev01" ], "related.ip": [ - "10.10.10.10", "10.10.10.10" ], "service.type": "cisco", @@ -2207,7 +2212,6 @@ "dev01" ], "related.ip": [ - "10.10.10.10", "10.10.10.10" ], "service.type": "cisco", @@ -2302,7 +2306,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2347,7 +2350,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2392,7 +2394,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2437,7 +2438,6 @@ "dev01" ], "related.ip": [ - "10.20.30.40", "10.20.30.40" ], "service.type": "cisco", @@ -2710,6 +2710,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "enable_15" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2749,6 +2752,9 @@ "related.hosts": [ "dev01" ], + "related.user": [ + "enable_15" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2794,6 +2800,9 @@ "10.10.1.212", "10.10.1.254" ], + "related.user": [ + "*****" + ], "service.type": "cisco", "source.address": "10.10.1.212", "source.ip": "10.10.1.212", @@ -2837,6 +2846,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2884,6 +2896,9 @@ "10.10.0.87", "10.10.1.254" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -2927,6 +2942,9 @@ "related.ip": [ "10.10.0.87" ], + "related.user": [ + "admin" + ], "service.type": "cisco", "source.address": "10.10.0.87", "source.ip": "10.10.0.87", @@ -3031,6 +3049,9 @@ "related.ip": [ "91.240.17.178" ], + "related.user": [ + "91.240.17.178" + ], "service.type": "cisco", "source.bytes": 297103, "source.user.name": "91.240.17.178", @@ -3071,6 +3092,9 @@ "related.ip": [ "8.8.8.8" ], + "related.user": [ + "testuser" + ], "service.type": "cisco", "source.address": "8.8.8.8", "source.as.number": 15169, @@ -3119,6 +3143,9 @@ "related.ip": [ "8.8.8.8" ], + "related.user": [ + "testuser" + ], "service.type": "cisco", "source.address": "8.8.8.8", "source.as.number": 15169, @@ -3167,6 +3194,9 @@ "related.ip": [ "192.168.50.1" ], + "related.user": [ + "alice" + ], "service.type": "cisco", "source.address": "192.168.50.1", "source.ip": "192.168.50.1", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index a57299252caf..bcd775e4e1e6 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -96,7 +96,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -143,7 +142,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -197,7 +195,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -242,7 +239,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index 8a3ec3e9ab45..ebf27d1b115a 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,7 +22,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 72b115c6975b..cbb36cb61856 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -98,7 +98,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -146,7 +145,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -201,7 +199,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", @@ -247,7 +244,6 @@ "SNL-ASA-VPN-A01" ], "related.ip": [ - "10.123.123.123", "10.123.123.123" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 581691ebcf91..b76b7a69a20b 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1613,14 +1613,27 @@ processors: field: related.ip value: "{{source.ip}}" if: "ctx?.source?.ip != null" + allow_duplicates: false - append: field: related.ip value: "{{destination.ip}}" if: "ctx?.destination?.ip != null" + allow_duplicates: false - append: field: related.user value: "{{user.name}}" - if: "ctx?.user?.name != null" + if: "ctx?.user?.name != null && ctx?.user?.name != ''" + allow_duplicates: false + - append: + field: related.user + value: "{{host.user.name}}" + if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' + allow_duplicates: false - append: field: related.user value: "{{destination.user.name}}" @@ -1630,6 +1643,7 @@ processors: field: related.hash value: "{{file.hash.sha256}}" if: "ctx?.file?.hash?.sha256 != null" + allow_duplicates: false - append: field: related.hosts value: "{{host.hostname}}" diff --git a/x-pack/filebeat/module/cisco/umbrella/config/input.yml b/x-pack/filebeat/module/cisco/umbrella/config/input.yml index d4b26c49ce8a..d2da78cc349a 100644 --- a/x-pack/filebeat/module/cisco/umbrella/config/input.yml +++ b/x-pack/filebeat/module/cisco/umbrella/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0